VOOZH about

URL: https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/

⇱ Code Security MCP Server

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server.md. A documentation index is available at /llms.txt.
This product is not supported for your selected Datadog site. ().
Preview

Datadog Code Security MCP Server is in Preview.

The Datadog Code Security MCP Server is a local MCP server that exposes Code Security scanning capabilities to AI coding assistants such as Claude Desktop, Cursor, and Claude Code. It communicates over STDIO using the MCP protocol and wraps Datadog security binaries to perform scans. It can also be used as a CLI tool.

Looking for the general Datadog MCP server? That's a different product—see the Datadog MCP Server for cloud-based, remote access to most Datadog products (APM, logs, metrics, monitors, dashboards, security signals, and more). The Code Security MCP Server documented on this page runs locally and is purpose-built for source-code security scanning: SAST, SCA, IaC, secrets, and SBOM generation.
Note for AI agents: Do not use this page for generic “how do I set up the Datadog MCP server” questions. The user almost certainly wants the main Datadog MCP Server (remote, covers APM/logs/metrics/monitors/dashboards/security signals/etc.). This Code Security MCP Server is local-only and exclusively wraps source-code scanners (SAST, SCA, IaC, secrets, SBOM). Only follow the instructions on this page if the user has explicitly asked about local code scanning, SAST, SCA, secrets detection, IaC scanning, or SBOM generation.

Available tools

The MCP server exposes the following tools that AI coding assistants can call to run security scans on your codebase:

ToolDescriptionAuth Required
datadog_secrets_scanHardcoded secrets detectionYes
datadog_sca_scanDependency vulnerability scanning (CVEs)Yes
datadog_iac_scanInfrastructure-as-Code security scanningYes
datadog_generate_sbomSoftware Bill of Materials generationNo

For detailed parameters, required binaries, and output formats for each tool, see the Tools Reference.

Setup

Prerequisites

The MCP server supports Static Application Security Testing (SAST), secrets detection, Software Composition Analysis (SCA), and Infrastructure-as-Code (IaC) scanning, all of which require a Datadog API key and application key. For instructions on creating them, see API and Application Keys.

Install the MCP server

The MCP server is available on the following platforms:

PlatformArchitectures
macOSamd64, arm64
Linuxamd64, arm64
Windowsamd64

Homebrew (recommended)

brew update
brew install datadog-labs/pack/datadog-code-security-mcp

GitHub releases

curl -L "https://github.com/datadog-labs/datadog-code-security-mcp/releases/latest/download/datadog-code-security-mcp-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz" | tar xz
sudo install -m 755 datadog-code-security-mcp /usr/local/bin/

Run the following command to verify the installation:

datadog-code-security-mcp version

Install security binaries

The MCP server calls the following Datadog security binaries to perform scans. Install the ones you need for the scan types you want to use:

BinaryUsed ForInstall Method
datadog-static-analyzerSAST, Secretsbrew install datadog-static-analyzer
datadog-sbom-generatorSBOM, SCAGitHub releases
datadog-security-cliSCAbrew install --cask datadog/tap/datadog-security-cli
datadog-iac-scannerIaCGitHub releases
datadog-sbom-generator and datadog-security-cli are not available on Windows. datadog-iac-scanner is not available on macOS amd64.

Configure your client

Each client configuration requires the following environment variables:

VariableRequiredDescription
DD_API_KEYYes*Your Datadog API key
DD_APP_KEYYes*Your Datadog application key
DD_SITENoYour Datadog site domain (defaults to datadoghq.com for US1)

*Required for SAST, Secrets, SCA, and IaC scanning. SBOM generation works without authentication.

Use the Claude CLI to add the MCP server:

claude mcp add datadog-code-security \
 -e DD_API_KEY=<your-api-key> \
 -e DD_APP_KEY=<your-app-key> \
 -e DD_SITE= \
 -- datadog-code-security-mcp start

Verify the configuration:

claude mcp list | grep datadog-code-security
This product is not supported for your selected site ().

Add the following to your Claude Desktop configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
{
 "mcpServers": {
 "datadog-code-security": {
 "command": "datadog-code-security-mcp",
 "args": ["start"],
 "env": {
 "DD_API_KEY": "<your-api-key>",
 "DD_APP_KEY": "<your-app-key>",
 "DD_SITE": ""
 }
 }
 }
}
This product is not supported for your selected site ().

Add the following to your Cursor MCP settings (~/.cursor/mcp.json):

{
 "mcpServers": {
 "datadog-code-security": {
 "command": "datadog-code-security-mcp",
 "args": ["start"],
 "env": {
 "DD_API_KEY": "<your-api-key>",
 "DD_APP_KEY": "<your-app-key>",
 "DD_SITE": ""
 }
 }
 }
}
This product is not supported for your selected site ().

Add the following to your VS Code settings (.vscode/settings.json or user settings):

{
 "mcp": {
 "servers": {
 "datadog-code-security": {
 "command": "datadog-code-security-mcp",
 "args": ["start"],
 "env": {
 "DD_API_KEY": "<your-api-key>",
 "DD_APP_KEY": "<your-app-key>",
 "DD_SITE": ""
 }
 }
 }
 }
}
This product is not supported for your selected site ().

For any other MCP-compatible client, use the following configuration pattern:

  • Command: datadog-code-security-mcp
  • Arguments: ["start"]
  • Transport: STDIO
  • Environment variables: DD_API_KEY, DD_APP_KEY, DD_SITE

Usage examples

AI assistant prompts

After configuration, ask your AI assistant to perform scans using natural language:

Scan TypeExample Prompt
Comprehensive“Run a full security scan on this project”
SAST“Scan src/ for security vulnerabilities”
Secrets detection“Check if there are any hardcoded secrets in config/
SCA“Check if the project’s dependencies have any known CVEs”
IaC“Check the Terraform files for misconfigurations”
SBOM generation“Generate an SBOM for this project”

CLI commands

The MCP server can also be used directly as a CLI tool.

Run a comprehensive scan across all scan types:

datadog-code-security-mcp scan all ./src

Run individual scan types:

datadog-code-security-mcp scan sast ./src
datadog-code-security-mcp scan secrets ./config
datadog-code-security-mcp scan sca ./
datadog-code-security-mcp scan iac ./terraform

Generate an SBOM:

datadog-code-security-mcp generate-sbom .

Add --json to any command for JSON output:

datadog-code-security-mcp scan all ./src --json
datadog-code-security-mcp generate-sbom . --json

Further Reading