As your engineering teams grow and commit code more frequently, it becomes increasingly difficult to release high-quality, secure code while achieving your desired development velocity. To create smoother developer workflows that ensure high standards for code quality and security, it’s critical for developers to detect and remediate issues earlier in the software development lifecycle— without switching tools or contexts.
To help engineering teams effectively address code quality and security issues before they get merged to production, Datadog Code Analysis uses our open source Static Analyzer to scan your codebase for security vulnerabilities and maintainability issues, and highlights them directly within your IDE and GitHub pull requests. Code Analysis can also run Software Composition Analysis to scan the open source libraries imported into your repositories for known vulnerabilities. By incorporating Code Analysis into your existing workflows, you can continuously improve your code quality and secure new features before they reach your end users.
In this post, we’ll cover how Datadog Code Analysis helps you identify and resolve vulnerabilities and code quality issues in your local environment before deploying them to production. We’ll also explore how you can triage existing issues to improve your codebase over time and mitigate vulnerabilities in open source libraries.
Resolve vulnerabilities and code quality issues in development
When vulnerabilities and performance issues are merged into production, they can impact customers and interrupt workflows, as developers need to devote time to investigating and correcting these problems. Addressing these problems earlier in the development cycle enables developers to adhere to best practices and improve the security of their code.
Datadog Static Analysis analyzes your code in real time directly in your IDE as you write it. The analysis helps identify vulnerabilities, violations of industry-standard best practices, and other issues such as code that is prone to errors or difficult to maintain. After installing the Datadog plugin that’s available for your IDE (VS Code or JetBrains) and selecting the out-of-the-box rules you’d like it to use, our plugin will dynamically detect rule violations as you make changes to your code. This enables you to proactively address issues during the development stage and reduce the amount of context switching and investigation required after your code has been merged.
When Datadog detects a rule violation, our plugin will call out the code that requires correcting. In the following example, we’re making a GET request, but we’ve failed to include a timeout. The requests module in Python doesn’t include timeouts by default, which means that the connections created by this function call may hang indefinitely, leading to server overloads or crashes. For certain violations, Datadog will suggest a fix that you can apply directly within your IDE. In the example below, clicking “Add timeout argument” will automatically add an additional timeout parameter to your GET request to help you resolve the issue.
Enabling our Static Analysis security rulesets also helps you secure your code before it reaches production. Our analyzer detects cases of non-compliant code—such as SQL queries and file reads that use unsanitized user input—that can leave your application vulnerable to SQL injection attacks and data leaks. If left unchecked, these vulnerabilities can present a huge security risk to your organization.
In addition to providing developers with real-time feedback on their code with our IDE integrations, you can also get automated feedback and suggestions across your repository or codebase by configuring Datadog’s GitHub integration. This enables you to flag rule violations directly in pull requests and create transparent suggestions for developers committing new code. You’ll also have the option to require contributors to fix their code violations prior to PR approval. To further enforce these rulesets, you can configure Quality Gates that will automatically halt a PR from getting merged if it fails to meet your defined standards (e.g., unaddressed security violations). You can learn more about how to use Quality Gates in our blog post.
Triage existing code violations in Datadog
After enabling Code Analysis within a repository, you can view and begin addressing existing Static Analysis violations in the Datadog platform. You can filter by result status to triage and prioritize higher severity issues or by specific rule IDs to identify the prevalence of any given violation. By inspecting a violation, Datadog will direct you to the location of the source code directly in your GitHub repository—and recommend a suggested fix to help you quickly resolve the issue without any manual effort.
While code vulnerabilities may require a more urgent response, it’s also important to resolve code quality violations to avoid accumulating technical debt. By triaging all of these issues, your engineering teams can improve the quality and security of your codebase over time—and prevent the introduction of new issues using the IDE and GitHub integrations for Static Analysis.
Mitigate vulnerabilities in open source libraries
Static Analysis can help you find and fix vulnerabilities before your code changes are shipped to production, but vulnerabilities may still be introduced through third-party, open source libraries imported within your codebase. Datadog Software Composition Analysis (SCA) scans the open source libraries imported within your service so that your libraries are held to the same high standards as your first-party code. By navigating to Code Analysis within Datadog, you can view a list of vulnerabilities found in your libraries in the “Library Vulnerabilities” tab as shown below. You can toggle Code Analysis to your development branches for visibility into your working code changes as well. By inspecting a library, Datadog will give you additional details into how the vulnerability affects your application and users, where it’s located in your stack, and remediation steps to help you minimize the risk of exploitation.
You can also inspect critical library vulnerabilities at runtime in Application Security Management. This means that you gain insights into services running in your production environment with exposed vulnerabilities, as well as services actively under attack by threat actors. In the screenshot below, SCA has detected a remote code execution vulnerability in one of the frameworks used in your application. By following Datadog’s suggested next steps, you can quickly upgrade the framework to a new, recommended version and verify that the fix is working as intended.
Get started with Code Analysis
Datadog Code Analysis enables developers to proactively catch and fix issues within their code before they create impact for end users. To get started with the public beta for this feature, head to our Code Analysis setup page, where you’ll need to select your repository’s programming language(s), your CI/CD provider, and the name of your service and environment. After you select the rulesets you want to apply, such as code quality, security, and supported frameworks, Datadog will automatically generate rulesets that you can use to create a static-analysis.datadog.yml file within your project directory. You can also choose to enable Software Composition Analysis for your service.
To run Static Analysis on your local machine, you can get started by installing our plugins for IntelliJ or VS Code.
If you don’t already have a Datadog account, sign up for a free 14-day trial today.
