URL: https://docs.datadoghq.com/security/code_security/static_analysis/ai_enhanced_sast/

AI-Enhanced Static Code Analysis


Static Code Analysis (SAST) uses AI to help automate detection, validation, and remediation across the vulnerability management lifecycle. This page provides an overview of these features.

Summary of AI features in SAST

Step of vulnerability management life cycle | Feature | Trigger point | Impact
Detection | Malicious PR protection: detect potentially malicious changes or suspicious diffs | At PR time | Flags PRs introducing novel risky code
Detection | AI-native SAST: LLM-based taint analysis to detect security vulnerabilities with higher accuracy | At scan time (Datadog Hosted Scans only) | Identifies contextually complex vulnerabilities missed by rule-based analysis
Validation | False positive filtering: deprioritize low-likelihood findings | After scan | Reduces noise, allows focus on actual issues
Remediation | Automated remediation: generate suggested fixes (and optionally PRs) for vulnerabilities manually or automatically | After scan | Reduces developer effort, accelerates fix cycle

Detection


Malicious PR protection is in Preview and supports GitHub repositories only. Click Request Access and complete the form.


Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. It scans pull requests (PRs) submitted to the default branches of your repositories for potentially malicious intent, which helps you:

  • Secure code changes from both internal and external contributors
  • Scale your code reviews as the volume of AI-assisted code changes increases
  • Embed code security into your security incident response workflows

Detection coverage

Malicious code changes come in many different forms. Datadog SAST covers attack vectors such as:

  • Malicious code injection
  • Attempted secret exfiltration
  • Pushing of malicious packages
  • CI workflow compromise

Examples include the tj-actions/changed-files breach (March 2025) and obfuscation of malicious code in npm packages (September 2025). Read more in the blog post here.

Search and filter results

Detections from Datadog SAST on potentially malicious PRs appear in Security Signals under the rule ID def-000-wnp.

There are two possible verdicts: malicious and benign. Filter on them with:

  • @malicious_pr_protection.scan.verdict:malicious
  • @malicious_pr_protection.scan.verdict:benign

Signals can be triaged directly in Datadog (assign, create a case, or declare an incident), or routed externally using Datadog Workflow Automation.

AI-native SAST


AI-Native SAST is in Preview and is only available for Datadog-hosted Scans.

Datadog’s AI-native SAST engine uses large language models (LLMs) to detect security vulnerabilities by reasoning about how data flows through your code. Unlike rule-based static analysis, it can identify vulnerabilities that require contextual understanding of application logic.

AI-native SAST uses a two-phase approach:

  1. Detection: An LLM scans each file and reasons about whether user-controlled data can reach a dangerous operation without being sanitized.
  2. Verification: A second LLM independently re-evaluates each candidate finding through taint analysis, confirming or dismissing each finding to reduce false positives.
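As an added illustration of what the detection phase reasons about (this is example code, not Datadog's engine), a toy intraprocedural taint check over Python source: data from an assumed source reaches an assumed sink unless an assumed sanitizer sits on the path. The source, sanitizer and sink names and the sample function are constructed for the example; the LLM-based engine described above does this reasoning in context rather than from fixed name lists.

```python
import ast

# Assumed source/sanitizer/sink names; a real engine infers these from context.
SOURCES = {"request.args.get", "request.form.get", "input"}
SANITIZERS = {"int", "shlex.quote", "html.escape"}
SINKS = {"cursor.execute", "os.system", "subprocess.call"}

def _name(node):  # dotted call target such as 'cursor.execute', else None
    if isinstance(node, ast.Attribute):
        base = _name(node.value)
        return f"{base}.{node.attr}" if base else None
    return node.id if isinstance(node, ast.Name) else None

def _tainted(node, tainted):  # does unsanitized user data reach this expression?
    if isinstance(node, ast.Call):
        fn = _name(node.func)
        if fn in SOURCES:
            return True
        if fn in SANITIZERS:
            return False  # a sanitizer call breaks the flow
        return any(_tainted(c, tainted) for c in [node.func, *node.args])
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def find_taint_flows(source_code):
    """Return sorted (line, sink) pairs where tainted data reaches a sink."""
    findings, tree = set(), ast.parse(source_code)
    for fn in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()  # variables holding unsanitized input, per function
        stmts = [s for s in ast.walk(fn) if isinstance(s, ast.stmt)]
        for stmt in sorted(stmts, key=lambda s: s.lineno):  # source order
            value = getattr(stmt, "value", None)  # expression the statement evaluates
            if value is None:
                continue
            if isinstance(stmt, ast.Assign) and _tainted(value, tainted):
                tainted |= {t.id for t in stmt.targets if isinstance(t, ast.Name)}
            for call in ast.walk(value):  # any sink fed by tainted data?
                if isinstance(call, ast.Call) and _name(call.func) in SINKS \
                        and any(_tainted(a, tainted) for a in call.args):
                    findings.add((call.lineno, _name(call.func)))
    return sorted(findings)

# Constructed sample: line 3 concatenates a query parameter into SQL and is
# flagged; line 4 parameterizes it and casts with int(), so it is not flagged.
SAMPLE = '''def lookup(request, cursor):
    user = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cursor.execute("SELECT * FROM users WHERE id = %s", (int(user),))
'''
```

Running `find_taint_flows(SAMPLE)` reports only the concatenated query; the verification phase described above would then independently re-check such a candidate before it becomes a finding.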

Supported languages

Language | Status
Java | Available
Python | Available
Go | Available
C# | Available
JavaScript | Available

Detected vulnerability types

Validation and triage

False positive filtering

Bits AI reviews the context of each SAST finding and assesses whether it is more likely to be a true or false positive, along with a short explanation of the reasoning.

To narrow down your initial list for triage, in Vulnerabilities, turn on the Filter out false positives toggle. This option uses the -bitsAssessment:"False Positive" query.

Each finding includes a section with an explanation of the assessment. You can provide Bits AI with feedback on its assessment using a thumbs up 👍 or thumbs down 👎.

Bits AI Memories

Bits AI Memories lets teams add rule-specific context that Bits AI uses when assessing SAST findings. Use memories to describe organization-specific frameworks, sanitizers, validation patterns, or codebase details that help Bits AI interpret findings for that rule.

In the SAST rule side panel, expand the false positive reports accordion to review reports shared by your organization for the selected rule. Use the custom context tab in the same section to add guidance for future Bits AI assessments. Memories apply at the organization and rule level for SAST. They apply only to security category SAST rules in Datadog’s default rulesets and do not apply to custom rules.

Remediation

Datadog SAST uses Bits Code to generate code fixes for vulnerabilities. You can also create an automation to automatically generate fixes for vulnerabilities as they are found or on a schedule.

To view and remediate vulnerabilities:

  1. In Datadog, navigate to Security > Code Security > Vulnerabilities, and select Static Code (SAST).
  2. Select a vulnerability to open a side panel with details about the finding and the affected code.
  3. In the Next Steps > Remediation section, click Fix with Bits, then one of the following options:

Single fix

Use Single fix to open a Bits Code session to fix this single vulnerability. You can review the proposed diff, ask follow-up questions, edit the patch, and create a pull request to apply the remediation to your source code repository.

View all Bits Code sessions on Bits AI > Bits Code > Sessions.

Create automation

Use Create automation to create a Bits Code automation to generate fixes for SAST vulnerabilities automatically, either as they are found or on a schedule.

Selecting this option opens an Automate with Bits modal with the Remediate SAST vulnerabilities action pre-filled. Complete the form, including specifying a trigger and output, then click Create Automation. See Automations to learn more about actions, triggers, and outputs.

View all Bits Code automations on Bits AI > Bits Code > Automations.

Remediation session details

Each Bits Code session shows the life cycle of an AI-generated fix so you can review and validate changes before merging. It includes:

  • The original security finding and proposed code change
  • An explanation of how and why Bits Code generated the fix
  • CI results (if enabled) to validate that the patch is safe to deploy
  • Options to refine the fix or Create PR to apply the changes to your source code repository

To open the remediation session, select the vulnerability from the Vulnerabilities page to open the side panel, scroll to the Remediation section, and select Expand & Chat.

You can also view all remediation sessions on Sessions.

Further reading