{"id":15144486,"url":"https://github.com/datadog/datadog-static-analyzer","last_synced_at":"2025-04-05T12:03:03.739Z","repository":{"id":179045534,"uuid":"662703346","full_name":"DataDog/datadog-static-analyzer","owner":"DataDog","description":"Datadog Static Analyzer","archived":false,"fork":false,"pushed_at":"2025-04-05T02:36:54.000Z","size":4321,"stargazers_count":106,"open_issues_count":5,"forks_count":17,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-05T12:02:54.973Z","etag":null,"topics":["ci","cicd","circle","denoland","github-actions-ci","rust","static-analysis","tree-sitter"],"latest_commit_sha":null,"homepage":"https://docs.datadoghq.com/static_analysis/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DataDog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-05T17:47:29.000Z","updated_at":"2025-04-04T22:26:21.000Z","dependencies_parsed_at":"2024-01-08T15:53:14.259Z","dependency_job_id":"dcc9b111-9a06-46aa-b2bd-289c51f52773","html_url":"https://github.com/DataDog/datadog-static-analyzer","commit_stats":{"total_commits":1044,"total_committers":17,"mean_commits":"61.411764705882355","dds":0.5478927203065134,"last_synced_commit":"53912808d8fabfa1e6870f4753921d4cd070f43b"},"previous_names":["datadog/datadog-static-analyzer"],"tags_count":64,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fdatadog-static-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/DataDog%2Fdatadog-static-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fdatadog-static-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fdatadog-static-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DataDog","download_url":"https://codeload.github.com/DataDog/datadog-static-analyzer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247332560,"owners_count":20921853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","cicd","circle","denoland","github-actions-ci","rust","static-analysis","tree-sitter"],"created_at":"2024-09-26T10:41:40.434Z","updated_at":"2025-04-05T12:03:03.718Z","avatar_url":"https://github.com/DataDog.png","language":"Rust","readme":"# Datadog Static Analyzer\n\n\u003e [!TIP]\n\u003e Datadog supports open source projects. Learn more on [Datadog for Open Source Projects](https://www.datadoghq.com/partner/open-source/).\n\ndatadog-static-analyzer is the static analyzer engine for Datadog [static analysis](https://www.datadoghq.com/code-analysis/).\n\n## How to use Datadog Static Analysis Tool\n\n\n### Quick Start\n\n1. Download the binary from the [releases](https://github.com/DataDog/datadog-static-analyzer/releases)\n2. Run the analyzer on your repository (as shown below)\n3. 
It will run the analyzer with the default rules available for the supported languages\n\n```shell\ndatadog-static-analyzer --directory /path/to/directory --output report.csv --format csv\n```\n\n#### Using Docker\n\n```shell\ndocker run -it --rm -v /path/to/directory:/data ghcr.io/datadog/datadog-static-analyzer:latest --directory /data --output /data/report.csv --format csv\n```\n\nFor more information on the Docker container, see the documentation [here](./doc/docker-container.md).\n\nIf you encounter an issue, read the [Frequently Asked Questions](FAQ.md) first; it may contain\nthe solution to your problem.\n\n### Advanced Usage\n\nYou can choose which rules are used to scan your repository by creating a `static-analysis.datadog.yml` file.\n\nFirst, make sure you follow the [documentation](https://docs.datadoghq.com/code_analysis/static_analysis)\nand create a `static-analysis.datadog.yml` file at the root of your project with the rulesets you want to use.\n\nAll the rules can be found on the [Datadog documentation](https://docs.datadoghq.com/code_analysis/static_analysis_rules). 
