
[K9VULN-5345] Improve static sca setup documentation #29559


Merged

piloulacdog
Contributor

@piloulacdog piloulacdog commented May 27, 2025

What does this PR do? What is the motivation?

Some customers are facing issues with the SBOM upload process and have reported that the documentation provided is inadequate. They have requested escalation and the booking of an engineer to support them with this critical installation for an important customer.

We should fix the documentation so that they can better understand how to install static SCA.

Merge instructions

Merge readiness:

  • Ready for merge

Preview

The preview can be found here

@piloulacdog piloulacdog force-pushed the pierrelouis.lacorte/K9VULN-5345-improve-sca-documentation branch from 78191ed to fdc7e8c Compare May 27, 2025 16:06
@piloulacdog piloulacdog marked this pull request as ready for review May 27, 2025 16:34
@piloulacdog piloulacdog requested a review from a team as a code owner May 27, 2025 16:34
@dastrong
Contributor

This makes it seem like we don't support GitLab for our product. This request access is to be able to see Code Snippets and get MR comments FWIR.

Why not put the supported language/package managers at the top? Afraid customers won't see this at all otherwise

With the change above, we could remove the supported languages note. We could also probably shorten this whole section to be something like "Go to Security > Code Security to get started in app or following the documentation below."

I'd make this Other and say they need to use a customizable script and redirect. This GitLab link doesn't lead to a script for SCA setup.

This seems like it's better suited right under the "Run SCA scans in your CI Pipelines" heading?

@hestonhoffman hestonhoffman added the editorial review Waiting on a more in-depth review label May 27, 2025
@michaelcretzman michaelcretzman self-requested a review May 27, 2025 21:13
@michaelcretzman
Contributor

@piloulacdog have you reviewed the comments of @dastrong?

Let me know if you are going to make more changes and then I will review and merge the PR.

(DOCS editorial ticket is DOCS-11033)

@piloulacdog
Contributor Author

@dastrong, for your feedback:

> This makes it seem like we don't support GitLab for our product. This request access is to be able to see Code Snippets and get MR comments FWIR.

I think that I will likely need your help knowing exactly what it implies. I wasn't able to find a single org which had it enabled... so wasn't able to confirm that we offer...

> Why not put the supported language/package managers at the top? Afraid customers won't see this at all otherwise

That's because this list is only true if you scan using the Datadog/datadog-sbom-generator. It is not true if you use any other SBOM generator. The only true statement is the list of languages. But if you use the new osv-scanner (the google one, version v2) for example, you would have uv support. I've put it at the top of the Run SCA scans in your CI Pipelines section hoping that it helps with clarity!

> With the change above, we could remove the supported languages note. We could also probably shorten this whole section to be something like "Go to Security > Code Security to get started in app or following the documentation below."

Tried a rewording:

To get started:
1. Open [**Security** > **Code Security** > **Security Settings**][2].
2. Click **Manage Repositories** under "Activate scanning for your repositories".
3. Choose [where to run SCA scans](#select-where-to-run-static-sca-scans) (Datadog-hosted or CI Pipelines).
4. Follow the setup instructions for your source code provider.

The sections below cover the different ways to configure SCA for your repositories.

> I'd make this Other and says they need to use a customizable script and redirect. This Gitlab link doesn't lead to a script for SCA setup

✅ Updated!


github-actions bot commented May 28, 2025

✅ Documentation Team Review

The documentation team has approved this pull request. Thank you for your contribution!

@piloulacdog
Contributor Author

> @piloulacdog have you reviewed the comments of @dastrong?
>
> Let me know if you are going to make more changes and then I will review and merge the PR.
>
> (DOCS editorial ticket is DOCS-11033)

Hi @michaelcretzman, I will ping us as soon as we agree on our final copy (by EoD)

@dastrong
Contributor

Love the changes (especially the Further Reading section). One thing to note with the changes to the linking services tab is that this content is on a couple of different pages I believe (this, this one), so maybe omit it in this PR or update all occurrences. Ping @kassenq for final review though.

@michaelcretzman
Contributor

@piloulacdog are you going to ping @kassenq for review as suggested by @dastrong or can I review and merge?

@piloulacdog
Contributor Author

Hi @michaelcretzman, I did ping @kassenq on Slack, I think she didn't get the chance to look at it just yet.
Please feel free to review! I don't expect push back from her. And she already gave us an initial blessing when I came up with the architecture of the re-write


@michaelcretzman michaelcretzman left a comment

Approved with minor edits that don't impact tech content. I will make the edits and merge.

@michaelcretzman
Contributor

/merge

@dd-devflow

dd-devflow bot commented May 29, 2025

View all feedbacks in Devflow UI.

2025-05-29 00:09:39 UTC ℹ️ Start processing command /merge


2025-05-29 00:09:45 UTC ℹ️ MergeQueue: waiting for PR to be ready

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2025-05-29 00:39:09 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in master is approximately 20m (p90).


2025-05-29 00:39:14 UTC MergeQueue: This merge request is not mergeable, blocked by github

PR can't be merged according to github policy

@piloulacdog
Contributor Author

/merge

@dd-devflow

dd-devflow bot commented May 29, 2025

View all feedbacks in Devflow UI.

2025-05-29 08:36:09 UTC ℹ️ Start processing command /merge


2025-05-29 08:36:14 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 20m (p90).


2025-05-29 08:56:01 UTC ℹ️ MergeQueue: This merge request was merged

@dd-mergequeue dd-mergequeue bot merged commit ff50f9e into master May 29, 2025
21 of 31 checks passed
@dd-mergequeue dd-mergequeue bot deleted the pierrelouis.lacorte/K9VULN-5345-improve-sca-documentation branch May 29, 2025 08:55
Labels: editorial review (Waiting on a more in-depth review), mergequeue-status: done