Valery Neira
Marc Wieser
Kassen Qian
AI-assisted development helps teams write code faster, but that speed comes with added security risk. As agents generate more code, they can introduce vulnerabilities, insecure dependencies, or exposed secrets, often before a human reviewer ever sees the change. Security teams are left reviewing more code with the same resources, which makes it harder to catch issues early.
The Datadog Code Security MCP helps teams meet the new security challenges of AI-assisted development by scanning code as it’s generated. Instead of waiting for pull requests or CI pipelines, it analyzes code in real time to detect vulnerabilities, secrets, risky dependencies, and infrastructure misconfigurations. By consolidating checks into a single local MCP server and one authentication flow, teams can apply consistent controls directly in existing workflows without managing multiple tools or added setup.
In this post, we’ll look at how the Datadog Code Security MCP helps teams:
- Detect vulnerabilities as code is generated
- Consolidate multiple security scans into a single workflow
Detect vulnerabilities as code is generated
Security issues are easiest to fix when they are caught early. But in AI-assisted workflows, engineers are generating and iterating on code quickly, often pasting agent-generated output directly into their projects. That speed makes it easy for vulnerabilities to slip through and surface later in pull requests or security reviews.
The Datadog Code Security MCP scans code as it is written and surfaces issues immediately in the developer’s workflow. For example, a developer might ask an AI assistant to generate a login or search endpoint. As the code appears, the MCP server detects a SQL injection vulnerability, highlights the exact line, references the rule, and proposes a fix. The developer applies the fix, reruns the scan, and confirms there are no remaining violations—before the code ever reaches a pull request.
The MCP server also provides protection against other common risks that teams face. For example, if an agent tries to import a third-party library with a known critical vulnerability, the MCP server blocks it before it enters the codebase. Or if a developer or agent hardcodes a credential while writing configuration code, the secret is flagged immediately with guidance to move it to an environment variable or secrets manager. By catching these issues at generation time, teams can prevent them from propagating downstream and reduce the burden on code review.
Consolidate security scans into a single workflow
As teams adopt more tools for AI-driven development, engineers and security teams often end up managing multiple scanners and integrations. A developer might rely on separate tools for static application security testing (SAST), dependency scanning, and secrets detection, each with its own setup and authentication. This tooling fragmentation makes it harder to enforce consistent security standards across the development workflow.
The Datadog Code Security MCP brings these checks together in a single server. It combines SAST, software composition analysis (SCA), secrets detection, and infrastructure-as-code (IaC) scanning. This allows developers to run all scans in one place as they write code, without switching tools or needing to reauthenticate. At the same time, security teams can apply consistent controls without coordinating across separate systems.
The MCP server also simplifies maintenance by downloading scanners on demand at the start of each session. Teams always use the latest detection capabilities without needing to manage versions or updates, so policies stay current with minimal operational effort.
Most importantly, because the MCP server runs locally with a single authentication flow, developers can start scanning immediately in their existing environment. This reduces setup overhead and helps ensure that every engineer is working against the same set of security checks.
Build a secure foundation for AI-assisted development
The Datadog Code Security MCP is part of Datadog’s broader approach to securing AI-assisted development throughout the software development lifecycle. This includes capabilities such as malicious pull request detection, which scans every code change to a GitHub repository for signs of malicious intent, and AI Guard, which blocks potentially harmful prompts and tool calls from affecting your production systems.
To learn more about the Code Security MCP server, see the documentation. If you’re new to Datadog, sign up for a 14-day free trial.
