Skip to content

[SECRES-5300] Add documentation for SCFW GitHub Action#38033

Open
ikretz wants to merge 4 commits into
masterfrom
ikretz/scfw-gh-action
Open

[SECRES-5300] Add documentation for SCFW GitHub Action#38033
ikretz wants to merge 4 commits into
masterfrom
ikretz/scfw-gh-action

Conversation

@ikretz

@ikretz ikretz commented Jul 8, 2026

Copy link
Copy Markdown

What does this PR do? What is the motivation?

This PR adds documentation for Datadog's recently released GitHub Action for Supply Chain Firewall.

Merge readiness

  • Ready for merge

For Datadog employees:

  • ⚠️ Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). If you've already created your PR with an incorrect branch name, please rename your branch and open a fresh PR.
  • 🤖 New: Comment with /review to run an automated check that catches common issues before a Documentation team member reviews your PR.

AI assistance

Additional notes

@ikretz

ikretz commented Jul 8, 2026

Copy link
Copy Markdown
Author

/review

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Automated review by Claude. AI-generated; verify before acting.

Overall the new SCFW GitHub Action page is well-structured and useful. A few things to address:

Blocker:

  • The new page has not been added to config/_default/menus/main.en.yaml. Since it is a public page (no private: true), it won't appear in the side-nav under dev_tool_int. Please add an entry alongside dev_tool_int_mcp_server / dev_tool_int_git_hooks (around line 8039).
  • The further_reading entry with link: "/scfw_github_action" is a broken self-reference — that path doesn't resolve to this page and, even if it did, the page shouldn't link to itself.

Style nits: a few Vale-flagged terms (currently, via, ensures, ensure) and a version-example inconsistency between the Usage snippet and the version row of the Inputs table. See inline comments.

Reviewed 2fffe1083443aa87cafba14d74e971e827accfd7workflow run

Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
Comment thread content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Outdated
@github-actions github-actions Bot added the Architecture Everything related to the Doc backend label Jul 8, 2026
@ikretz ikretz marked this pull request as ready for review July 8, 2026 12:51
@ikretz ikretz requested a review from a team as a code owner July 8, 2026 12:51
@buraizu buraizu added the editorial review Waiting on a more in-depth review label Jul 8, 2026
@buraizu

buraizu commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Thanks for the PR! I've created DOCS-15056 for documentation team review.

@drichards-87 drichards-87 self-requested a review July 13, 2026 22:53

@drichards-87 drichards-87 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some feedback from Docs.

identifier: dev_tool_int_scfw_github_action
url: /security/code_security/dev_tool_int/scfw_github_action/
parent: dev_tool_int
weight: 5

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
weight: 5
weight: 6

url: /security/code_security/dev_tool_int/mcp_server/
parent: dev_tool_int
weight: 5
- name: SCFW GitHub Action

@drichards-87 drichards-87 Jul 13, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we move the new left nav entry for the SCFW GitHub Action doc so it appears below line 8058, after the Troubleshooting topic nested under MCP Server in the left nav? The ordering works as far as how it renders on the docs site, but for maintainability, it would be better if the menu items match the order shown in the left nav.

[17]: /security/code_security/iac_security/setup/?tab=github
[18]: /security/cloud_security_management/
[19]: /security/code_security/dev_tool_int/mcp_server/
[20]: /security/code_security/dev_tool_int/scfw_github_action/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
[20]: /security/code_security/dev_tool_int/scfw_github_action/
[20]: /security/code_security/dev_tool_int/scfw_github_action/
[21]: https://github.com/DataDog/guarddog

Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed.

Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by GuardDog), known vulnerability advisories, and configurable recency thresholds. When it flags a package, it blocks installation immediately with a clear, actionable message (on both developer laptops and CI runners).
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20].

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20].
Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog][21]), known vulnerability advisories, and configurable recency thresholds. If a package matches one of these checks, SCFW immediately blocks the installation and displays a clear, actionable message on developer laptops and [CI runners][20].


| Output | Description |
|--------|-------------|
| `scfw-version` | The installed version of Supply Chain Firewall. |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `scfw-version` | The installed version of Supply Chain Firewall. |
| `scfw-version` | The installed version of Supply Chain Firewall. |
## Further reading
{{< partial name="whats-next/whats-next.html" >}}
[1]: https://github.com/DataDog/supply-chain-firewall


| Input | Description | Default |
|-------|-------------|---------|
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` |
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (for example, `"3.1.0"`). | `latest` |

|-------|-------------|---------|
| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` |
| `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` |
| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` |
| `error-on-block` | Fail the workflow step with a non-zero exit code when an installation is blocked. | `true` |

| `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — |
| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` |
| `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` |
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). ||
| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (for example, `'{"team":"security"}'`). ||

| `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` |
| `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — |
| `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — |
| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` |
| `package-minimum-age` | Minimum age, in hours, that a package version must reach before installation is allowed. | `24` |

| `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — |
| `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` |
| `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` |
| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |
| `dd-site` | Your Datadog site ({{< region-param key="dd_site" code="true" >}}). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` |

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Architecture Everything related to the Doc backend editorial review Waiting on a more in-depth review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants