README
¶
Datadog Static AI Security Testing (SAIST) tool
This project is an AI-Native SAST tool. Unlike traditional SAST tools that rely solely on parsing and analysis rules, this project uses LLM (e.g. Claude from Anthropic, GPT from OpenAI or Gemini from Google) to find vulnerabilities.
This project can be used standalone on your laptop. It is available as part of the Datadog Code Security offering.
Project Status
This project is under development and is in preview stage.
Features
- AI-Powered Analysis: Uses advanced AI models to detect security vulnerabilities
- Multiple Language Support: Analyzes code in various programming languages. Java, Python and Go are currently supported. C# support coming soon.
- SARIF Output: Generates industry-standard SARIF reports
- Context-Aware: Builds project context for more accurate analysis
Dependencies
- Go Tree-sitter: Go bindings for Tree-sitter parsing library
- Standard Go text/template: Built-in Go templating for prompt generation
- Go-SARIF: SARIF (Static Analysis Results Interchange Format) library
Usage
LLM key
Set the following environment variables to specify the API key to your LLM provider
- Anthropic:
ANTHROPIC_API_KEY - OpenAI:
OPENAI_API_KEY - Google Gemini:
GOOGLE_API_KEY
Command Line Interface
Build and run the binary:
make build
./bin/datadog-saist --directory <path> --output <output-file> --detection-model <model> --validation-model <model> [options]
Example to run with Gemini
make build
GOOGLE_API_KEY=<...> ./bin/datadog-saist --directory <path> --output <output-file> --detection-model gemini-3-flash --validation-model gemini-3-flash
Required Arguments
--directory: Directory to analyze (required)--output: Output file path for SARIF report (required)--model: Model to use for analysis (required)
Available Models
openai-gpt5.2: OpenAI GPT-5.2openai-gpt5.2-codex: OpenAI GPT-5.2 codexclaude-4.5-haiku: Claude 4.5 Haikuclaude-4.5-opus: Claude 4.5 Haikugemini-2.5-pro: Gemini 2.5 Progemini-2.5-flash: Gemini 2.5 Flashgemini-3-flash: Gemini 3 Flash
Optional Arguments
--debug: Enable debug mode for verbose output--request-timeout-sec: Request timeout in seconds (default: 30)--file-concurrency: Number of concurrent files to analyze (default: 20)--write-prompts: Write prompts to files during analysis--skip-indexing: Disable cross-file context indexing. When set, related files are not collected and included in prompts. Reduces memory usage on large repositories at the cost of cross-file vulnerability detection.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
datadog-saist
command
|
|
|
internal
|
|
|
agents
nolint:lll
|
nolint:lll |
|
analysis
Package analysis provides file discovery and metadata generation for the SAIST engine.
|
Package analysis provides file discovery and metadata generation for the SAIST engine. |
|
codesecurity
Package codesecurity parses the Code Security YAML sast subset used by SAIST so local datadog-saist runs can honor the same repo config files as code-workload-runner (dd-source).
|
Package codesecurity parses the Code Security YAML sast subset used by SAIST so local datadog-saist runs can honor the same repo config files as code-workload-runner (dd-source). |
Click to show internal directories.
Click to hide internal directories.