GitHub Pull Requests
Docs >
Code Analysis >
GitHub Pull Requests
Overview
Code Analysis integrates with GitHub pull requests in two ways:
Pull request comments to flag violations: During code reviews on GitHub, Datadog can automatically check for Static Analysis violations in pull requests for repositories that have at least one ruleset applied. Violations are flagged with an inline review comment on the relevant line(s) of code, along with suggested fixes (when applicable) that can be applied directly in the pull request. This is only available for Static Analysis (SAST).
Open a pull request to fix an issue directly from Datadog: You can create a pull request from the UI to fix a security vulnerability or code quality issue based on Datadog’s suggested code fix. This is only available for Static Analysis (SAST).
To enable these features, ensure you have the required GitHub permissions (Read & Write) for your repository.
Set up Code Analysis for GitHub pull requests
Enable Datadog Code Analysis
To use Datadog Code Analysis, add the appropriate configuration files to your repository, as described in the setup instructions.
To use Code Analysis on GitHub, you can do one of the following:
- Create a GitHub App in Datadog.
- Update an existing GitHub App, if you have already created one in Datadog.
The permissions you grant to the GitHub App determine which GitHub integration features are available for setup.
Create and install a GitHub App
- In Datadog, navigate to Integrations > GitHub Applications > Add New GitHub Application.
- Fill out any required details, such as the GitHub organization name.
- Under Select Features, check the Code Analysis: Pull Request Review Comments box.
- Under Edit Permissions, verify that the Pull Requests permission is set to Read & Write.
- Click Create App in GitHub.
- Enter a name for your app, and submit it.
- Click Install GitHub App.
- Choose which repositories the app should be installed into, then click Install & Authorize.
Update an existing GitHub App
- In Datadog, navigate to Integrations > GitHub Applications, and search for the GitHub App you want to use for Code Analysis.
- On the Features tab, look at the Code Analysis: Pull Request Comments section to determine whether your GitHub App needs additional permissions. If so, click Update permissions in GitHub to edit the app settings.
- Under Repository permissions, set the Pull Requests access to Read and write.
- Under the Subscribe to events heading, check the Pull request box.
- In Datadog, navigate to CI Settings > Code Analysis Settings.
- Click the toggle switch next to a given repository to enable GitHub Comments. In the example below, comments are enabled for the
demo-static-analysis-gates
repository.
Note: If you are using GitHub Actions to run your scans, trigger the action on push
in order for comments to appear.
Fixing a vulnerability directly from Datadog
If your GitHub app’s Pull Requests permission is set to Read & Write, one-click remediation is enabled for all Static Analysis findings with an available suggested fix.
Follow these steps to fix a vulnerability and open a pull request:
- View a specific result in Code Analysis.
- Click Fix Violation in the side panel of the result.
- Select Open a Pull Request.
- Enter a pull request title and commit message.
- Click Create PR.
You can also fix a vulnerability by committing directly to the branch the result was found on.
To commit a suggested fix:
- View a specific result in Code Analysis.
- Click Fix Violation in the side panel of the result.
- Click Commit to current branch.
Further Reading