Code Security scans your first-party code and the open source libraries used in your applications, in both your repositories and your running services, providing end-to-end visibility from development to production. Its capabilities are described below.
Code Security helps teams implement DevSecOps throughout the organization:
- Developers: early vulnerability detection, code quality improvements, faster development as developers spend less time debugging and patching.
- Security Administrators: enhanced security posture, improved patch management in response to early vulnerability alerts, and compliance monitoring.
- Site Reliability Engineers (SREs): automated security checks throughout the CI/CD workflow, security compliance, and system resilience. SAST reduces manual review overhead for SREs and checks each release for known vulnerability patterns before it ships.
The following vulnerability management capabilities are available across Code Security:
Static Code Analysis (SAST)
Static Code Analysis (SAST) analyzes pre-production code to identify security and quality issues. You can embed security and development best practices throughout the software development lifecycle with:
- IDE integration to flag violations in real time with deterministic suggested fixes
- In-line pull request comments with deterministic suggested fixes and incremental/diff-aware scanning
- Ability to open a pull request to fix a violation directly from Datadog
Scans can run via your CI/CD pipelines or directly in Datadog with hosted scanning.
See Static Code Analysis Setup to get started.
Static Code Analysis can also scan pull requests at scale to detect and prevent malicious code changes, so that PRs targeting the default branches of your repositories are checked not only for known code vulnerabilities but also for potentially malicious intent. Request access to the Preview.
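To make the "deterministic suggested fix" and "diff-aware scanning" points concrete, here is a minimal SAST rule written for this page. It is an added example, not Datadog's code or a Datadog rule: it walks a Python AST, flags `yaml.load()` calls that pass no `Loader` (these can instantiate arbitrary Python objects from untrusted input), proposes the mechanical fix `yaml.safe_load()`, and can restrict itself to a set of changed lines the way an incremental PR scan does. The scanned source is constructed for the example.

```python
"""Added example (not Datadog's or any project's code): a minimal SAST rule with a
deterministic fix. The rule flags yaml.load() calls that pass no Loader, proposes
yaml.safe_load(), and optionally reports only findings on changed lines.
The source being scanned is constructed for the example.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    message: str
    original: str  # exact source text of the flagged call
    fix: str       # deterministic replacement for that text


class UnsafeYamlLoad(ast.NodeVisitor):
    """Collects yaml.load(...) calls that have no Loader= keyword."""

    def __init__(self, source: str) -> None:
        self.source = source
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        is_yaml_load = (
            isinstance(func, ast.Attribute)
            and func.attr == "load"
            and isinstance(func.value, ast.Name)
            and func.value.id == "yaml"
        )
        if is_yaml_load and not any(kw.arg == "Loader" for kw in node.keywords):
            original = ast.get_source_segment(self.source, node) or ""
            # Same arguments, safe constructor: the fix is purely mechanical.
            fix = original.replace("yaml.load(", "yaml.safe_load(", 1)
            self.findings.append(Finding(
                node.lineno,
                "yaml.load without an explicit Loader can instantiate arbitrary objects",
                original,
                fix,
            ))
        self.generic_visit(node)


def scan(source: str, changed_lines: set[int] | None = None) -> list[Finding]:
    """Run the rule. With changed_lines set, report only findings on those lines
    (incremental/diff-aware mode, so a PR is not blamed for pre-existing issues)."""
    visitor = UnsafeYamlLoad(source)
    visitor.visit(ast.parse(source))
    if changed_lines is None:
        return visitor.findings
    return [f for f in visitor.findings if f.line in changed_lines]


def apply_fixes(source: str, findings: list[Finding]) -> str:
    """Apply each finding's replacement on its own line only."""
    lines = source.splitlines(keepends=True)
    for f in findings:
        idx = f.line - 1
        lines[idx] = lines[idx].replace(f.original, f.fix, 1)
    return "".join(lines)


# Constructed input: one unsafe call, one already safe, one unrelated yaml call.
SAMPLE = """\
import yaml

def parse(raw):
    return yaml.load(raw)

def parse_ok(raw):
    return yaml.load(raw, Loader=yaml.SafeLoader)

def dump(obj):
    return yaml.dump(obj)
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.message}\n  - {f.original}\n  + {f.fix}")
```

The fix is deterministic because it is derived from the matched node's own text rather than from a model or heuristic, which is what lets an IDE or PR comment offer it as a one-click change; the `changed_lines` filter is the whole of "diff-aware" scanning at this scale.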
Software Composition Analysis
Software Composition Analysis (SCA) analyzes open source libraries in both your repositories and running services. You can track and manage dependencies across the software development lifecycle with:
- IDE integration to flag vulnerabilities affecting libraries running on your services
- Ability to open a pull request to fix a library vulnerability directly from Datadog
- Runtime-informed prioritization of vulnerabilities with the Datadog severity score
SCA supports both static and runtime dependency detection.
For static scanning, you can scan via your CI/CD pipelines or directly via Datadog with hosted scanning. See static setup to get started.
For runtime vulnerability detection, you can enable SCA on services instrumented with Datadog APM. See runtime setup to get started.
Runtime Code Analysis (IAST)
Runtime Code Analysis (IAST) identifies code-level vulnerabilities in your running services. It relies on inspection of legitimate application traffic, as opposed to external testing that often requires extra configuration or periodic scheduling. IAST provides an up-to-date view of your attack surface by:
- Monitoring your code’s interactions with other components of your stack (such as libraries and infrastructure)
- Providing detections mapped to the OWASP Top 10 categories
- Runtime-informed prioritization of vulnerabilities with the Datadog severity score
You can enable IAST on your services instrumented with Datadog APM. See IAST setup to get started.
Secret Scanning
Secret Scanning identifies and validates exposed credentials, API keys, and other sensitive secrets in your codebase. You can prevent leaked secrets throughout your software development life cycle with:
- Pre-commit hooks to block secrets from being committed locally before they ever reach your repository
- Pull-request gates to block leaked secrets from reaching your default branch
- Third-party validation to confirm whether a detected secret is active and exploitable, reducing noise from rotated or invalid credentials
Scans can run through your CI/CD pipelines or directly in Datadog with hosted scanning. See Secret Scanning setup to get started.
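The pre-commit and pull-request gates above share one mechanism: scan only the lines a change adds, classify anything that looks like a credential, and return a non-zero status to block. The block below is an added example of that mechanism, not Datadog's hook or detector. It parses a unified diff, keeps new-file line numbers so findings can be reported precisely, matches two well-known token formats plus a Shannon-entropy fallback for credential-looking assignments, and exits 1 when anything is found. The diff, the patterns and the 3.5-bit entropy threshold are assumptions made for the example; the AWS key ID is AWS's documented placeholder value.

```python
"""Added example (not Datadog's code): the core of a pre-commit secret-scanning hook.

Only ADDED lines of a unified diff are scanned, so already-committed history is
not re-flagged and removed lines cannot block a commit that is deleting them.
The diff below is constructed for the example.
"""
from __future__ import annotations

import math
import re
import subprocess
from collections import Counter
from dataclasses import dataclass

# Ordered: the first matching pattern wins for a line (assumed patterns for the example).
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("slack_token", re.compile(r"\b(xox[abprs]-[0-9A-Za-z-]{20,})")),
]
# Credential-looking assignment with a long literal, confirmed by entropy.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|token|password|passwd|api_?key)\w*\s*[=:]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hex and base64 secrets sit above this


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, the usual filter for random-looking literals."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(text: str) -> tuple[str, str] | None:
    for kind, pattern in PATTERNS:
        m = pattern.search(text)
        if m:
            return kind, m.group(1)
    m = ASSIGNMENT.search(text)
    if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
        return "high_entropy_credential", m.group(1)
    return None


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and classify only '+' lines, tracking new-file line numbers."""
    findings: list[Finding] = []
    path, new_line, in_hunk = "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
            in_hunk = True
        elif not in_hunk or raw.startswith("diff "):
            in_hunk = False
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
        elif raw.startswith("+"):
            hit = classify(raw[1:])
            if hit:
                findings.append(Finding(path, new_line, *hit))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline" marker: not in the new tree
        else:
            new_line += 1  # unchanged context line
    return findings


def staged_diff() -> str:
    """What a real hook scans: the index, with no context lines."""
    return subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout


def hook_exit_code(diff: str) -> int:
    """0 lets the commit through; 1 blocks it, the contract git expects of a hook."""
    findings = scan_diff(diff)
    for f in findings:
        # Echo a short prefix only; the hook must not print the whole secret.
        print(f"{f.path}:{f.line}: {f.kind} ({f.secret[:4]}...)")
    return 1 if findings else 0


# Constructed diff: one key moved from the environment into source, plus two more literals.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+SLACK = "xoxb-0000000000-000000000000-ExampleTokenValue0000000"
+DB_PASSWORD = "hunter2"
+API_TOKEN = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"
 DEBUG = False
"""

if __name__ == "__main__":
    # In .git/hooks/pre-commit, replace SAMPLE_DIFF with staged_diff().
    raise SystemExit(hook_exit_code(SAMPLE_DIFF))
```

`DB_PASSWORD = "hunter2"` is deliberately not flagged: it is too short to be a generated credential, and a hook that blocks on every short string gets disabled by developers within a week. The validation step the section describes (confirming a candidate is live, for example by calling AWS STS `GetCallerIdentity` with the key) is left out here because it needs network access; it belongs in the PR gate or the hosted scan, not in a local hook.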
Infrastructure as Code Security (IaC Security)
IaC Security analyzes infrastructure-as-code to detect misconfigurations before they are provisioned to your cloud environment. You can secure your infrastructure and CI/CD with:
- In-line pull request comments with deterministic suggested fixes and incremental/diff-aware scanning
- Pull-request gates to block high-severity misconfigurations from reaching your production environment
- Hundreds of detections across Terraform, CloudFormation, Kubernetes, GitHub Actions, and more
With Cloud Security Management (CSM), you can navigate from runtime misconfiguration findings to the corresponding IaC Security findings. See IaC Security setup to get started.
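The following block is an added example, not a Datadog detection or any project's code, of what an IaC rule and a severity-based pull-request gate look like at the smallest scale. It parses a CloudFormation template in JSON form, runs four rules over the `Resources` map (public S3 ACL, SSH open to the world, public RDS endpoint, unencrypted RDS storage), and returns a non-zero status when any HIGH finding exists, which is the decision a PR gate makes. Both templates, the rule names and the severities are constructed for the example; the weak template and its corrected form are shown side by side so the scanner can be checked against both.

```python
"""Added example (not Datadog's or any project's code): an IaC misconfiguration
scanner with a pull-request gate, run over a constructed CloudFormation template
(JSON form) and over the same template with every weak setting corrected.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterator

HIGH, MEDIUM = "high", "medium"
RANK = {MEDIUM: 1, HIGH: 2}


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    message: str


def _is_true(value) -> bool:
    # CloudFormation accepts both JSON booleans and the strings "true"/"false".
    return str(value).lower() == "true"


def _covers_port(ingress: dict, port: int) -> bool:
    if str(ingress.get("IpProtocol")) == "-1":
        return True  # all protocols and ports
    try:
        return int(ingress.get("FromPort", -1)) <= port <= int(ingress.get("ToPort", -1))
    except ValueError:
        return False


def check_resource(name: str, rtype: str, props: dict) -> Iterator[Finding]:
    if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in {"PublicRead", "PublicReadWrite"}:
        yield Finding(name, "s3-public-acl", HIGH, f"ACL {props['AccessControl']} exposes objects to everyone")
    if rtype == "AWS::EC2::SecurityGroup":
        for ingress in props.get("SecurityGroupIngress", []):
            from_anywhere = ingress.get("CidrIp") == "0.0.0.0/0" or ingress.get("CidrIpv6") == "::/0"
            if from_anywhere and _covers_port(ingress, 22):
                yield Finding(name, "sg-ssh-open-to-world", HIGH, "SSH (22) reachable from any address")
    if rtype == "AWS::RDS::DBInstance":
        if _is_true(props.get("PubliclyAccessible")):
            yield Finding(name, "rds-public", HIGH, "database has a publicly resolvable endpoint")
        if not _is_true(props.get("StorageEncrypted")):
            yield Finding(name, "rds-unencrypted", MEDIUM, "storage is not encrypted at rest")


def scan_template(template_json: str) -> list[Finding]:
    template = json.loads(template_json)
    findings: list[Finding] = []
    for name, res in template.get("Resources", {}).items():
        findings.extend(check_resource(name, res.get("Type", ""), res.get("Properties", {})))
    return findings


def gate(findings: list[Finding], block_on: str = HIGH) -> int:
    """PR-gate decision: 1 blocks the merge if any finding is at or above block_on."""
    return 1 if any(RANK[f.severity] >= RANK[block_on] for f in findings) else 0


# Constructed template with the weak settings the rules look for.
WEAK_TEMPLATE = """{
  "Resources": {
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "SshSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "postgres", "PubliclyAccessible": true, "StorageEncrypted": false}}
  }
}"""

# The same template with each weak setting corrected.
FIXED_TEMPLATE = """{
  "Resources": {
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
    "SshSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from the internal range only",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
      "Engine": "postgres", "PubliclyAccessible": false, "StorageEncrypted": true}}
  }
}"""

if __name__ == "__main__":
    for f in scan_template(WEAK_TEMPLATE):
        print(f"[{f.severity}] {f.resource}: {f.rule}: {f.message}")
    raise SystemExit(gate(scan_template(WEAK_TEMPLATE)))
```

The gate threshold is a parameter on purpose: blocking only on HIGH is what keeps a gate usable while medium findings still surface as PR comments, and the `IpProtocol: "-1"` branch is the edge case most hand-written rules miss, since an all-traffic rule never states a port range.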
Supply Chain Security
Prevent malicious packages from entering your development environments with Datadog Supply Chain Security Firewall, supported for GitHub. Request access to the Preview.
Code Security MCP Server (Preview)
The Code Security MCP Server is a local Model Context Protocol (MCP) server that brings SAST, secrets detection, SCA, IaC scanning, and SBOM generation directly into AI coding assistants such as Cursor, Claude Desktop, and VS Code. Read the MCP Server documentation to get started.