[SECRES-5300] Add documentation for SCFW GitHub Action#38033
Conversation
|
/review |
Preview links (active after the
|
There was a problem hiding this comment.
🤖 Automated review by Claude. AI-generated; verify before acting.
Overall the new SCFW GitHub Action page is well-structured and useful. A few things to address:
Blocker:
- The new page has not been added to
config/_default/menus/main.en.yaml. Since it is a public page (noprivate: true), it won't appear in the side-nav underdev_tool_int. Please add an entry alongsidedev_tool_int_mcp_server/dev_tool_int_git_hooks(around line 8039). - The
further_readingentry withlink: "/scfw_github_action"is a broken self-reference — that path doesn't resolve to this page and, even if it did, the page shouldn't link to itself.
Style nits: a few Vale-flagged terms (currently, via, ensures, ensure) and a version-example inconsistency between the Usage snippet and the version row of the Inputs table. See inline comments.
Reviewed 2fffe1083443aa87cafba14d74e971e827accfd7 — workflow run
|
Thanks for the PR! I've created DOCS-15056 for documentation team review. |
drichards-87
left a comment
There was a problem hiding this comment.
Left some feedback from Docs.
| identifier: dev_tool_int_scfw_github_action | ||
| url: /security/code_security/dev_tool_int/scfw_github_action/ | ||
| parent: dev_tool_int | ||
| weight: 5 |
There was a problem hiding this comment.
| weight: 5 | |
| weight: 6 |
| url: /security/code_security/dev_tool_int/mcp_server/ | ||
| parent: dev_tool_int | ||
| weight: 5 | ||
| - name: SCFW GitHub Action |
There was a problem hiding this comment.
Could we move the new left nav entry for the SCFW GitHub Action doc so it appears below line 8058, after the Troubleshooting topic nested under MCP Server in the left nav? The ordering works as far as how it renders on the docs site, but for maintainability, it would be better if the menu items match the order shown in the left nav.
| [17]: /security/code_security/iac_security/setup/?tab=github | ||
| [18]: /security/cloud_security_management/ | ||
| [19]: /security/code_security/dev_tool_int/mcp_server/ | ||
| [20]: /security/code_security/dev_tool_int/scfw_github_action/ |
There was a problem hiding this comment.
| [20]: /security/code_security/dev_tool_int/scfw_github_action/ | |
| [20]: /security/code_security/dev_tool_int/scfw_github_action/ | |
| [21]: https://github.com/DataDog/guarddog |
| Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed. | ||
|
|
||
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by GuardDog), known vulnerability advisories, and configurable recency thresholds. When it flags a package, it blocks installation immediately with a clear, actionable message (on both developer laptops and CI runners). | ||
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20]. |
There was a problem hiding this comment.
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20]. | |
| Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog][21]), known vulnerability advisories, and configurable recency thresholds. If a package matches one of these checks, SCFW immediately blocks the installation and displays a clear, actionable message on developer laptops and [CI runners][20]. |
|
|
||
| | Output | Description | | ||
| |--------|-------------| | ||
| | `scfw-version` | The installed version of Supply Chain Firewall. | |
There was a problem hiding this comment.
| | `scfw-version` | The installed version of Supply Chain Firewall. | | |
| | `scfw-version` | The installed version of Supply Chain Firewall. | | |
| ## Further reading | |
| {{< partial name="whats-next/whats-next.html" >}} | |
| [1]: https://github.com/DataDog/supply-chain-firewall |
|
|
||
| | Input | Description | Default | | ||
| |-------|-------------|---------| | ||
| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | |
There was a problem hiding this comment.
| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | | |
| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (for example, `"3.1.0"`). | `latest` | |
| |-------|-------------|---------| | ||
| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | | ||
| | `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | | ||
| | `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | |
There was a problem hiding this comment.
| | `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | | |
| | `error-on-block` | Fail the workflow step with a non-zero exit code when an installation is blocked. | `true` | |
| | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | | ||
| | `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | | ||
| | `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` | | ||
| | `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — | |
There was a problem hiding this comment.
| | `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — | | |
| | `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (for example, `'{"team":"security"}'`). | — | |
| | `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` | | ||
| | `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — | | ||
| | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | | ||
| | `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | |
There was a problem hiding this comment.
| | `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | | |
| | `package-minimum-age` | Minimum age, in hours, that a package version must reach before installation is allowed. | `24` | |
| | `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — | | ||
| | `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` | | ||
| | `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` | | ||
| | `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | |
There was a problem hiding this comment.
| | `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | | |
| | `dd-site` | Your Datadog site ({{< region-param key="dd_site" code="true" >}}). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | |
What does this PR do? What is the motivation?
This PR adds documentation for Datadog's recently released GitHub Action for Supply Chain Firewall.
Merge readiness
For Datadog employees:
<name>/<description>convention and include the forward slash (/). If you've already created your PR with an incorrect branch name, please rename your branch and open a fresh PR./reviewto run an automated check that catches common issues before a Documentation team member reviews your PR.AI assistance
Additional notes