From 626cb50011204ece8a78850dcfd6eef8600ea38f Mon Sep 17 00:00:00 2001 From: Ian Kretz <44385082+ikretz@users.noreply.github.com> Date: Wed, 8 Jul 2026 13:21:53 +0200 Subject: [PATCH 01/25] Add documentation for SCFW GitHub Action --- content/en/security/code_security/_index.md | 6 +- .../dev_tool_int/scfw_github_action/_index.md | 106 ++++++++++++++++++ 2 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md diff --git a/content/en/security/code_security/_index.md b/content/en/security/code_security/_index.md index b42342c5ce3..8cff7aacc67 100644 --- a/content/en/security/code_security/_index.md +++ b/content/en/security/code_security/_index.md @@ -40,7 +40,7 @@ Code Security scans your first-party code and open source libraries used in your - [Runtime Code Analysis (IAST)][3] for identifying vulnerabilities in the first-party code within your services - [Secret Scanning][8] for identifying and validating leaked secrets - [Infrastructure as Code (IaC) Security][10] for identifying security misconfigurations in IaC stored in your repositories -- [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories +- [Supply Chain Security](#supply-chain-security-preview) for preventing malicious packages from entering your development environment and code repositories Code Security helps teams implement DevSecOps throughout the organization: - **Developers:** early vulnerability detection, code quality improvements, faster development as developers spend less time debugging and patching. @@ -106,12 +106,11 @@ With [Cloud Security Management (CSM)][18], you can see misconfigurations in IaC Use this form to submit your request to join the Supply Chain Security Preview. {{< /callout >}} - Supply Chain Security prevents malicious open source packages from entering your development environments at the point of installation, before they reach your repositories or CI/CD pipelines. Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed. -Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by GuardDog), known vulnerability advisories, and configurable recency thresholds. When it flags a package, it blocks installation immediately with a clear, actionable message (on both developer laptops and CI runners). +Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20]. In addition to protecting individual developer machines or CI pipelines, SCFW provides event observability to search, filter, and audit ALLOW, WARN, and BLOCK events across developer machines and CI systems in a unified event feed. @@ -140,3 +139,4 @@ The [Code Security MCP Server][19] is a local Model Context Protocol (MCP) serve [17]: /security/code_security/iac_security/setup/?tab=github [18]: /security/cloud_security_management/ [19]: /security/code_security/dev_tool_int/mcp_server/ +[20]: /security/code_security/dev_tool_int/scfw_github_action/ diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md new file mode 100644 index 00000000000..d8fe67a8dc7 --- /dev/null +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -0,0 +1,106 @@ +--- +title: Supply Chain Firewall GitHub Action +description: Keep malicious packages out of your CI/CD runners with Datadog's GitHub Action for Supply Chain Firewall. +is_beta: true +disable_toc: false +further_reading: +- link: "https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewall/" + tag: "Blog" + text: "Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages" +- link: "/scfw_github_action" + tag: "Documentation" + text: "Datadog's GitHub Action for Supply Chain Firewall" +--- + +The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run. + +This action currently supports Linux and macOS runners. Windows runners are not supported, as SCFW itself is not currently supported on Windows. + +## Usage + +```yaml +steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 + with: + version: '3.1.0' + package-managers: npm,pip + + # npm and pip commands are now transparently intercepted by SCFW. + # Malicious packages are blocked; clean installs proceed normally. + - run: pip install -r requirements.txt + - run: npm install +``` + +### With Supply Chain Security integration + +{{< callout url=https://docs.google.com/forms/d/1Xqh5h1n3-jC7au2t30fdTq732dkTJqt_cb7C7T-AkPc/viewform?edit_requested=true + btn_hidden="false" header="Join the Preview!">}} +Use this form to submit your request to join the Supply Chain Security Preview. +{{< /callout >}} + +```yaml +steps: + - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 + with: + dd-codesec-logger: 'true' + dd-api-key: ${{ secrets.DD_API_KEY }} + dd-app-key: ${{ secrets.DD_APP_KEY }} + dd-site: datadoghq.eu +``` + +### With a cached `SCFW_HOME` directory + +Caching `SCFW_HOME` avoids re-fetching verifier data on each run: + +```yaml +steps: + - uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + with: + path: ~/.scfw + key: scfw-${{ runner.os }} + + - uses: DataDog/supply-chain-firewall-action@2f166ae1d2c34ed717d7b08427c7acb57804f3f5 # v1.0.0 + with: + scfw-home: ~/.scfw +``` + +## How it works + +1. **Install**: The Supply Chain Firewall CLI is installed via `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies. + +2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall. + + Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This ensures Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. + + > :warning: Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. + +3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. + + > :warning: Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow to ensure none are untrusted or compromised. + +## Inputs + +| Input | Description | Default | +|-------|-------------|---------| +| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"0.7.0"`). | `latest` | +| `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | +| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | +| `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — | +| `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — | +| `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` | +| `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` | +| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | +| `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` | +| `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — | +| `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | +| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | +| `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` | +| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — | + +## Outputs + +| Output | Description | +|--------|-------------| +| `scfw-version` | The installed version of Supply Chain Firewall. | From a1d7ea809c50b8f9e63ab49416e2deae971d2bd3 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 8 Jul 2026 14:38:05 +0200 Subject: [PATCH 02/25] Respond to review feedback --- config/_default/menus/main.en.yaml | 5 +++++ .../dev_tool_int/scfw_github_action/_index.md | 16 ++++++++-------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index f57a10dc630..b53e6761a4f 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8081,6 +8081,11 @@ menu: url: /security/code_security/dev_tool_int/mcp_server/ parent: dev_tool_int weight: 5 + - name: Supply Chain Firewall GitHub Action + identifier: dev_tool_int_scfw_github_action + url: /security/code_security/dev_tool_int/scfw_github_action/ + parent: dev_tool_int + weight: 5 - name: Tools Reference identifier: dev_tool_int_mcp_server_tools_reference url: /security/code_security/dev_tool_int/mcp_server/tools_reference/ diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index d8fe67a8dc7..9697d3bf1c5 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -7,14 +7,14 @@ further_reading: - link: "https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewall/" tag: "Blog" text: "Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages" -- link: "/scfw_github_action" +- link: "/security/code_security/#supply-chain-security-preview" tag: "Documentation" - text: "Datadog's GitHub Action for Supply Chain Firewall" + text: "Supply Chain Security" --- -The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run. +The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run. -This action currently supports Linux and macOS runners. Windows runners are not supported, as SCFW itself is not currently supported on Windows. +This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows. ## Usage @@ -68,23 +68,23 @@ steps: ## How it works -1. **Install**: The Supply Chain Firewall CLI is installed via `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies. +1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies. 2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall. - Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This ensures Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. + Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. > :warning: Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. 3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. - > :warning: Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow to ensure none are untrusted or compromised. + > :warning: Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise. ## Inputs | Input | Description | Default | |-------|-------------|---------| -| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"0.7.0"`). | `latest` | +| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | | `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | | `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | | `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — | From 7498ef3d481fb3e349e951ec471e59d7a569d0fe Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 8 Jul 2026 14:53:46 +0200 Subject: [PATCH 03/25] Remove unsupported emojis --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 9697d3bf1c5..b3a5d1af9ad 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -74,11 +74,11 @@ steps: Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. - > :warning: Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. + Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. 3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. - > :warning: Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise. + Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise. ## Inputs From aecea916c2bc6f0e597c03b23e3332d4edca53c3 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 8 Jul 2026 14:55:17 +0200 Subject: [PATCH 04/25] Shorten sidebar text --- config/_default/menus/main.en.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index b53e6761a4f..a321c02351f 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8081,7 +8081,7 @@ menu: url: /security/code_security/dev_tool_int/mcp_server/ parent: dev_tool_int weight: 5 - - name: Supply Chain Firewall GitHub Action + - name: SCFW GitHub Action identifier: dev_tool_int_scfw_github_action url: /security/code_security/dev_tool_int/scfw_github_action/ parent: dev_tool_int From d7e3d2bca408e9a82ee20f96b683e96d68ea7e30 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:34:34 +0200 Subject: [PATCH 05/25] Update config/_default/menus/main.en.yaml Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- config/_default/menus/main.en.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index a321c02351f..dfd3a26783c 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8085,7 +8085,7 @@ menu: identifier: dev_tool_int_scfw_github_action url: /security/code_security/dev_tool_int/scfw_github_action/ parent: dev_tool_int - weight: 5 + weight: 6 - name: Tools Reference identifier: dev_tool_int_mcp_server_tools_reference url: /security/code_security/dev_tool_int/mcp_server/tools_reference/ From b90147fc052482a7060f8dcffe8687eca2efd28f Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:35:38 +0200 Subject: [PATCH 06/25] Update content/en/security/code_security/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- content/en/security/code_security/_index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/security/code_security/_index.md b/content/en/security/code_security/_index.md index 8cff7aacc67..60985b7fae3 100644 --- a/content/en/security/code_security/_index.md +++ b/content/en/security/code_security/_index.md @@ -140,3 +140,4 @@ The [Code Security MCP Server][19] is a local Model Context Protocol (MCP) serve [18]: /security/cloud_security_management/ [19]: /security/code_security/dev_tool_int/mcp_server/ [20]: /security/code_security/dev_tool_int/scfw_github_action/ +[21]: https://github.com/DataDog/guarddog From 8440d07425b064b2da26a71aca87fb78c33dc883 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:36:13 +0200 Subject: [PATCH 07/25] Update content/en/security/code_security/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- content/en/security/code_security/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/_index.md b/content/en/security/code_security/_index.md index 60985b7fae3..41c4283d9d0 100644 --- a/content/en/security/code_security/_index.md +++ b/content/en/security/code_security/_index.md @@ -110,7 +110,7 @@ Supply Chain Security prevents malicious open source packages from entering your Unlike SCA, which scans dependencies already in your codebase, the Datadog Supply Chain Firewall (SCFW) intercepts package manager commands (`npm`, `pip`, `poetry`) in real time and blocks malicious or recently published packages before they are installed. -Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog](https://github.com/DataDog/guarddog)), known vulnerability advisories, and configurable recency thresholds. SCFW immediately blocks installation of flagged packages with a clear, actionable message on both developer laptops and [CI runners][20]. +Supply Chain Security evaluates every package install against Datadog's malicious package feed (powered by [GuardDog][21]), known vulnerability advisories, and configurable recency thresholds. If a package matches one of these checks, SCFW immediately blocks the installation and displays a clear, actionable message on developer laptops and [CI runners][20]. In addition to protecting individual developer machines or CI pipelines, SCFW provides event observability to search, filter, and audit ALLOW, WARN, and BLOCK events across developer machines and CI systems in a unified event feed. From 121df4a6e185404bf425d8ad2dbe53afd75305cb Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:36:54 +0200 Subject: [PATCH 08/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index b3a5d1af9ad..1b135226f1e 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -104,3 +104,9 @@ steps: | Output | Description | |--------|-------------| | `scfw-version` | The installed version of Supply Chain Firewall. | + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/supply-chain-firewall From a3e45f487e3334c10dbba81dba115f64557b979a Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:37:35 +0200 Subject: [PATCH 