Your `static-analysis.datadog.yml` may only contain rulesets available from the [Datadog documentation](https://docs.datadoghq.com/code_analysis/static_analysis_rules)\n\nExample of YAML file\n\n```yaml\nschema-version: v1\nrulesets:\n  - python-code-style\n  - python-best-practices\n  - python-inclusive\nignore:\n  - tests\n```\n\n\n### CI/CD Integration\n\nYou can use it in your CI/CD pipeline using our integration:\n- [GitHub Action](https://github.com/DataDog/datadog-static-analyzer-github-action)\n- [CircleCI ORB](https://circleci.com/developer/orbs/orb/datadog/datadog-static-analyzer-circleci-orb)\n\nIf you use it in your own CI/CD pipeline, you can integrate the tool directly: see the [Datadog documentation for more information](https://docs.datadoghq.com/code_analysis/static_analysis/setup).\n\n\n### IntelliJ JetBrains products\n\nThe [Datadog IntelliJ extension](https://plugins.jetbrains.com/plugin/19495-datadog) allows you to use the static analyzer directly from all JetBrains products.\nCreate a `static-analysis.datadog.yml` file, download the extension and you can start using it. You can see below an example of a suggestion to add a timeout\nwhen fetching data with Python with the requests module.\n\n![Datadog Static Analysis JetBrains](misc/imgs/jetbrains.gif)\n\n\n### VS Code\n\nThe [Datadog VS Code extension](https://marketplace.visualstudio.com/items?itemName=Datadog.datadog-vscode) allows you to use the static analyzer directly from VS Code.\nCreate a `static-analysis.datadog.yml` file, download the extension and you can start using it.\n\n![Datadog Static Analysis JetBrains](misc/imgs/vscode.gif)\n\n## List of rulesets\n\nWhen you onboard on the Datadog product, you can select the ruleset you want/need. 
If you are not using Datadog directly, \nhere is the list of commonly used rulesets available in the Datadog static analysis product, per language.\n\nThe complete list is available in [our documentation](https://docs.datadoghq.com/code_analysis/static_analysis/setup/).\n\nThe list of rulesets is available in [RULESETS.md](RULESETS.md).\n\n## Download\n\nDownload the latest release for your system and architecture from the [release page](https://github.com/DataDog/datadog-static-analyzer/releases/latest).\n\nTo get the static analyzer via shell:\n\n```shell\ncurl -L -O https://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-\u003ctarget\u003e.zip\n```\n\nExample to get the x86_64 binary for Linux:\n\n```shell\ncurl -L -O https://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip\n```\n\n## Usage\n\n```shell\ndatadog-static-analyzer -i \u003cdirectory\u003e -o \u003coutput-file\u003e\n```\n\nFor the tool to work, you must have a `\u003cdirectory\u003e/static-analysis.datadog.yml` file that defines the configuration of the analyzer. This file indicates the rules you will use for your project.\n\nYou can get more information about the configuration on [Datadog documentation](https://docs.datadoghq.com/code_analysis/static_analysis/setup/).\n\n### Mac OS X users\n\nThe downloaded binary is quarantined by macOS and cannot be executed as is. Remove the quarantine attribute so the binary is allowed to run, using the following command.\n\n```shell\nxattr -dr com.apple.quarantine datadog-static-analyzer\n```\n\n## Options\n\n - `-f` or `--format`: format of the output file. 
`-f sarif` produces a [SARIF-compliant file](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif)\n - `-r` or `--rules`: provides a file that contains all rules (rules can be put in a file using `datadog-export-rulesets`)\n - `-c` or `--cpus`: number of cores used to analyze (expect about 1 GB of RAM usage per core)\n - `-o` or `--output`: output file\n - `-p` or `--ignore-path`: path (pattern/glob) to ignore; accepts multiple\n - `-x` or `--performance-statistics`: show performance statistics for the analyzer\n - `-g` or `--add-git-info`: add Git-related information (sha, etc.) into the SARIF report when using `-f sarif`\n - `--fail-on-any-violation`: make the program exit with a non-zero exit code if there is at least one violation of a given severity.\n - `-w` or `--diff-aware`: enable diff-aware scanning (see dedicated notes below)\n\n## Configuration\n\nSet the following environment variables to configure an analysis:\n\n - `DD_SITE`: the Datadog site parameter used to fetch rules ([view list](https://docs.datadoghq.com/getting_started/site/)) (default: `datadoghq.com`)\n\n## Configuration file\n\nThe static analyzer can be configured using a `static-analysis.datadog.yml` file\nat the root directory of the repository. This is a YAML file with the following entries:\n\n- `rulesets`: (required) a list with all the rulesets to use for this repository (see [Datadog Documentation](https://docs.datadoghq.com/code_analysis/static_analysis_rules) for a full list). The elements of this list must be strings or maps containing a configuration for a ruleset (described below).\n- `ignore`: (optional) a list of path prefixes and glob patterns to ignore. A file that matches any of its entries will not be analyzed.\n- `only`: (optional) a list of path prefixes and glob patterns to analyze. 
