This product is not supported for your selected Datadog site. ().

The Supply Chain Firewall GitHub Action installs Datadog’s Supply Chain Firewall (SCFW) and configures it to intercept supported package manager commands in all subsequent workflow steps. When active, SCFW inspects each supported package manager command before allowing it to run.

This action supports Linux and macOS runners only.

Usage

steps:
  - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

  - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
    with:
      version: '3.1.0'
      package-managers: npm,pip

  # npm and pip commands are inspected by SCFW before they run.
  # Flagged packages are blocked; other installs proceed normally.
  - run: pip install -r requirements.txt
  - run: npm install

Configure the Supply Chain Security integration

Join the Preview!

Use this form to submit your request to join the Supply Chain Security Preview.

Request Access
steps:
  - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
    with:
      dd-codesec-logger: 'true'
      dd-api-key: ${{ secrets.DD_API_KEY }}
      dd-app-key: ${{ secrets.DD_APP_KEY }}
      dd-site: 

Cache the SCFW_HOME directory

Caching SCFW_HOME avoids re-fetching verifier data on each run:

steps:
  - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
    with:
      path: ~/.scfw
      key: scfw-${{ runner.os }}

  - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0
    with:
      scfw-home: ~/.scfw

How it works

  1. Install: The Supply Chain Firewall CLI is installed with pipx in an isolated Python environment so it does not interfere with the project’s dependencies.

  2. Wrap: For each requested package manager, the action writes a thin wrapper script to a temporary directory and prepends that directory to PATH. All subsequent steps that invoke those package managers are automatically routed through Supply Chain Firewall.

    Each wrapper resolves the real binary at call time by removing its own directory from PATH before searching for the binary, then passes the resolved path to scfw run --executable. This helps ensure that Supply Chain Firewall calls the real binary and does not re-invoke the wrapper.

    Activating a Python virtual environment, such as with source .venv/bin/activate, takes precedence over the Supply Chain Firewall wrappers for the remainder of that step. Use scfw run pip install ... explicitly for any commands that run inside virtual environments.

  3. Configure: Relevant environment variables, such as DD_API_KEY and SCFW_HOME, are written to GITHUB_ENV so they are available to subsequent steps.

    Environment variables written to GITHUB_ENV are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply dd-api-key or dd-app-key, audit the actions that follow in your workflow for suspicious behavior or signs of compromise.

Inputs

InputDescriptionDefault
versionThe version of SCFW to install. Use "latest" or pin to a specific release (for example, "3.1.0").latest
package-managersComma-separated list of package managers to intercept. Supported: npm, pip, poetry.npm,pip,poetry
error-on-blockFail the workflow step with a non-zero exit code when an installation is blocked.true
dd-api-keyDatadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use ${{ secrets.DD_API_KEY }}.
dd-app-keyDatadog application key for forwarding firewall events to the Datadog Code Security API. Use ${{ secrets.DD_APP_KEY }}.
dd-api-loggerWhen "true", enables SCFW’s Datadog HTTP API logger. Requires dd-api-key.false
dd-codesec-loggerWhen "true", enables SCFW’s Datadog Code Security logger. Requires dd-api-key and dd-app-key.false
dd-siteYour Datadog site (). Used by both dd-api-logger and dd-codesec-logger.datadoghq.com
dd-log-levelControls which firewall events are forwarded to Datadog. ALLOW logs all events; BLOCK logs only blocked events.ALLOW
scfw-homeDirectory for SCFW’s local cache. Point this at a cached directory to speed up verifier data fetches across runs.
on-warningAction that SCFW should take on warning-level findings: ALLOW or BLOCK. Defaults to BLOCK in non-interactive environments.
package-minimum-ageMinimum age, in hours, that a package version must reach before installation is allowed.24
dd-envDatadog environment tag attached to all forwarded firewall events.ci
dd-log-attributesA JSON object of custom attributes to attach to all forwarded Datadog log events (for example, '{"team":"security"}').

Outputs

OutputDescription
scfw-versionThe installed version of Supply Chain Firewall.

Further reading