content/en/security/code_security/static_analysis/ai_enhanced_sast.md
Lines changed: 44 additions & 43 deletions
Original file line number
Diff line number
Diff line change
@@ -31,7 +31,7 @@ This page provides an overview of these features.
31
31
Malicious PR protection is in Preview and supports GitHub repositories only. Click <strong>Request Access</strong> and complete the form.
32
32
{{< /callout >}}
33
33
34
-
Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. By scanning pull requests (PRs) submitted to the default branches of your repositories to detect potentially malicious intent, this functionality helps you to:
34
+
Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. By scanning pull requests (PRs) submitted to the default branches of your repositories to detect potentially malicious intent, this functionality helps you:
35
35
36
36
- Secure code changes from both internal and external contributors
37
37
- Scale your code reviews as the volume of AI-assisted code changes increases
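Review bot: No issue with the wording change in this hunk ("helps you to:" to "helps you:"); the bullets that follow ("Secure code changes…", "Scale your code reviews…") are bare-infinitive verbs, so the shortened form is the grammatical one. One small style point in the unchanged callout context: the callout uses raw `<strong>Request Access</strong>` while the rest of the page uses markdown bold; if the Hugo shortcode accepts markdown, `**Request Access**` would keep one convention.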
@@ -90,7 +90,7 @@ Both methods operate as complementary components. The static analyzer continues
90
90
91
91
### False positive filtering
92
92
93
-
For a subset of SAST vulnerabilities, [Bits AI][9] reviews the context of the finding and assess whether it is more likely to be a true or false positive, along with a short explanation of the reasoning.
93
+
For a subset of SAST vulnerabilities, [Bits AI][9] reviews the context of the finding and assesses whether it is more likely to be a true or false positive, along with a short explanation of the reasoning.
94
94
95
95
To narrow down your initial list for triage, in [Vulnerabilities][6], select **Filter out false positives**. This option uses the `-bitsAssessment:"False Positive"` query.
96
96
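Review bot: The subject-verb fix ("assess" to "assesses") is correct, but the sentence still has a dangling "along with a short explanation of the reasoning" that attaches to nothing; consider "assesses whether it is more likely to be a true or false positive and provides a short explanation of its reasoning." The unchanged context line documenting the `-bitsAssessment:"False Positive"` query is fine as is.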
@@ -120,63 +120,64 @@ False positive filtering is supported for the following CWEs:
120
120
AI-suggested remediation for SAST is powered by the Bits AI Dev Agent and is in Preview. To sign up, click <strong>Request Access</strong> and complete the form.
121
121
{{< /callout >}}
122
122
123
-
Datadog SAST uses the [Bits AI Dev Agent][10] to generate single and bulk remediations for vulnerabilities.
123
+
Datadog SAST uses the [Bits AI Dev Agent][10] to generate code fixes for vulnerabilities. You can remediate individual vulnerabilities or fix multiple vulnerabilities using bulk remediation campaigns.
124
124
125
-
### Fix a single vulnerability
126
-
For each SAST vulnerability, open the side panel to see a pre-generated fix under the **Remediation** section. For other findings (such as code quality), you can click the **Fix with Bits** button to generate a fix.
125
+
To view and remediate vulnerabilities:
127
126
128
-
From each remediation, you can modify the fix suggested by Bits AI directly in the session view, or click **Create a pull request** to apply the remediation back to your source code repository.
127
+
1. In Datadog, navigate to [**Security** > **Code Security** > **Vulnerabilities**][6], and select **Static Code (SAST)** on the left sidebar.
128
+
1. Select a vulnerability to open a side panel with details about the finding and the affected code.
129
+
1. In the **Next Steps** > **Remediation** section, click **Fix with Bits**.
129
130
130
-
### Fix multiple vulnerabilities in batches with campaigns
131
-
Datadog SAST saves time by replacing the filing of individual pull requests to fix vulnerabilities with bulk-remediation **campaigns** that can fix multiple vulnerabilities at once.
131
+
- To generate a fix, select [**Single fix**](#single-fix) or [**Bulk fix**](#bulk-fix-campaigns).
132
+
- If a fix has already been generated, select **View fix and create PR** to view the existing [remediation session](#remediation-session-details).
132
133
133
-
A **campaign** is how teams in Datadog operationalize remediation at scale. Creating a campaign tells Datadog to generate remediations for a certain subset of vulnerabilities in your codebase. Each campaign can also automatically create pull requests to apply fixes for all vulnerabilities in the scope of the campaign.
134
+
### Single fix
134
135
135
-
A campaign defines the following:
136
+
Use **Single fix** to open a code session for Bits AI to fix this single vulnerability. You can review the proposed diff, ask follow-up questions, edit the patch, and create a pull request to apply the remediation to your source code repository.
|**Repositories**| Define which repo(s) and paths to scan | - Set the GitHub repo URL.<br>- Use **Paths** to limit rule scanning to certain directories or files. |
140
-
|**Rule**| Choose which SAST rule to apply | - Select a rule from the dropdown.<br>- View description, code example, and number of matches.<br>- Click **Show More** to see remediation steps. |
141
-
|**Session Management**| Controls how PRs are grouped and submitted | - **Create one PR per**:<br> • `Repository`: One PR for all findings in the repo<br> • `File`: One PR per file with findings<br> • `Finding`: One PR per finding (most granular)<br>- **Allow [n] open PRs at a time**: Prevents too many PRs at once<br>- **Limit [n] findings per PR**: Prevents creating too-large PRs |
142
-
|**Custom Instructions**| Customizes how the AI proposes remediations | - **Custom Instructions**: Guide the AI on how to tweak fixes (for example, `Update CHANGELOG.md with a summary of changes`, `Start all PR titles with [autofix]`). |
138
+
### Bulk fix (campaigns)
143
139
144
-
#### Campaign in progress
140
+
Use **Bulk fix** to create a remediation campaign that fixes multiple vulnerabilities at the same time.
145
141
146
-
After you click **Create Campaign**, [Bits AI Dev Agent][10] does the following:
142
+
Selecting this option opens a **Create a new Bits AI Bulk Fix Campaign** modal where you can configure the following:
147
143
148
-
1. Loads SAST findings for the selected repo(s), path(s), and rule.
149
-
2. Generates patches for each group of findings.
150
-
3. Creates PRs according to your session rules. **Note**: Automatic PR creation is _opt-in_ through [Settings][11].
151
-
5. Lets you review, edit, and merge fixes by interacting directly with the Agent.
144
+
-**Campaign title**: A descriptive title for your campaign.
145
+
-**Repositories**: The repositories and paths you want Bits AI to scan.
146
+
-**PR grouping options**: How Bits AI should group findings into pull requests (for example, one PR per repository, file, or finding). You can also limit the number of open PRs and the number of findings per PR.
147
+
-**Custom instructions** (optional): Additional guidance for how Bits AI should generate fixes, such as changelog requirements or pull request title formatting.
148
+
149
+
After you create a campaign, Bits AI Dev Agent loads the in-scope findings, generates patches based on your grouping rules, and (if enabled) creates pull requests. You can review and edit each session before merging changes.
150
+
151
+
<divclass="alert alert-info">
152
+
<ul>
153
+
<li>Automatic PR creation is disabled by default. Enable it in <ahref="https://app.datadoghq.com/code/settings">Settings</a>.</li>
154
+
<li>Campaigns do not track fixes created outside the campaign. If you generate a single fix and later create a campaign, Bits AI may generate the same fix again.</li>
155
+
</ul>
156
+
</div>
157
+
158
+
#### View campaign progress
159
+
160
+
To view all campaigns, navigate to **Bits AI** > **Dev Agent** > **Code Sessions** > [**Campaigns**][12].
161
+
162
+
Click a campaign to view details including session status, pull requests by repository, and remediated findings. You can click on individual sessions to review, edit, and merge fixes with the [Bits AI Dev Agent][10].
152
163
153
-
The campaign page shows real findings that Bits AI is actively remediating and how many have been remediated or are pending so your security and development teams can track progress made toward remediating vulnerabilities.
154
164
{{< img src="/code_security/static_analysis/campaigner-hero-image.png" alt="Campaigns page in Bits AI Dev Agent" style="width:100%;">}}
155
165
156
-
You can click a session to view the code changes in more detail and chat with the [Bits AI Dev Agent][10] to ask for changes.
166
+
### Remediation session details
157
167
158
-
#### Session details
168
+
Each code session shows the life cycle of an AI-generated fix so you can review and validate changes before merging. It includes:
159
169
160
-
A remediation session shows the full lifecycle of an AI-generated fix. It includes the original security finding, a proposed code change, an explanation of how and why the AI made the fix, and if enabled, CI results from applying the patch.
170
+
- The original security finding and proposed code change
171
+
- An explanation of how and why the AI generated the fix
172
+
- CI results (if enabled) to validate the patch is safe to deploy
173
+
- Options to refine the fix or **Create PR** to apply the changes to your source code repository
161
174
162
-
Session details make each remediation transparent, reviewable, and auditable, helping you safely adopt AI in your secure development workflow.
175
+
To open the remediation session, select the vulnerability from the [**Vulnerabilities**][6] page to open the side panel, scroll to the **Remediation** section, and select **Expand & Chat**.
163
176
164
-
{{< img src="/code_security/static_analysis/single-session-sql-injection-fix-light-png.png" alt="An image of a concluded session with Bits AI Dev Agent where remediations have been generated" style="width:100%;">}}
177
+
You can also navigate to remediation sessions through the [**Campaigns**][12] and [**Code Sessions**][7] views.
165
178
166
-
Session details include the following:
179
+
{{< img src="/code_security/static_analysis/single-session-sql-injection-fix-light-png.png" alt="Concluded remediation session in Bits AI Dev Agent showing generated fixes and pull request options" style="width:100%;">}}
167
180
168
-
- Header: Identifies the campaign, time of session creation, and affected branch, file, or PR.
169
-
- Title: Summarizes the remediation goal based on the vulnerability being fixed.
170
-
- Session metadata: Indicates whether the session is a part of a campaign, the AI model used, and related PR metadata.
171
-
- Right panel:
172
-
- Suggested code change: Displays a diff of the vulnerable code and the AI-generated patch.
173
-
-**Create/View Pull Request**: Creates a GitHub PR to apply the remediation, or opens an existing linked GitHub PR for you to review or merge the proposed changes.
174
-
- Left panel displays the chat message history, for example:
175
-
- Prompt for remediation: Asks for remediation(s) and explains the triggered rule, the security risk, and why the original code is unsafe.
176
-
- Task list: Shows exactly how the AI read the code, understood the context, chose its approach, and applied the fix. This is helpful for auditability, compliance, and trust. You can confirm that the AI isn't rewriting code blindly, but applying defensible and explainable patterns.
177
-
- CI logs from GitHub: Describes whether the AI-generated patch breaks anything downstream, and includes full error logs. This helps you validate that a fix is not only secure but also safe to deploy, without needing to leave the platform.
178
-
- Summary: Recaps the impact of the fix and provides next steps or guidance if tests failed or PR needs to be rebased.
179
-
-**Bits AI chat field**: Lets you interactively refine the fix or ask the AI follow-up questions. This makes remediation collaborative and tunable, giving security engineers and developers control without needing to write the patch themselves.
180
181
181
182
## Further reading
182
183
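Review bot: The four new configuration bullets (`-**Campaign title**`, `-**Repositories**`, `-**PR grouping options**`, `-**Custom instructions**`) have no space between the list marker and the bold text as shown here, so they will render as a paragraph with a literal hyphen rather than a list; the earlier bullets in this hunk ("- The original security finding…") use `- ` correctly. Three further points: the added HTML alert appears as `<divclass="alert alert-info">` and `<ahref="https://app.datadoghq.com/code/settings">`, both missing the space before the attribute, so please confirm the source reads `<div class=` and `<a href=`; the removed configuration table had a **Rule** row ("Choose which SAST rule to apply") with no counterpart in the new bullet list, so if the Bulk Fix Campaign modal still asks for a rule the list is incomplete; and the Settings link changed from the reference link `[Settings][11]` to a raw href, so check whether reference `[11]` is now unused and, if so, drop its definition in the link block at the bottom of the file.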
@@ -188,8 +189,8 @@ Session details include the following: