Overview
The Datadog extension for VS Code and Cursor helps you detect and fix security issues before you commit your changes. Static Code Analysis catches vulnerabilities, bugs, and maintainability issues. Secret Scanning finds exposed credentials such as API keys, tokens, and passwords.
Static Code Analysis
The extension runs Static Code Analysis rules on the source files in your workspace. It flags security vulnerabilities, bugs, and maintainability issues before you commit your changes.
Static Code Analysis supports many programming languages. For a complete list, see Static Code Analysis Rules. Issues are shown in the source code editor, and you can apply suggested fixes directly.
Get started with Static Code Analysis
When you open a source file, the extension looks for static-analysis.datadog.yml at your repository root and prompts you to create one if it does not exist.
After you create the configuration file, the analyzer runs automatically in the background when you open a file. To enable Static Code Analysis for a specific language, run the Datadog: Configure Static Analysis Languages command from the command palette (Shift + Cmd/Ctrl + P).
To analyze an entire folder or workspace, right-click a folder in the file explorer and select Datadog Code Security > Analyze Folder or Analyze Workspace.
Static Code Analysis does not require a Datadog account, as source files are analyzed locally.
Rule editor
Write and test custom Static Code Analysis rules without leaving your IDE. Use the rule editor to design detection logic for internal standards, security patterns, or maintainability checks specific to your codebase.
The rule editor provides the following panels.
- A Tree-sitter query editor for pattern matching against the abstract syntax tree.
- A JavaScript rule panel for expressing detection logic and reporting violations.
- Compliant and non-compliant test files that run against the rule as you edit, with expected and actual match counts shown in real time.
- An AST tree view showing how the parser represents your test code.
Import an existing rule from disk, or export a finished rule and upload it to Datadog.
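As an added example (not code from the Datadog documentation or the extension), here is what a rule built in the editor's two panels looks like, with a small stand-in harness so the JavaScript logic can be exercised offline. The `visit(query, filename, code)` entry point, `query.captures`, and the `buildError`/`addError` helpers with their argument order are assumed from Datadog's custom-rule API rather than stated on this page; the stand-in query runner, the capture objects it builds, the severity and category strings, and the compliant and non-compliant test files are all constructed for this example. In the real editor the Tree-sitter query runs against the parsed AST for you, so only the query and the `visit` function would be pasted in.

```javascript
// Added example: a custom Static Code Analysis rule in the shape the rule editor uses
// (Tree-sitter query + JavaScript visit function), plus a constructed stand-in harness.
// visit/buildError/addError and the capture layout are assumed from Datadog's
// custom-rule API; the query runner and the test files below are constructed.

// Tree-sitter query (Python grammar): capture the callee identifier of every call.
const TREE_SITTER_QUERY = `
(call
  function: (identifier) @fn)
`;

// Builtins that execute arbitrary code; the rule flags any direct call to them.
const DANGEROUS_CALLS = new Set(["eval", "exec"]);

// --- stand-ins for the rule runtime (assumption: the real runtime provides these) ---
let errors = [];
function buildError(startLine, startCol, endLine, endCol, message, severity, category) {
  return { startLine, startCol, endLine, endCol, message, severity, category };
}
function addError(error) {
  errors.push(error);
}

// The rule itself, as it would be written in the JavaScript panel: one visit()
// call per query match. Nodes carry 1-based line/col positions (assumption).
function visit(query, filename, code) {
  const fn = query.captures["fn"];
  if (!fn) return;
  // Recover the callee text from the captured span.
  const line = code.split("\n")[fn.start.line - 1];
  const name = line.slice(fn.start.col - 1, fn.end.col - 1);
  if (!DANGEROUS_CALLS.has(name)) return;
  addError(buildError(fn.start.line, fn.start.col, fn.end.line, fn.end.col,
    `${name}() executes arbitrary code; parse the input instead`,
    "CRITICAL", "security"));
}

// Constructed query runner: approximates the matches Tree-sitter would return for
// TREE_SITTER_QUERY by finding `identifier(` that is neither a `def` nor an attribute.
function runQuery(code) {
  const matches = [];
  code.split("\n").forEach((text, idx) => {
    const re = /\b([A-Za-z_]\w*)\s*\(/g;
    let m;
    while ((m = re.exec(text)) !== null) {
      if (/\bdef\s+$/.test(text.slice(0, m.index))) continue; // function_definition
      if (m.index > 0 && text[m.index - 1] === ".") continue; // attribute, not identifier
      const col = m.index + 1;
      matches.push({ captures: { fn: {
        start: { line: idx + 1, col },
        end: { line: idx + 1, col: col + m[1].length },
      } } });
    }
  });
  return matches;
}

// Run the rule over one file and return its findings (what the editor counts as matches).
function analyze(filename, code) {
  errors = [];
  for (const q of runQuery(code)) visit(q, filename, code);
  return errors.slice();
}

// Constructed test files, as the compliant / non-compliant panels would hold them.
const NON_COMPLIANT = [
  "import json",
  "def load(raw):",
  "    return eval(raw)",
  "exec(open('plugin.py').read())",
].join("\n");
const COMPLIANT = [
  "import json",
  "def load(raw):",
  "    return json.loads(raw)",
].join("\n");

console.log("non-compliant matches:", analyze("non_compliant.py", NON_COMPLIANT).length);
console.log("compliant matches:", analyze("compliant.py", COMPLIANT).length);
```

Running it reports two matches for the non-compliant file (the `eval` on line 3 and the `exec` on line 4) and zero for the compliant one, which is the expected-versus-actual count the editor's test panels show as you edit.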
Secret Scanning
The extension runs Secret Scanning on the source files in your workspace. It flags exposed credentials such as API keys, tokens, and passwords before you commit your changes. File contents are scanned locally, and findings are shown in the editor as you type.
Get started with Secret Scanning
Secret Scanning is enabled by default and runs in the background whenever you open a source file. To scan an entire folder or workspace, right-click a folder in the file explorer and select Datadog Code Security > Analyze Folder or Analyze Workspace.
Unlike Static Code Analysis, Secret Scanning does not require a static-analysis.datadog.yml file in your repository, and it scans all text files regardless of programming language. Likely binary files are skipped automatically.
Secret Scanning requires you to be signed in to Datadog, because detection rules are fetched from your Datadog organization.
Review findings
Detected secrets are shown in three places:
- Inline in the editor: Each finding appears as an underline on the detected secret, with severity derived from the rule’s priority.
- Problems panel: All findings are listed with the source Datadog.
- File Insights view: Findings are grouped alongside other Code Security issues.
Suppress a finding
To suppress an individual detection, use the code action for the flagged secret to insert a no-dd-secrets comment on the line above. The comment suppresses all secret findings on the following line.
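To make the scope of that suppression concrete, here is an added example (not code from the extension) of a minimal line-based scanner that honours a no-dd-secrets marker the way this page describes: it suppresses findings on the next line only, and it keeps suppressed findings in a separate list so a reviewer can audit what has been silenced. The credential pattern, the sample source, and the treatment of any line containing the marker as the suppression comment are constructed assumptions; the extension's real detectors come from your Datadog organization.

```javascript
// Added example: line-scoped suppression modelled on the no-dd-secrets comment.
// The detector pattern, sample source and marker handling are constructed here.

// Constructed detector: a long quoted literal assigned to a credential-like name.
const SECRET_PATTERN = /(?:api[_-]?key|token|password|secret)\s*[:=]\s*["']([^"']{8,})["']/i;
// Assumption: any line containing the marker counts as the suppression comment.
const SUPPRESS_MARKER = "no-dd-secrets";

// Scan source text; return live findings and, separately, the suppressed ones.
function scanForSecrets(source) {
  const lines = source.split("\n");
  const findings = [];
  const suppressed = [];
  lines.forEach((line, idx) => {
    const match = SECRET_PATTERN.exec(line);
    if (!match) return;
    const finding = {
      line: idx + 1,
      // Never carry the full value into reports; a short prefix is enough for triage.
      preview: match[1].slice(0, 4) + "***",
    };
    // The marker suppresses only the line immediately after it.
    const previous = idx > 0 ? lines[idx - 1] : "";
    if (previous.includes(SUPPRESS_MARKER)) {
      suppressed.push(finding);
    } else {
      findings.push(finding);
    }
  });
  return { findings, suppressed };
}

// Constructed sample: two live findings, one suppressed, and a fourth assignment
// showing the suppression does not carry past the next line.
const SAMPLE_SOURCE = [
  'API_KEY = "constructed-example-key-0001"',
  "# no-dd-secrets",
  'TEST_TOKEN = "constructed-fixture-token-0002"',
  'PASSWORD = "constructed-example-pass-0003"',
  'greeting = "hello"',
].join("\n");

const result = scanForSecrets(SAMPLE_SOURCE);
console.log("findings:", result.findings);
console.log("suppressed (for review):", result.suppressed);
```

On the sample, lines 1 and 4 are reported and line 3 is listed as suppressed; line 4 is still reported even though a marker appears two lines above it, which is the behaviour to expect from a per-line comment.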
Turn Secret Scanning on or off
To toggle Secret Scanning, run the Datadog: Turn on Secret Scanning or Datadog: Turn off Secret Scanning command from the command palette (Shift + Cmd/Ctrl + P), or change the datadog.codeSecurity.setup.secretScanning.enabled setting.
Further reading
Additional helpful documentation, links, and articles: