diff --git a/content/en/security/code_security/iac_security/setup.md b/content/en/security/code_security/iac_security/setup.md index 61e87daf4af..d8c5835d78a 100644 --- a/content/en/security/code_security/iac_security/setup.md +++ b/content/en/security/code_security/iac_security/setup.md @@ -94,9 +94,58 @@ After setting up the Azure DevOps integration, enable IaC Security for your repo {{% /tab %}} {{< /tabs >}} +## Upload third-party static analysis results to IaC Security + +
+ You can import SARIF results from third-party Infrastructure-as-Code (IaC) scanners, including Checkov, into IaC Security. See + Upload third-party static analysis results for SARIF-compliant tools supported for SAST. Node.js version 14 or later is required. +
+ +To upload a SARIF report: + +1. Ensure the [`DD_API_KEY` and `DD_APP_KEY` variables are defined][4]. +2. Optionally, set a [`DD_SITE` variable][5] (this defaults to `datadoghq.com`). +3. Install the `datadog-ci` utility (version 2.0 or later): + + ```bash + npm install -g @datadog/datadog-ci + ``` + +4. Run the third-party IaC scanning tool (e.g., Checkov, Trivy, KICS) on your code and output the results in the SARIF v2.1.0 format. +5. Upload the results to Datadog: + + ```bash + datadog-ci sarif upload $OUTPUT_LOCATION + ``` + - Upload Options + - `--tags:` Add custom tags (format: `key:value`) + - `--max-concurrency:` Set concurrent uploads (default: 20) + - `--dry-run:` Validate without uploading +### Required SARIF Attributes +To ensure proper ingestion and display in Datadog IaC Scanning for third-party scanners (excluding Checkov), your SARIF file MUST include the following attributes to be recognized as an IaC security finding: +1. `Runs[...].tool.driver.name: Datadog IaC Scanning` +2. `Runs[...].tool.driver.version: "code_update"` or `"full_scan"` + - `"full_scan”` for complete repository scans + - `"code_update"` for pull request / incremental scans +4. `Runs[...].tool.driver.rules[...].properties.tags:` + - `["DATADOG_RULE_TYPE:IAC_SCANNING"]` + - `[“DATADOG_SCANNED_FILE_COUNT: ”]`, where `"number"` specifies the number of scanned files +5. `Runs[...].results[...].locations[...].physicalLocation:` + - `artifactLocation.uri`: Relative path to file from repository root + - `region.startLine`: Starting line number + - `region.endLine`: Ending line number + - `region.startColumn`: Starting column number + - `region.endColumn`: Ending column number +
Suppressions silently drop violations. If results[ ].suppressions exists, the violation is completely ignored
+ ## Further reading {{< partial name="whats-next/whats-next.html" >}} [1]: /integrations/github/#setup -[2]: https://app.datadoghq.com/security/configuration/code-security/setup \ No newline at end of file +[2]: https://app.datadoghq.com/security/configuration/code-security/setup +[3]: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif +[4]: /account_management/api-app-keys/ +[5]: /getting_started/site/ +[6]: https://docs.datadoghq.com/security/code_security/static_analysis/setup/?tab=github#upload-third-party-static-analysis-results-to-datadog +[7]: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif diff --git a/content/en/security/code_security/static_analysis/setup/_index.md b/content/en/security/code_security/static_analysis/setup/_index.md index 07790aa24f4..42024065581 100644 --- a/content/en/security/code_security/static_analysis/setup/_index.md +++ b/content/en/security/code_security/static_analysis/setup/_index.md @@ -532,7 +532,7 @@ datadog-static-analyzer -i /path/to/directory -g -o sarif.json -f sarif –-diff ## Upload third-party static analysis results to Datadog
- SARIF importing has been tested for Snyk, CodeQL, Semgrep, Checkov, Gitleaks, and Sysdig. Reach out to Datadog Support if you experience any issues with other SARIF-compliant tools. + SARIF importing has been tested for Snyk, CodeQL, Semgrep, Gitleaks, and Sysdig. Reach out to Datadog Support if you experience any issues with other SARIF-compliant tools.
You can send results from third-party static analysis tools to Datadog, provided they are in the interoperable [Static Analysis Results Interchange Format (SARIF) Format][2]. Node.js version 14 or later is required. @@ -687,4 +687,4 @@ Datadog stores findings in accordance with our [Data Rentention Periods](https:/ [24]: https://docs.datadoghq.com/account_management/teams/ [101]: https://docs.datadoghq.com/software_catalog/service_definitions/v3-0/ [102]: https://docs.datadoghq.com/internal_developer_portal/software_catalog/entity_model/?tab=v30#codelocations -[103]: https://docs.datadoghq.com/data_security/data_retention_periods/ \ No newline at end of file +[103]: https://docs.datadoghq.com/data_security/data_retention_periods/
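Review bot: the Required SARIF Attributes list in the IaC setup hunk is numbered 1, 2, 4, 5 (item 3 is missing), and every attribute path is written `Runs[...]` where the SARIF 2.1.0 schema spells the property `runs` in lowercase; please renumber and lowercase so a reader matching the list against their own file is not misled. In the same list the quoting is inconsistent (`"full_scan”` and `[“DATADOG_SCANNED_FILE_COUNT: ”]` mix straight and curly quotes), and the value after `DATADOG_SCANNED_FILE_COUNT:` is empty even though the following text refers to `"number"`, so the expected tag shape (for example `DATADOG_SCANNED_FILE_COUNT:<number>`) is never actually shown. The upload options carry the colon inside the code span (`--tags:`, `--max-concurrency:`, `--dry-run:`), which reads as part of the flag name. Finally, the new reference definitions `[3]` and `[7]` both resolve to the same SARIF URL, and as rendered here the intro sentence "See Upload third-party static analysis results ..." carries no link reference; drop one of the duplicates and make sure that sentence points at `[6]`.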
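Review bot: removing Checkov from the tested-tool list in the static analysis setup hunk is consistent with moving it to the new IaC section, but nothing in this hunk points a reader who arrives on the SAST page with Checkov output toward that section; one sentence linking to the IaC upload instructions would close that gap. Separately, the hunk's header context shows the example command `datadog-static-analyzer -i /path/to/directory -g -o sarif.json -f sarif –-diff` with an en dash in `–-diff` rather than `--diff`, which will not be accepted when copied into a shell; worth fixing while this file is open.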
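Review bot: the final hunk only adds the missing trailing newline after `[103]`, but its header context contains the link text `Data Rentention Periods`, which should read `Data Retention Periods`; since the file is already being touched, correcting that typo here is cheap.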