datadog-iac-scanner

module
v1.1.0
Published: Apr 23, 2026 License: Apache-2.0

README

Datadog IaC Scanner

This repository contains the source code of the Datadog IaC Scanner.

The scanner finds security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code. It produces standard SARIF output that can be integrated with Datadog or any other tool that consumes SARIF.

This project was forked from Checkmarx KICS.

Getting started

  1. Download or build the binary.
  2. Add a configuration file to your repository (optional).
  3. Run the scanner.

Installation

Visit the releases page and download the binary archive for your operating system and architecture.

  • For Linux, choose the latest datadog-iac-scanner_X.Y.Z_linux_amd64.tar.gz (x86_64) or datadog-iac-scanner_X.Y.Z_linux_arm64.tar.gz (ARM64) file.
  • For macOS, choose the latest datadog-iac-scanner_X.Y.Z_darwin_arm64.tar.gz file. Intel hardware is not supported.
  • For Windows, choose the latest datadog-iac-scanner_X.Y.Z_windows_amd64.zip file.

Building from source

Clone the repository or download a source code archive from the releases page, then run:

make build

The binary will be available at bin/datadog-iac-scanner.

Usage

Scan the directory REPODIR and write SARIF output to OUTPUTDIR:

datadog-iac-scanner scan -p REPODIR -o OUTPUTDIR

REPODIR must be within a Git repository. You can also specify file names, or multiple directories and files, as long as they all reside in the same Git repository:

datadog-iac-scanner scan -p REPODIR/file1.yaml -p REPODIR/otherdir/file2.yaml -p REPODIR/anotherdir -o OUTPUTDIR

You can also use commas instead of repeating the -p flag:

datadog-iac-scanner scan -p REPODIR/file1.yaml,REPODIR/otherdir/file2.yaml,REPODIR/anotherdir -o OUTPUTDIR

By default, the output file is named datadog-iac-scanner-result.sarif. Use --output-name to specify a different name:

datadog-iac-scanner scan -p REPODIR -o OUTPUTDIR --output-name OUTPUTFILE.sarif

Run datadog-iac-scanner scan --help to see all available flags.

Configuring the scan

Create a file named dd-iac-scan.config in your repository to customize scanner behavior. Use it to exclude specific categories, paths, severities, or queries. The file can be written in YAML, JSON, TOML, or HCL; the following example is YAML:

exclude-severities:
  - "info"
  - "low"
exclude-paths:
  - "./shouldNotScan/*"
  - "dir/somefile.txt"
exclude-queries:
  - "e69890e6-fce5-461d-98ad-cb98318dfc96"
  - "4728cd65-a20c-49da-8b31-9c08b423e4db"
exclude-categories:
  - "Access Control"
  - "Best Practices"

You can also use inline comments to exclude files, blocks, and individual lines from scan results. Add a comment starting with # dd-iac-scan followed by a command.

Comment                          Description
# dd-iac-scan ignore-line        Ignores findings on the next line.
# dd-iac-scan ignore-block       Ignores findings in the following block.
# dd-iac-scan ignore             Ignores findings in the entire file. Must appear at the beginning of the file.
# dd-iac-scan disable=queryId    Ignores results for the specified query ID. Must appear at the beginning of the file; applies to the whole file.
# dd-iac-scan enable=queryId     Ignores results for all queries except the specified query ID. Must appear at the beginning of the file; applies to the whole file.

See the exclusions documentation for more information.
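The Usage section above says the scanner writes standard SARIF so that any SARIF consumer can take it from there, and the configuration section shows how findings are excluded by severity and by query ID. The script below is an added example of the consuming side, written for this page and not part of the Datadog IaC Scanner project: it reads a SARIF 2.1.0 log, drops results that carry SARIF suppressions, resolves each result's level the way the SARIF specification prescribes (explicit result.level, then the rule's defaultConfiguration.level, then "warning"), optionally drops rule IDs after the fact (the same effect as exclude-queries, useful when you cannot change the repository's config), and fails a pipeline when anything at or above a chosen level remains. The embedded SARIF document, its rule IDs ("example-rule-1", "example-rule-2"), messages and file locations are constructed for the example; how the scanner maps its own severities onto SARIF levels is not stated on this page and is an assumption here.

```python
"""SARIF triage gate for IaC scan output.

Added example for this page, not code from the Datadog IaC Scanner project.
Usage in a pipeline (assumed invocation):
    python sarif_gate.py OUTPUTDIR/datadog-iac-scanner-result.sarif
Exit status 1 means at least one unsuppressed finding at or above the
fail-on level was present.
"""
import json
from collections import Counter

# SARIF 2.1.0 result levels, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample in the shape of a SARIF 2.1.0 log. Rule IDs, messages and
# locations are invented for this example; they are not real scanner queries.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "datadog-iac-scanner",
            "rules": [
                {"id": "example-rule-1", "defaultConfiguration": {"level": "error"}},
                {"id": "example-rule-2", "defaultConfiguration": {"level": "warning"}},
            ],
        }},
        "results": [
            # No explicit level: inherits "error" from the rule.
            {"ruleId": "example-rule-1", "message": {"text": "finding A"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "main.tf"}, "region": {"startLine": 12}}}]},
            # Explicit level on the result overrides the rule default.
            {"ruleId": "example-rule-2", "level": "note", "message": {"text": "finding B"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "modules/db/main.tf"}, "region": {"startLine": 3}}}]},
            # No explicit level: inherits "warning" from the rule.
            {"ruleId": "example-rule-2", "message": {"text": "finding C"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "main.tf"}, "region": {"startLine": 40}}}]},
            # Suppressed in source: a consumer must not count it as active.
            {"ruleId": "example-rule-1", "message": {"text": "finding D (suppressed)"},
             "suppressions": [{"kind": "inSource"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "main.tf"}, "region": {"startLine": 55}}}]},
        ],
    }],
})


def effective_level(result, rules_by_id):
    """Resolve a result's level per the SARIF spec: an explicit result.level
    wins, then the rule's defaultConfiguration.level, then "warning"."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def active_findings(sarif_text, exclude_rules=()):
    """Yield (rule_id, level, uri, line) for every unsuppressed result across
    all runs, skipping rule IDs listed in exclude_rules (the post-hoc
    equivalent of the exclude-queries config key)."""
    log = json.loads(sarif_text)
    for run in log.get("runs", []):
        rules_by_id = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            if res.get("suppressions") or res.get("ruleId") in exclude_rules:
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (res.get("ruleId"), effective_level(res, rules_by_id),
                   loc.get("artifactLocation", {}).get("uri"),
                   loc.get("region", {}).get("startLine"))


def gate(sarif_text, fail_on="error", exclude_rules=()):
    """Return (passed, counts). counts is a Counter of active findings per
    level; passed is False when any finding is at or above fail_on."""
    counts = Counter(level for _, level, _, _ in active_findings(sarif_text, exclude_rules))
    threshold = LEVEL_RANK[fail_on]
    blocking = sum(n for level, n in counts.items() if LEVEL_RANK.get(level, 0) >= threshold)
    return blocking == 0, counts


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, counts = gate(text, fail_on="error")
    for rule_id, level, uri, line in active_findings(text):
        print(f"{level:<8} {uri}:{line}  {rule_id}")
    print("summary:", dict(counts), "->", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

On the sample, three findings are active (the suppressed one is dropped) and the gate fails on the inherited "error"; excluding "example-rule-1" the way exclude-queries would makes it pass at the "error" threshold but still fail at "warning". Prefer the scanner's own dd-iac-scan.config or inline comments for durable exclusions, so the SARIF you archive already reflects them; the exclude_rules parameter here is for a consumer that cannot edit the repository.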

License

Datadog IaC Scanner is licensed under the Apache License, Version 2.0.

Acknowledgment

This project is based on KICS, developed by Checkmarx and released under the Apache License 2.0. It extends the original project with Datadog platform integration and additional rule coverage. For more details, see the Datadog IaC Security documentation.

Directories

Path                              Synopsis
cmd/scanner                       command
e2e
internal/console                  Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
internal/console/helpers
internal/constants
internal/storage
internal/tracker
pkg/analyzer
pkg/builder/engine
pkg/detector
pkg/detector/helm
pkg/detector/terraform
pkg/engine
pkg/engine/mock                   Package mock is a generated GoMock package.
pkg/engine/provider
pkg/engine/similarity
pkg/engine/source
pkg/hclexpr
pkg/kics
pkg/kuberneter                    Package kuberneter implements calls to the Kubernetes API in order to scan the runtime information of the resources
pkg/minified
pkg/model
pkg/parser
pkg/parser/ansible/ini/comments
pkg/parser/ansible/ini/config
pkg/parser/ansible/ini/hosts
pkg/parser/bicep
pkg/parser/buildah
pkg/parser/grpc
pkg/parser/grpc/converter
pkg/parser/json
pkg/parser/jsonfilter/parser
pkg/parser/terraform
pkg/parser/terraform/comment
pkg/parser/terraform/converter
pkg/parser/terraform/functions
pkg/parser/utils
pkg/parser/yaml
pkg/parser/yaml/cicd
pkg/parser/yaml/default
pkg/printer
pkg/report
pkg/report/model
pkg/resolver
pkg/scan
pkg/scanner
pkg/utils