If `only` is specified, only files that match one of its entries will be analyzed.\n- `ignore-gitignore`: (optional) by default, any entries found in the `.gitignore` file are added to the `ignore` list. If the `ignore-gitignore` option is true, the `.gitignore` file is not read.\n- `max-file-size-kb`: (optional) files larger than this size, in kilobytes, will be ignored. The default value is 200 kB.\n- `schema-version`: (optional) the version of the schema that this configuration file follows. If specified, it must be `v1`.\n\nThe entries of the `rulesets` list must be strings that contain the name of a ruleset to enable, or a map that contains the configuration for a ruleset. This map contains the following fields:\n\n- the first field (required) gives the ruleset name as its key, with an empty value.\n- `ignore`: (optional) a list of path prefixes and glob patterns to ignore _for this ruleset_. Rules in this ruleset will not be evaluated for any files that match any of the entries in the `ignore` list.\n- `only`: (optional) a list of path prefixes and glob patterns to analyze _for this ruleset_. If `only` is specified, rules in this ruleset will only be evaluated for files that match one of the entries.\n- `rules`: (optional) a map of rule configurations. Rules not specified in this map will still be evaluated, but with their default configuration.\n\nThe map in the `rules` field uses the rule's name as its key, and the values are maps with the following fields:\n\n- `ignore` (optional) a list of path prefixes and glob patterns to ignore _for this rule_. This rule will not be evaluated for any files that match any of the entries in the `ignore` list.\n- `only`: (optional) a list of path prefixes and glob patterns to analyze _for this rule_. If `only` is specified, this rule will only be evaluated for files that match one of the entries.\n- `severity`: (optional) if provided, override the severity of violations produced by this rule. 
The valid severities are `ERROR`, `WARNING`, `NOTICE`, and `NONE`.\n- `category`: (optional) if provided, override this rule's category. The valid categories are `BEST_PRACTICES`, `CODE_STYLE`, `ERROR_PRONE`, `PERFORMANCE`, and `SECURITY`.\n- `arguments`: (optional) a map of values for the rule's arguments.\n\nThe map in the `arguments` field uses an argument's name as its key, and the values are either strings or maps:\n\n- if you want to set a value for the whole repository, you can specify it as a string;\n- if you want to set different values for different subtrees in the repository, you can specify them as a map from a subtree prefix to the value that the argument will have within that subtree. See the example for more details.\n\nAn annotated example of a configuration file:\n\n```yaml\n# This is a \"v1\" configuration file.\nschema-version: v1\n# The list of rulesets to enable for this repository.\nrulesets:\n  # Enable the `python-inclusive` ruleset with the default configuration.\n  - python-inclusive\n  # Enable the `python-best-practices` ruleset with a custom configuration.\n  - python-best-practices:\n    # Do not apply any of the rules in this ruleset to files that match `src/**/*.generated.py`.\n    ignore:\n      - src/**/*.generated.py\n    rules:\n      # Special configuration for the `python-best-practices/no-generic-exception` rule.\n      no-generic-exception:\n        # Treat violations of this rule as errors (normally \"notice\").\n        severity: ERROR\n        # Classify violations of this rule under the \"code style\" category.\n        category: CODE_STYLE\n        # Only apply this rule to files under the `src/new-code` subtree.\n        only:\n          - src/new-code\n  # Enable the `python-code-style ruleset` with a custom configuration.\n  - python-code-style:\n    rules:\n      max-function-lines:\n        # Set arguments for the `python-code-style/max-function-lines` rule.\n        arguments:\n          # Set the `max-lines` 
