---
title: Code Security
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog IDE Plugins > Datadog Extension for VS Code & Cursor > Code
  Security
---

# Code Security

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

The Datadog extension for VS Code and Cursor helps you detect and fix security issues before you commit your changes. Static Code Analysis catches vulnerabilities, bugs, and maintainability issues. Secret Scanning finds exposed credentials such as API keys, tokens, and passwords.

## Static Code Analysis{% #static-code-analysis %}

The extension runs [Static Code Analysis](https://docs.datadoghq.com/security/code_security/static_analysis.md) rules on the source files in your workspace. It flags security vulnerabilities, bugs, and maintainability issues before you commit your changes.

Static Code Analysis supports many programming languages. For a complete list, see [Static Code Analysis Rules](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules.md). Issues are shown in the source code editor, and you can apply suggested fixes directly.

{% video
   url="https://docs.dd-static.net/images//ide_plugins/vscode/static_analysis.mp4" /%}

### Get started with Static Code Analysis{% #get-started-with-static-code-analysis %}

When you open a source file, the extension looks for [`static-analysis.datadog.yml`](https://github.com/DataDog/datadog-static-analyzer/blob/main/doc/legacy_config.md) at your repository root and prompts you to create one if it does not exist.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-onboard.ef32fc573882fe234b1353ef48eaadfe.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-onboard.ef32fc573882fe234b1353ef48eaadfe.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Onboarding banner for setting up Static Code Analysis with Python files" /%}

After you create the configuration file, the analyzer runs automatically in the background when you open a file. To enable Static Code Analysis for a specific language, run the `Datadog: Configure Static Analysis Languages` command from the command palette (`Shift` + `Cmd/Ctrl` + `P`).

To analyze an entire folder or workspace, right-click a folder in the file explorer and select **Datadog Code Security > Analyze Folder** or **Analyze Workspace**.

{% alert level="info" %}
Static Code Analysis does not require a Datadog account, as source files are analyzed locally.
{% /alert %}

### Rule editor{% #rule-editor %}

Write and test [custom Static Code Analysis rules](https://docs.datadoghq.com/security/code_security/static_analysis/custom_rules.md) without leaving your IDE. Use the rule editor to design detection logic for internal standards, security patterns, or maintainability checks specific to your codebase.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-rule-editor.5d5f05a2a1c7c7f01858343988356f01.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-rule-editor.5d5f05a2a1c7c7f01858343988356f01.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="SAST rule editor in the Datadog extension for VS Code" /%}

The rule editor provides the following panels:

- A **Tree-sitter query editor** for pattern matching against the abstract syntax tree.
- A **JavaScript rule panel** for expressing detection logic and reporting violations.
- **Compliant and non-compliant test files** that run against the rule as you edit, with expected and actual match counts shown in real time.
- An **AST tree view** showing how the parser represents your test code.

Import an existing rule from disk, or export a finished rule and upload it to Datadog.
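To make the two editor panels concrete, here is an added example of a custom rule (not code from this page or from the datadog-static-analyzer project). It flags Python calls of the form `subprocess.<fn>(..., shell=True)` and offers a fix that rewrites the literal to `False`. Only the Tree-sitter query and the `visit()` function would be pasted into the rule editor; everything after the "stand-ins" marker is a constructed substitute for the editor runtime so the file runs under plain Node, and the sample non-compliant file and its hand-computed captures are constructed inputs. The helper names and argument order (`visit(query, filename, code)`, `query.captures`, `buildError`, `buildEdit`, `buildFix`, `addError`, `getCode`) and the 1-based, end-exclusive positions are assumptions taken from Datadog's custom rules documentation linked above, not from this page; check them against the rule editor before relying on them.

```javascript
// Custom Static Code Analysis rule: flag Python subprocess.<fn>(..., shell=True).
// Added example, not taken from the Datadog docs page or the datadog-static-analyzer project.
// Only TREE_SITTER_QUERY and visit() belong in the rule editor; everything after
// the "stand-ins" marker is a constructed substitute for the editor runtime.

// Panel 1: Tree-sitter query (Python grammar). Captures the module name, the
// attribute being called, and the value of a keyword argument named "shell".
const TREE_SITTER_QUERY = `
((call
   function: (attribute
     object: (identifier) @module
     attribute: (identifier) @fn)
   arguments: (argument_list
     (keyword_argument
       name: (identifier) @kwname
       value: (true) @kwvalue)))
 (#eq? @module "subprocess")
 (#eq? @kwname "shell"))
`;

// Panel 2: JavaScript rule. The runtime calls visit() once per query match.
// Positions are assumed to be 1-based line/col with an exclusive end.
function visit(query, filename, code) {
  const fn = query.captures["fn"];
  const kwvalue = query.captures["kwvalue"];
  if (!fn || !kwvalue) return;

  const called = getCode(fn.start, fn.end, code);
  const error = buildError(
    kwvalue.start.line, kwvalue.start.col, kwvalue.end.line, kwvalue.end.col,
    `subprocess.${called} is invoked with shell=True; pass an argument list and drop shell=True`,
    "WARNING",
    "security"
  );
  // Offer a one-click fix that rewrites the literal to False.
  const edit = buildEdit(
    kwvalue.start.line, kwvalue.start.col, kwvalue.end.line, kwvalue.end.col,
    "update", "False"
  );
  addError(error.addFix(buildFix("Replace shell=True with shell=False", [edit])));
}

// ---- stand-ins for the rule editor runtime (constructed for this example) ----
const reported = [];

function getCode(start, end, code) {
  // Single-line spans only, which is all this example needs.
  return code.split("\n")[start.line - 1].slice(start.col - 1, end.col - 1);
}
function buildError(startLine, startCol, endLine, endCol, message, severity, category) {
  const err = {
    start: { line: startLine, col: startCol }, end: { line: endLine, col: endCol },
    message, severity, category, fixes: [],
  };
  err.addFix = (fix) => { err.fixes.push(fix); return err; };
  return err;
}
function buildEdit(startLine, startCol, endLine, endCol, editType, content) {
  return { start: { line: startLine, col: startCol }, end: { line: endLine, col: endCol }, editType, content };
}
function buildFix(description, edits) { return { description, edits }; }
function addError(error) { reported.push(error); }

// Constructed non-compliant test file and the captures a Tree-sitter match of
// TREE_SITTER_QUERY would yield for line 2 (hand-computed, 1-based columns).
const NON_COMPLIANT = "import subprocess\nsubprocess.run(cmd, shell=True)\n";
const MATCH = {
  captures: {
    module:  { start: { line: 2, col: 1 },  end: { line: 2, col: 11 } },
    fn:      { start: { line: 2, col: 12 }, end: { line: 2, col: 15 } },
    kwname:  { start: { line: 2, col: 21 }, end: { line: 2, col: 26 } },
    kwvalue: { start: { line: 2, col: 27 }, end: { line: 2, col: 31 } },
  },
};

// Runs the rule over the constructed match and returns what the runtime would report.
function runExample() {
  reported.length = 0;
  visit(MATCH, "app.py", NON_COMPLIANT);
  return reported.slice();
}

console.log(JSON.stringify(runExample(), null, 2));
```

In the editor, the non-compliant test file above should produce one match and the compliant counterpart (the same call without `shell=True`, or with a list argument and `shell=False`) should produce none; the match counts shown beside each test file are the quickest way to confirm the query captures what the `visit()` function expects.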

## Secret Scanning{% #secret-scanning %}

The extension runs [Secret Scanning](https://docs.datadoghq.com/security/code_security/secret_scanning.md) on the source files in your workspace. It flags exposed credentials such as API keys, tokens, and passwords before you commit your changes. File contents are scanned locally, and findings are shown in the editor as you type.

{% video
   url="https://docs.dd-static.net/images//ide_plugins/vscode/secret_scanning.mp4" /%}

### Get started with Secret Scanning{% #get-started-with-secret-scanning %}

Secret Scanning is enabled by default and runs in the background whenever you open a source file. To scan an entire folder or workspace, right-click a folder in the file explorer and select **Datadog Code Security > Analyze Folder** or **Analyze Workspace**.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-batch-analysis.17e4daf34848f0a0665ce6cb3a489905.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-batch-analysis.17e4daf34848f0a0665ce6cb3a489905.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Batch analysis report with a Secret Scanning section listing findings per file" /%}

Unlike Static Code Analysis, Secret Scanning does not require a [`static-analysis.datadog.yml`](https://github.com/DataDog/datadog-static-analyzer/blob/main/doc/legacy_config.md) file in your repository, and it scans all text files regardless of programming language. Likely binary files are skipped automatically.

{% alert level="info" %}
Secret Scanning requires you to be signed in to Datadog, because detection rules are fetched from your Datadog organization.
{% /alert %}

### Review findings{% #review-findings %}

Detected secrets are shown in three places:

- **Inline in the editor**: Each finding appears as an underline on the detected secret, with severity derived from the rule's priority.
- **Problems panel**: All findings are listed with the source `Datadog`.
- **File Insights view**: Findings are grouped alongside other Code Security issues.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-findings.b79b1198f129354199db97c8ead4ce2d.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-findings.b79b1198f129354199db97c8ead4ce2d.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="A detected secret shown inline in the editor with a hover diagnostic, alongside the Problems panel and the File Insights view" /%}

### Suppress a finding{% #suppress-a-finding %}

To suppress an individual detection, use the code action for the flagged secret to insert a `no-dd-secrets` comment on the line above. The comment suppresses all secret findings on the following line.

### Turn Secret Scanning on or off{% #turn-secret-scanning-on-or-off %}

To toggle Secret Scanning, run the `Datadog: Turn on Secret Scanning` or `Datadog: Turn off Secret Scanning` command from the command palette (`Shift` + `Cmd/Ctrl` + `P`), or change the `datadog.codeSecurity.setup.secretScanning.enabled` setting.

## Further reading{% #further-reading %}

- [Learn more about Code Security](https://docs.datadoghq.com/security/code_security.md)
- [Static Analysis Rules](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules.md)
- [Learn more about Secret Scanning](https://docs.datadoghq.com/security/code_security/secret_scanning.md)