09/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 1b135226f1e..6d99b00bcf3 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -12,7 +12,7 @@ further_reading: text: "Supply Chain Security" --- -The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall](https://github.com/DataDog/supply-chain-firewall) (SCFW) and configures it to transparently intercept supported package manager commands for all subsequent steps in a workflow. When active, any command for a supported package manager is inspected with SCFW before being allowed to run. +The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall][1] (SCFW) and configures it to intercept supported package manager commands in all subsequent workflow steps. When active, SCFW inspects each supported package manager command before allowing it to run. This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows. From a99d02902e0c1b6a359abc42f23378c04371b957 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:37:53 +0200 Subject: [PATCH 10/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 6d99b00bcf3..cc429e14218 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -14,7 +14,7 @@ further_reading: The Supply Chain Firewall GitHub Action installs Datadog's [Supply Chain Firewall][1] (SCFW) and configures it to intercept supported package manager commands in all subsequent workflow steps. When active, SCFW inspects each supported package manager command before allowing it to run. -This action supports Linux and macOS runners. Windows runners are not supported, as SCFW itself does not support Windows. +
This action supports Linux and macOS runners only.
## Usage From 3731154ac5249b961ca0fea7e037945fef893959 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:39:01 +0200 Subject: [PATCH 11/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index cc429e14218..adb0433758d 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -33,7 +33,7 @@ steps: - run: npm install ``` -### With Supply Chain Security integration +### Configure the Supply Chain Security integration {{< callout url=https://docs.google.com/forms/d/1Xqh5h1n3-jC7au2t30fdTq732dkTJqt_cb7C7T-AkPc/viewform?edit_requested=true btn_hidden="false" header="Join the Preview!">}} From cf1d67b4612eab29a29bd0647cb6a8afba8cc763 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:39:20 +0200 Subject: [PATCH 12/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index adb0433758d..969aad7600b 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -50,7 +50,7 @@ steps: dd-site: datadoghq.eu ``` -### With a cached `SCFW_HOME` directory +### Cache the `SCFW_HOME` directory Caching `SCFW_HOME` avoids re-fetching verifier data on each run: From 34ab98a1d14269f89e68201f57436e0edb2259d4 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:40:09 +0200 Subject: [PATCH 13/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 969aad7600b..ca7b43ca6fc 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -47,7 +47,7 @@ steps: dd-codesec-logger: 'true' dd-api-key: ${{ secrets.DD_API_KEY }} dd-app-key: ${{ secrets.DD_APP_KEY }} - dd-site: datadoghq.eu + dd-site: {{< region-param key="dd_site" >}} ``` ### Cache the `SCFW_HOME` directory From 6cf8a54ef766ce1eecf86296b6cbf442dc273e19 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:40:31 +0200 Subject: [PATCH 14/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index ca7b43ca6fc..ec52705562f 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -68,7 +68,7 @@ steps: ## How it works -1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` into an isolated Python environment so it does not interfere with the project's own dependencies. +1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` in an isolated Python environment so it does not interfere with the project's dependencies. 2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall. From 3a824cde704af9a4953a9cec61a97d5735155600 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:40:54 +0200 Subject: [PATCH 15/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index ec52705562f..80856f9d842 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -70,7 +70,7 @@ steps: 1. **Install**: The Supply Chain Firewall CLI is installed with `pipx` in an isolated Python environment so it does not interfere with the project's dependencies. -2. **Wrap**: For each requested package manager, the action writes a thin wrapper script into a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers automatically go through Supply Chain Firewall. +2. **Wrap**: For each requested package manager, the action writes a thin wrapper script to a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers are automatically routed through Supply Chain Firewall. Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. From d674189cc32829e8f8ac8039181a4497b9bfa449 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:41:21 +0200 Subject: [PATCH 16/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 80856f9d842..178bfb5c631 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -72,7 +72,7 @@ steps: 2. **Wrap**: For each requested package manager, the action writes a thin wrapper script to a temporary directory and prepends that directory to `PATH`. All subsequent steps that invoke those package managers are automatically routed through Supply Chain Firewall. - Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching, then passes the resolved path to `scfw run --executable`. This helps ensure Supply Chain Firewall always calls the real binary and never re-invokes the wrapper. + Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching for the binary, then passes the resolved path to `scfw run --executable`. This helps ensure that Supply Chain Firewall calls the real binary and does not re-invoke the wrapper. Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. From 107923665dc0bfdc352e590f745837f23054793d Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:42:09 +0200 Subject: [PATCH 17/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 178bfb5c631..f2c2b571feb 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -74,7 +74,7 @@ steps: Each wrapper resolves the real binary at call time by removing its own directory from `PATH` before searching for the binary, then passes the resolved path to `scfw run --executable`. This helps ensure that Supply Chain Firewall calls the real binary and does not re-invoke the wrapper. - Activating a Python virtual environment (e.g., `source .venv/bin/activate`) shadows the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands run inside virtual environments. + Activating a Python virtual environment, such as with `source .venv/bin/activate`, takes precedence over the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands that run inside virtual environments. 3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. From 5739a3cfeb6da9bcd1506e431099a9351bb848fb Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:42:28 +0200 Subject: [PATCH 18/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index f2c2b571feb..326f7ccc3ab 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -76,7 +76,7 @@ steps: Activating a Python virtual environment, such as with `source .venv/bin/activate`, takes precedence over the Supply Chain Firewall wrappers for the remainder of that step. Use `scfw run pip install ...` explicitly for any commands that run inside virtual environments. -3. **Configure**: Relevant environment variables (`DD_API_KEY`, `SCFW_HOME`, etc.) are written to `GITHUB_ENV` so they are available to all subsequent steps. +3. **Configure**: Relevant environment variables, such as `DD_API_KEY` and `SCFW_HOME`, are written to `GITHUB_ENV` so they are available to subsequent steps. Environment variables written to `GITHUB_ENV` are accessible to all subsequent steps in the job, including any third-party actions that run after this one. If you supply `dd-api-key` or `dd-app-key`, audit the actions that follow in your workflow for suspicious behavior or signs of compromise. From 66853a8aba7993900e51c1fc6b0e1a48352ff694 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:42:46 +0200 Subject: [PATCH 19/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 326f7ccc3ab..04f04c72e0e 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -84,7 +84,7 @@ steps: | Input | Description | Default | |-------|-------------|---------| -| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (e.g., `"3.1.0"`). | `latest` | +| `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (for example, `"3.1.0"`). | `latest` | | `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | | `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | | `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — | From bbdca98c39eca573b2ae720281afcfbdae4e4b6a Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:43:03 +0200 Subject: [PATCH 20/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 04f04c72e0e..515ce6db962 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -86,7 +86,7 @@ steps: |-------|-------------|---------| | `version` | The version of SCFW to install. Use `"latest"` or pin to a specific release (for example, `"3.1.0"`). | `latest` | | `package-managers` | Comma-separated list of package managers to intercept. Supported: `npm`, `pip`, `poetry`. | `npm,pip,poetry` | -| `error-on-block` | Exit with a non-zero code when an installation is blocked, failing the workflow step. | `true` | +| `error-on-block` | Fail the workflow step with a non-zero exit code when an installation is blocked. | `true` | | `dd-api-key` | Datadog API key for forwarding firewall events to the Datadog HTTP or Code Security API. Use `${{ secrets.DD_API_KEY }}`. | — | | `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — | | `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` | From 473217d84bcc8c31ab22d052e513f077144cea55 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:43:13 +0200 Subject: [PATCH 