argument to 150 in the whole repository.\n          max-lines: 150\n      max-class-lines:\n        # Set arguments for the `python-code-style/max-class-lines` rule.\n        arguments:\n          # Set different values for the `max-lines` argument in different subtrees.\n          max-lines:\n            # Set the `max-lines` argument to 100 by default\n            /: 100\n            # Set the `max-lines` argument to 75 under the `src/new-code` subtree.\n            src/new-code: 75\n# Analyze only files in the `src` and `imported` subtrees.\nonly:\n  - src\n  - imported\n# Do not analyze any files in the `src/tests` subtree.\nignore:\n  - src/tests\n# Do not add the content of the `.gitignore` file to the `ignore` list.\nignore-gitignore: true\n# Do not analyze files larger than 100 kB.\nmax-file-size-kb: 100\n```\n\nAnother example that shows every option being used:\n\n```yaml\nschema-version: v1\nrulesets:\n  - python-best-practices\n  - python-code-style:\n    ignore:\n      - src/generated\n      - src/**/*_test.py\n    only:\n      - src\n      - imported/**/new/**\n    rules:\n      max-function-lines:\n        severity: WARNING\n        category: PERFORMANCE\n        ignore:\n          - src/new-code\n          - src/new/*.gen.py\n        only:\n          - src/new\n          - src/**/new-code/**\n        arguments:\n          max-lines: 150\n          min-lines:\n            /: 10\n            src/new-code: 0\nignore:\n  - dist\n  - lib/**/*.py\nonly:\n  - src\n  - imported/**/*.py\nignore-gitignore: true\nmax-file-size-kb: 256\n```\n\n## Configuration file schema\n\nThere is a JSON Schema definition for the `static-analysis.datadog.yml` in the `schema` subdirectory.\n\nYou can use it to check the syntax of your configuration file:\n\n1. Install https://www.npmjs.com/package/pajv (`npm install -g pajv`)\n2. 
Execute `pajv validate -s schema/schema.json -d path/to/your/static-analysis.datadog.yml`\n\nThere are some examples of valid and invalid configuration files in the [`schema/examples/valid`](schema/examples/valid)\nand [`schema/examples/invalid`](schema/examples/invalid) subdirectories, respectively. If you make changes to the JSON\nSchema, you can test them against our examples:\n\n1. Install https://www.npmjs.com/package/pajv (`npm install -g pajv`)\n2. Execute `make -C schema`\n\n## Diff-Aware Scanning\n\nDiff-aware scanning is a feature of the static analyzer that scans only the files that have\nchanged recently. Diff-aware scans reuse previous results and add only the violations from the\nchanged files.\n\nIn order to use diff-aware scanning, you must be a Datadog customer.\n\nTo use diff-aware scanning:\n\n 1. Set up the `DD_SITE` environment variable according to the Datadog datacenter you are using (https://docs.datadoghq.com/getting_started/site/)\n 2. Set up the `DD_APP_KEY` and `DD_API_KEY` environment variables with your Datadog application and API keys\n 3. Run the static analyzer with option `--diff-aware`\n\nWhen using diff-aware, the static analyzer will connect to Datadog and attempt to find a previous analysis to use. 
If any problem occurs\nand diff-aware cannot be used, the analyzer will output an error like the one below and continue with a full scan.\n\nYou can use the option `--debug true` to troubleshoot further if needed.\n\n```shell\n$ datadog-static-analyzer --directory /path/to/code --output output.sarif --format sarif --diff-aware\n\n...\ndiff aware not enabled (error when receiving diff-aware data from Datadog with config hash 16163d87d4a1922ab89ec891159446d1ce0fb47f9c1469448bb331b72d19f55c, sha 5509900dc490cedbe2bb64afaf43478e24ad144b), proceeding with full scan.\n...\n```\n\n## Other Tools\n\n### datadog-export-rulesets\n\nExport rulesets from the API into a file\n\n```shell\ncargo run --locked --bin datadog-export-rulesets -- -r \u003cruleset\u003e -o \u003cfile-to-export\u003e\n```\n\n## More\n\n - [How diff-aware scanning works](doc/diff-aware.md)\n - [Report an issue](doc/report-issue.md)\n - [OWASP Benchmark](doc/owasp-benchmark.md)\n\n## Contribute\n\nSee file [CONTRIBUTING.md](CONTRIBUTING.md) for more information as well as [DEVELOPMENT.md](DEVELOPMENT.md)\nfor all details about testing and coding guidelines.\n\n## More information\n\n - [Datadog Static Analysis](https://docs.datadoghq.com/code_analysis/static_analysis)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatadog%2Fdatadog-static-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatadog%2Fdatadog-static-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatadog%2Fdatadog-static-analyzer/lists"}