Add Git Hooks (#24455)

* add git hooks * fix two spaces * update image * Apply suggestions from code review Co-authored-by: Ursula Chen <[email protected]> --------- Co-authored-by: Ursula Chen <[email protected]>
DataDog · Sep 3, 2024 · 0365573 · 0365573
1 parent b04713d
commit 0365573
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 4 deletions.
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
@@ -4156,16 +4156,21 @@ menu:
       parent: code_analysis
       identifier: code_analysis_ide_plugins
       weight: 5
+    - name: Git Hooks
+      url: code_analysis/git_hooks
+      parent: code_analysis
+      identifier: code_analysis_git_hooks
+      weight: 6
     - name: Troubleshooting
       url: code_analysis/troubleshooting
       parent: code_analysis
       identifier: code_analysis_troubleshooting
-      weight: 6
+      weight: 7
     - name: Frequently Asked Questions
       url: code_analysis/faq
       parent: code_analysis
       identifier: code_analysis_faq
-      weight: 7
+      weight: 8
     - name: Quality Gates
       url: quality_gates/
       pre: ci
@@ -5179,7 +5184,7 @@ menu:
       url: security/application_security/software_composition_analysis/setup/compatibility/
       parent: application_security_software_composition_analysis_setup
       identifier: appsec_compat_sca
-      weight: 2      
+      weight: 2
     - name: Code Security
       url: security/application_security/code_security/
       parent: application_security
@@ -5194,7 +5199,7 @@ menu:
       url: security/application_security/code_security/setup/compatibility/
       parent: application_security_code_security_setup
       identifier: appsec_compat_code_security
-      weight: 2      
+      weight: 2
     - name: Threat Management
       url: security/application_security/threats/
       parent: application_security

diff --git a/content/en/code_analysis/git_hooks/_index.md b/content/en/code_analysis/git_hooks/_index.md
@@ -0,0 +1,70 @@
+---
+title: Git Hooks
+description: Prevent the merging of code with errors
+further_reading:
+- link: "/code_analysis/"
+  tag: "Documentation"
+  text: "Learn about Code Analysis"
+- link: "/code_analysis/static_analysis/"
+  tag: "Documentation"
+  text: "Learn about Static Analysis"
+- link: "/code_analysis/software_composition_analysis/"
+  tag: "Documentation"
+  text: "Learn about Software Composition Analysis"
+---
+
+## Overview
+
+A [Git hook](https://git-scm.com/docs/githooks) is a program executed before a user commits code to a repository
+or pushes code to a remote location. A Git hook is generally used to run verifications
+and enforce requirements on the code before it is pushed to the remote branch.
+
+Datadog Code Analysis provides a Git hook to check for static analysis
+violations or secrets before code is pushed or committed. The Datadog Code Analysis Git hook
+checks the code from the latest commit and the default branch and surfaces
+any errors it detects.
+
+The Datadog Git hook warns developers before they push any code
+containing coding errors, vulnerabilities, or secrets. When you commit code with an
+error, a prompt like the following appears in the user terminal:
+
+{{< img src="code_analysis/git_hooks/git_hook.png" alt="Datadog Git Hook detecting vulnerabilities" style="width:100%;">}}
+
+## Setup
+
+1. Download the `datadog-git-hook` program from the release page or the [Datadog Static Analyzer
+releases](https://github.com/DataDog/datadog-static-analyzer/releases).
+2. Install the program on your computer.
+3. Add a `.git/hooks/pre-push` file in the repository with the script below. **Note:** The script assumes the `datadog-static-analyzer-git-hook` binary is in `/usr/local/bin/datadog-static-analyzer-git-hook`.
+
+```shell
+#!/bin/sh
+
+# Get the repo root path
+repo_path=$(git rev-parse --show-toplevel)
+
+# Make sure the user can provide some input
+exec < /dev/tty
+
+/usr/local/bin/datadog-static-analyzer-git-hook -r $repo_path --secrets --confirmation --default-branch <default-branch>
+
+if [ $? -eq 0 ]; then
+    echo "datadog-static-analyzer check passed"
+    exit 0
+else
+    echo "datadog-static-analyzer check failed"
+    exit 1
+fi
+```
+
+The program accepts the following parameters:
+
+ - `--confirmation`: Ask the user for confirmation to override the Git hook check
+ - `--default-branch`: Specify the name of the default branch.
+ - `--secrets`: Enable secrets detection (private beta).
+ - `--output <file>`: Export the findings found in the commit into a SARIF file.
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
diff --git a/static/images/code_analysis/git_hooks/git_hook.png b/static/images/code_analysis/git_hooks/git_hook.png