21/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 515ce6db962..1b1b7593a87 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -97,7 +97,7 @@ steps: | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | | `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | | `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` | -| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (e.g., `'{"team":"security"}'`). | — | +| `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (for example, `'{"team":"security"}'`). | — | ## Outputs From 016046acd5e03421034abe54457dc3308d945d25 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:43:37 +0200 Subject: [PATCH 22/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 1b1b7593a87..8b7ea2acfef 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -95,7 +95,7 @@ steps: | `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` | | `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — | | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | -| `package-minimum-age` | Minimum age in hours a package must have before installation is allowed. | `24` | +| `package-minimum-age` | Minimum age, in hours, that a package version must reach before installation is allowed. | `24` | | `dd-env` | Datadog environment tag attached to all forwarded firewall events. | `ci` | | `dd-log-attributes` | A JSON object of custom attributes to attach to all forwarded Datadog log events (for example, `'{"team":"security"}'`). | — | From 3870317a8f6224d13bcff8c79c79ab577acfd79b Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:43:52 +0200 Subject: [PATCH 23/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index 8b7ea2acfef..acaf70f5a63 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -91,7 +91,7 @@ steps: | `dd-app-key` | Datadog application key for forwarding firewall events to the Datadog Code Security API. Use `${{ secrets.DD_APP_KEY }}`. | — | | `dd-api-logger` | When `"true"`, enables SCFW's Datadog HTTP API logger. Requires `dd-api-key`. | `false` | | `dd-codesec-logger` | When `"true"`, enables SCFW's Datadog Code Security logger. Requires `dd-api-key` and `dd-app-key`. | `false` | -| `dd-site` | Datadog site (e.g., `datadoghq.com`, `datadoghq.eu`, `us3.datadoghq.com`). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | +| `dd-site` | Your Datadog site ({{< region-param key="dd_site" code="true" >}}). Used by both `dd-api-logger` and `dd-codesec-logger`. | `datadoghq.com` | | `dd-log-level` | Controls which firewall events are forwarded to Datadog. `ALLOW` logs all events; `BLOCK` logs only blocked events. | `ALLOW` | | `scfw-home` | Directory for SCFW's local cache. Point this at a cached directory to speed up verifier data fetches across runs. | — | | `on-warning` | Action that SCFW should take on warning-level findings: `ALLOW` or `BLOCK`. Defaults to `BLOCK` in non-interactive environments. | — | From 7aabf22454e23a646fa9e61ec980d79160a5f1ac Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:46:51 +0200 Subject: [PATCH 24/25] Update content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- .../code_security/dev_tool_int/scfw_github_action/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md index acaf70f5a63..9cfd4aa30a6 100644 --- a/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md +++ b/content/en/security/code_security/dev_tool_int/scfw_github_action/_index.md @@ -27,8 +27,8 @@ steps: version: '3.1.0' package-managers: npm,pip - # npm and pip commands are now transparently intercepted by SCFW. - # Malicious packages are blocked; clean installs proceed normally. + # npm and pip commands are inspected by SCFW before they run. +# Flagged packages are blocked; other installs proceed normally. - run: pip install -r requirements.txt - run: npm install ``` From 21c0abdc846ee88e1cb40ac047023f1c1e90e053 Mon Sep 17 00:00:00 2001 From: Ian Kretz Date: Wed, 15 Jul 2026 13:47:20 +0200 Subject: [PATCH 25/25] Reorder left nav elements --- config/_default/menus/main.en.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index dfd3a26783c..b27f88cdd98 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -8081,11 +8081,6 @@ menu: url: /security/code_security/dev_tool_int/mcp_server/ parent: dev_tool_int weight: 5 - - name: SCFW GitHub Action - identifier: dev_tool_int_scfw_github_action - url: /security/code_security/dev_tool_int/scfw_github_action/ - parent: dev_tool_int - weight: 6 - name: Tools Reference identifier: dev_tool_int_mcp_server_tools_reference url: /security/code_security/dev_tool_int/mcp_server/tools_reference/ @@ -8096,6 +8091,11 @@ menu: url: /security/code_security/dev_tool_int/mcp_server/troubleshooting/ parent: dev_tool_int_mcp_server weight: 2 + - name: SCFW GitHub Action + identifier: dev_tool_int_scfw_github_action + url: /security/code_security/dev_tool_int/scfw_github_action/ + parent: dev_tool_int + weight: 6 - name: Troubleshooting identifier: sec_code_sec_tshoot url: /security/code_security/troubleshooting/