Add malicious PR protection preview to Code Security documentation (#32043)

* update security pages and add malicious PR page

* comment out eng blog hyperlink for now, to be added back in after release

* add comment for future reference

* Update content/en/security/_index.md

Co-authored-by: Michael Cretzman <[email protected]>

* Update content/en/security/code_security/static_analysis/malicious_pr_protection.md

Co-authored-by: Michael Cretzman <[email protected]>

* Update content/en/security/code_security/static_analysis/malicious_pr_protection.md

Co-authored-by: Michael Cretzman <[email protected]>

* Update malicious_pr_protection.md

* Update content/en/security/code_security/static_analysis/malicious_pr_protection.md

Co-authored-by: Michael Cretzman <[email protected]>

* fixing broken image

---------

Co-authored-by: Michael Cretzman <[email protected]>
Co-authored-by: Michael Cretzman <[email protected]>

Author: kassenq

config/_default/menus/main.en.yaml

@@ -6742,7 +6742,7 @@ menu:
       identifier: sec_static_analysis_generic_ci_providers
       url: /security/code_security/static_analysis/generic_ci_providers/
       parent: sec_static_analysis
-      weight: 4
+      weight: 3
     - name: Static Code Analysis (SAST) rules
       identifier: sec_static_analysis_rules
       url: /security/code_security/static_analysis/static_analysis_rules/
@@ -6753,7 +6753,7 @@ menu:
       url: /security/code_security/static_analysis/custom_rules/
       parent: sec_static_analysis
       weight: 5
-    - name: SAST Custom Rules Tutorial
+    - name: SAST Custom Rule Creation Tutorial
       identifier: sec_static_analysis_custom_rules_tutorial
       url: /security/code_security/static_analysis/custom_rules/tutorial/
       parent: sec_static_analysis
@@ -6763,6 +6763,11 @@ menu:
       url: /security/code_security/static_analysis/custom_rules/guide/
       parent: sec_static_analysis
       weight: 5
+    - name: Malicious PR Protection
+      identifier: sec_static_analysis_malicious_pr_protection
+      url: /security/code_security/static_analysis/malicious_pr_protection
+      parent: sec_static_analysis
+      weight: 4
     - name: Software Composition Analysis (SCA)
       identifier: software_composition_analysis
       url: /security/code_security/software_composition_analysis/

content/en/security/_index.md

@@ -112,10 +112,12 @@ To learn more, check out the [30-second Product Guided Tour][14].
 - [Runtime Code Analysis (IAST)][29] for identifying vulnerabilities in the first-party code within your services
 - [Secret Scanning][30] for identifying and validating leaked secrets (in Preview)
 
-Code Security helps teams implement DevSecOps throughout the organization:
+With IDE integrations, pull request comments, and CI/CD gates, Code Security helps teams implement DevSecOps throughout the organization:
 - **Developers:** early vulnerability detection, code quality improvements, faster development as developers spend less time debugging and patching.
 - **Security Administrators:** enhanced security posture, improved patch management in response to early vulnerability alerts, and compliance monitoring.
-- **Site Reliability Engineers (SREs):** automated security checks throughout CI/CD workflow, security compliance, and system resilience. SAST reduces manual overhead for SREs and ensures that each release is thoroughly tested for vulnerabilities.
+- **Site Reliability Engineers (SREs):** automated security checks throughout CI/CD workflow, security compliance, and system resilience. SAST reduces manual overhead for SREs and ensures that each release is thoroughly tested for vulnerabilities.  
+
+{{< img src="code_security/gitlab_integration_light.png" alt="A SAST finding within a GitLab repository" width="100%">}}
 
 ## Cloud Security
 
@@ -131,11 +133,6 @@ To get started with Datadog Security, navigate to the [**Security** > **Setup**]
 
 Datadog [App and API Protection (AAP)][1] provides observability into application-level attacks that aim to exploit code-level vulnerabilities, such as Server-Side-Request-Forgery (SSRF), SQL injection, Log4Shell, and Reflected Cross-Site-Scripting (XSS). AAP leverages [Datadog APM][2], the [Datadog Agent][3], and in-app detection rules to detect threats in your application environment. Check out the product [Guided Tour](https://www.datadoghq.com/guided-tour/security/application-security-management/) to see more.
 
-In addition to threat detection, Datadog provides end-to-end code and library vulnerability detection from development to production with [Code Security][20], which includes the following capabilities:
-- [Static Code Analysis (SAST)][21] for identifying security and quality issues in your first-party code
-- [Software Composition Analysis (SCA)][22] for identifying open source dependencies in both your repositories and your services
-- [Runtime Code Analysis (IAST)][23] for code-level vulnerabilities in your services
-
 {{< img src="/security/application_security/app-sec-landing-page.png" alt="A security signal panel in Datadog, which displays attack flows and flame graphs" width="75%">}}
 
 ## Workload Protection

content/en/security/code_security/_index.md

@@ -32,6 +32,8 @@ Static Code Analysis (SAST) analyzes pre-production code to identify security an
 Scans can run via your CI/CD pipelines or directly in Datadog with hosted scanning.  
 See [Static Code Analysis Setup][6] to get started.
 
+Static Code Analysis can also scan your pull requests at scale to detect and prevent malicious code changes. This allows Datadog to not only check for known code vulnerabilities, but also detect potentially malicious intent in PRs submitted to default branches of your repositories. [Request access to the Preview][12].
+
 ## Software Composition Analysis
 Software Composition Analysis (SCA) analyzes open source libraries in both your repositories and running services. You can track and manage dependencies across the software development lifecycle with:
 - IDE integration to flag vulnerabilities affecting libraries running on your services
@@ -72,3 +74,4 @@ Developers are being actively targeted with supply chain attacks. Prevent malici
 [9]: https://www.datadoghq.com/product-preview/secret-scanning/
 [10]: /security/code_security/iac_security
 [11]: https://docs.google.com/forms/d/1Xqh5h1n3-jC7au2t30fdTq732dkTJqt_cb7C7T-AkPc
+[12]: https://www.datadoghq.com/product-preview/malicious-pr-protection/

content/en/security/code_security/static_analysis/custom_rules/tutorial.md

@@ -1,6 +1,6 @@
 ---
 description: Learn how to define a custom rule within Datadog.
-title: Static Code Analysis Custom Rule Tutorial
+title: Static Code Analysis Custom Rule Creation Tutorial
 ---
 
 

content/en/security/code_security/static_analysis/malicious_pr_protection.md

@@ -0,0 +1,54 @@
+---
+title: Malicious PR Protection
+description: Learn about how Datadog Static Code Analysis can scan your PRs at scale to prevent malicious code changes.
+is_beta: false
+algolia:
+  tags: ['static analysis', 'datadog static analysis', 'code quality', 'SAST']
+---
+
+{{% site-region region="gov" %}}
+<div class="alert alert-danger">
+    Code Security is not available for the {{< region-param key="dd_site_name" >}} site.
+</div>
+{{% /site-region %}}
+
+
+Datadog Static Code Analysis (SAST) Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. This functionality scans code for known vulnerabilities and detects potentially malicious intent in the pull requests (PRs) submitted to your repositories. Malicious PR protection helps you to:
+
+- Scale your code reviews as the volume of AI-assisted code changes increases
+- Secure code changes from both internal and external contributors
+- Embed code security into your security incident response workflows
+
+Malicious PR protection is supported for default branches and GitHub repositories only.
+
+{{< callout url="https://www.datadoghq.com/product-preview/malicious-pr-protection/" >}}
+Malicious PR protection is in Preview. Click <strong>Request Access</strong> and complete the form to request access.
+{{< /callout >}}  
+
+## Detection coverage
+
+Malicious code changes come in many different forms. Datadog SAST covers attack vectors such as: 
+
+- Malicious code injection
+- Attempted secret exfiltration
+- Pushing of malicious packages
+- CI workflow compromise  
+
+Examples include the [tj-actions/changed-files breach (March 2025)][2] and [obfuscation of malicious code in npm packages (September 2025)][3].  
+
+<!-- Read more in the blog post [here][1].   -->
+<!-- ^^ This line above should be added back in once the eng blog is published -->
+
+## Search and filter results
+
+Detections from Datadog SAST on potentially malicious PRs can be found in [Security Signals][4] by filtering for `malicious_PR`.  
+
+There are two potential verdicts: `malicious` and `benign`. 
+
+Signals can be triaged directly in Datadog (assign, create a case, or declare an incident), or routed externally via [Datadog Workflow Automation][5].
+
+[1]: https://www.datadoghq.com/blog/engineering/malicious-pull-requests/
+[2]: https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
+[3]: https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
+[4]: https://app.datadoghq.com/security
+[5]: /actions/workflows/