Datadog Code Security MCP provides all Code Security scan tools to AI coding assistants like Claude Desktop, Cursor, etc - Can also be used as a CLI tool.
Note: The Datadog Code Security MCP server is currently in Preview
datadog_code_security_scan- SAST + Secrets + SCA + IAC in paralleldatadog_sast_scan- Static Application Security Testing onlydatadog_secrets_scan- Secrets detection onlydatadog_sca_scan- Software Composition Analysis (dependency vulnerabilities)datadog_iac_scan- Infrastructure as code scanningdatadog_generate_sbom- Generate Software Bill of Materials (SBOM)
Homebrew (Recommended):
brew tap datadog-labs/pack
brew update
brew install datadog-labs/pack/datadog-code-security-mcpAlternative: Download from GitHub Releases
# macOS / Linux (auto-detects platform)
curl -L "https://github.com/datadog-labs/datadog-code-security-mcp/releases/latest/download/datadog-code-security-mcp-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz" | tar xz
sudo install -m 755 datadog-code-security-mcp /usr/local/bin/Verify installation:
datadog-code-security-mcp versionThe MCP server requires external Datadog security binaries to perform scans.
Note: If a required binary is missing, the MCP server will detect this and provide platform-specific installation instructions.
The MCP Server requires Datadog API key and application key as DD_API_KEY and DD_APP_KEY
# Configure with API keys
claude mcp add datadog-code-security \
-e DD_API_KEY=<your-api-key> \
-e DD_APP_KEY=<your-app-key> \
-e DD_SITE=datadoghq.com \
-- datadog-code-security-mcp start
# Verify it's running
claude mcp list | grep datadog-code-security{
"mcpServers": {
"datadog-code-security": {
"command": "datadog-code-security-mcp",
"args": ["start"],
"env": {
"DD_API_KEY": "<your-api-key>",
"DD_APP_KEY": "<your-app-key>",
"DD_SITE": "datadoghq.com"
}
}
}
}Cursor supports MCP servers through its settings. Add the following to your Cursor MCP configuration:
{
"mcpServers": {
"datadog-code-security": {
"command": "datadog-code-security-mcp",
"args": ["start"],
"env": {
"DD_API_KEY": "<your-api-key>",
"DD_APP_KEY": "<your-app-key>",
"DD_SITE": "datadoghq.com"
}
}
}
}Once configured, ask your AI assistant to scan your code:
Security Scans:
- "Scan this directory for security vulnerabilities"
- "Check if there are any hardcoded secrets in config/"
- "Run a full security scan (SAST + Secrets + SCA)"
- "Find all security issues in this project"
Dependency Analysis:
- "Scan for vulnerable dependencies"
- "Check if my dependencies have any known CVEs"
- "Generate an SBOM for this project"
- "What dependencies does this project have?"
# Comprehensive scan (SAST + Secrets + SCA in parallel)
datadog-code-security-mcp scan all ./src
# Individual scan types
datadog-code-security-mcp scan sast ./app # SAST only
datadog-code-security-mcp scan secrets ./config # Secrets only
datadog-code-security-mcp scan sca ./ # SCA only (requires datadog-security-cli)
# SBOM generation
datadog-code-security-mcp generate-sbom . # Generate SBOM
# JSON output for programmatic use
datadog-code-security-mcp scan all ./src --json
datadog-code-security-mcp scan sast ./app --json
datadog-code-security-mcp generate-sbom . --jsondatadog-static-analyzer (SAST + Secrets)
# macOS (Homebrew — tap is already added if you installed the MCP server via brew)
brew install datadog-static-analyzerdatadog-sbom-generator (SBOM)
# macOS / Linux (download from GitHub releases)
curl -L "https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m).zip" -o /tmp/sbom.zip
unzip -o /tmp/sbom.zip -d /tmp/ && mkdir -p ~/.local/bin && mv /tmp/datadog-sbom-generator ~/.local/bin/ && chmod +x ~/.local/bin/datadog-sbom-generatordatadog-security-cli (SCA)
# macOS (Homebrew)
brew install --cask datadog-security-cliQuick References:
- CLAUDE.md - Developer guide for Claude Code
- AGENTS.md - Quick reference for AI coding assistants
- docs/RELEASE.md - Release process
Key Commands:
make build # Build binary
make test # Run tests with race detector
make lint # Run linters
go run ./cmd/datadog-code-security-mcp versionApache 2.0