Datadog SAST Finds the Bugs. Here's How to Fix Them Automatically.

Written by: Chase Farmer
Published on: Apr 29, 2026

If you run Datadog SAST, your findings live in one system and your fixes happen in another. The gap between detection and remediation is where findings go to die. They sit in a queue, someone triages the top 20, the other 300 age out, and the next scan adds 40 more. The backlog grows monotonically.

This is not a Datadog-specific problem. It is a structural problem with how the industry handles static analysis findings. The average team runs 5.3 scanning tools. Each tool produces findings. None of them fix what they find.

Pixee now integrates directly with Datadog SAST. Findings flow from Datadog into Pixee's triage and remediation pipeline, where 70-95% of false positives get eliminated automatically and the true positives get code fixes opened as pull requests. Across Pixee customers, developers merge 76% of these generated fixes. You see a PR, not a ticket.

Two integration paths

The integration supports two modes. The right choice depends on your environment and security policy.

Native API (zero CI/CD changes)

Pixee connects directly to your Datadog account and pulls SAST findings automatically. You provide a Datadog API key and Application key in the Pixee admin console, and findings start flowing. No CI/CD pipeline changes. No new build steps.

This mode works with all six Datadog regional sites (US1, US3, US5, EU1, AP1, US1-FED) and auto-discovers your repositories from your connected SCM. If you run Datadog SAST and want the fastest path to automated remediation, this is it.

SARIF upload (open-source, no Datadog keys needed)

Run Datadog's open-source Static Analyzer CLI in your CI/CD pipeline, output a SARIF file, and upload it to Pixee's API. No Datadog account required. No API keys shared with Pixee.

This path is the right choice when your security policy requires all data flows to originate from your CI/CD environment, or when you want to evaluate Datadog's SAST engine without a Datadog contract.

Setup details for both paths are in our integration docs.

What happens to your findings

Both paths feed into the same pipeline. Here is what that pipeline does to every Datadog SAST finding that arrives.

Triage. Pixee runs multi-layer analysis on each finding: exploitability assessment, contextual analysis of whether the code path actually handles untrusted input, and cross-scanner correlation if you have other scanners connected. At industry-typical false positive rates of 71-88%, most of an AppSec engineer's manual triage time is spent on findings that do not matter. Pixee eliminates that noise automatically, with actual reduction depending on the scanner's baseline rate. This aligns with our SAST False Positives: 3-Category Framework that breaks down reachability analysis and exploitability assessment.
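To make the normalization and cross-scanner correlation step concrete, here is a small worked example. It is added for this post and is not Pixee's or Datadog's code: it reads two SARIF 2.1.0 documents of the kind the SARIF upload path above carries (the shape is standard SARIF; the tool names, rule ids, file paths, line numbers and CWE tags are constructed for illustration), flattens them into one finding schema, and groups findings that point at the same file, line and CWE so that a finding two scanners agree on is queued ahead of single-tool noise.

```python
"""Normalize SARIF findings from several scanners and correlate them.

Added example, not Pixee's or Datadog's own code. The two SARIF documents
below are constructed by hand in the SARIF 2.1.0 shape that SAST tools
(including Datadog's Static Analyzer CLI) emit; tool names, rule ids,
paths, lines and tags are made up.
"""
import json
from collections import defaultdict

# Constructed SARIF output from a first scanner (SARIF 2.1.0 shape).
DATADOG_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "datadog-static-analyzer",
            "rules": [
                {"id": "example/sql-injection", "properties": {"tags": ["CWE-89"]}},
                {"id": "example/unused-import", "properties": {"tags": []}},
            ],
        }},
        "results": [
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "Query built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "example/unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Constructed SARIF output from a second, different scanner.
OTHER_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "other-sast",
            "rules": [
                {"id": "sqli-001", "properties": {"tags": ["security", "CWE-89"]}},
                {"id": "xss-004", "properties": {"tags": ["CWE-79"]}},
            ],
        }},
        "results": [
            {"ruleId": "sqli-001", "level": "error",
             "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "xss-004", "level": "warning",
             "message": {"text": "Reflected XSS"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }],
})


def normalize(sarif_text):
    """Flatten one SARIF document into a list of plain finding dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            tags = rule.get("properties", {}).get("tags", [])
            cwes = sorted(t for t in tags if t.upper().startswith("CWE-"))
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "tool": driver["name"],
                    "rule": res.get("ruleId"),
                    "level": res.get("level", "warning"),
                    "file": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "cwe": cwes[0] if cwes else None,
                })
    return findings


def correlate(findings):
    """Group findings that point at the same file, line and CWE across tools."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["file"], f["line"], f["cwe"])].append(f)
    out = []
    for (path, line, cwe), members in groups.items():
        tools = sorted({m["tool"] for m in members})
        out.append({"file": path, "line": line, "cwe": cwe,
                    "tools": tools, "corroborated": len(tools) > 1})
    return sorted(out, key=lambda g: (g["file"], g["line"] or 0))


def triage_order(groups):
    """Queue findings two scanners agree on first; untagged single-tool noise last."""
    return sorted(groups, key=lambda g: (not g["corroborated"], g["cwe"] is None))


if __name__ == "__main__":
    merged = correlate(normalize(DATADOG_SARIF) + normalize(OTHER_SARIF))
    for g in triage_order(merged):
        print(g["file"], g["line"], g["cwe"], g["tools"], "corroborated" if g["corroborated"] else "")
```

The grouping key deliberately uses the CWE rather than the scanner's own rule id, because rule ids are tool-specific and never line up across vendors; the CWE tag is the one field most SARIF producers share. In a real pipeline the corroboration flag is only one input to exploitability, but it is a cheap first cut that surfaces the findings worth a human's attention before the queue is triaged.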

Fix generation. For triaged true positives, Pixee generates code fixes that match your repository's conventions. Not generic patches. They account for your framework versions, coding style, and dependency constraints. Fixes arrive as pull requests with explanations of what changed and why. For deeper context on how purpose-built remediation differs from generic AI wrappers, see AI Code Security Fixes: Three Gaps You Can't Prompt Around.

Developer acceptance. That 76% merge rate matters because a fix developers reject is just a different kind of noise. If the automated fix does not respect how your team writes code, it creates work instead of removing it. The merge rate is the ground truth for whether automated remediation works in practice. We dig deeper into this in Why Pixee Achieves a 76% Merge Rate on Purpose-Built Security Fixes.

What this integration does and does not do

Does:

  • Pull Datadog SAST findings into Pixee for automated triage and remediation

  • Support both cloud and self-hosted Pixee deployments

  • Work alongside Pixee's other 12 scanner integrations (CodeQL, Snyk, Checkmarx, Semgrep, SonarQube, and others)

Does not:

  • Push Pixee metrics into Datadog dashboards

  • Touch Datadog Security features (infrastructure monitoring, cloud posture, runtime threat detection)

  • Replace Datadog's own SAST findings UI

Datadog's strength is detection and monitoring. Pixee's is triage and remediation. The integration connects the two without either system trying to do the other's job.

Getting started

If you already run Datadog SAST, add your API keys in the Pixee admin console and findings start flowing within the hour.

If you run Datadog's Static Analyzer CLI in CI/CD, the SARIF upload path works today. Add a single upload step after your scan.

If you run 5+ scanners and Datadog is one of them, Pixee normalizes findings across all of them into a single triage and remediation pipeline. The Datadog integration is one input among many, and findings from all scanners get the same treatment. This multi-scanner approach helps teams move from tool sprawl toward consolidation, as we explored in AWS Bundles 14 Security Vendors Into One Bill.

Full setup documentation is available in our integration guide.
