From d3b78620d1223c0b206b37253a96b10d7dc27a6d Mon Sep 17 00:00:00 2001 From: Ryan Coulter Date: Tue, 16 Jun 2026 10:48:13 -0400 Subject: [PATCH 1/3] Document lockfile-less SCA scanning for package.json and pyproject.toml --- .../setup_static/_index.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md index aa5ad8fb189..673463987a7 100644 --- a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md +++ b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md @@ -43,6 +43,23 @@ Datadog SCA scans libraries in the following languages using dependency manifest **Note:** If both a `packages.lock.json` and a `.csproj` file are present, the `packages.lock.json` takes precedence and provides more precise version resolution. +## Lockfile-less scanning + +When a repository does not contain a supported lockfile, Datadog SCA can scan manifest files directly to identify dependencies. + +| Language | Package Manager | File | +|----------|------------------------|------------------| +| Node.js | npm, yarn, pnpm, Bun | `package.json` | +| Python | Poetry, PDM, UV, pip | `pyproject.toml` | + +**Supported sections:** +- `package.json`: `dependencies`, `devDependencies`, and `optionalDependencies` +- `pyproject.toml`: PEP 621 `dependencies` and `optional-dependencies`, PEP 735 `dependency-groups`, and Poetry dependency sections + +
+Because manifests declare version ranges (such as ^2.3.4 or >=1.0,<2) rather than pinned versions, Datadog resolves each range to a published version. Results may differ from what a package manager would install. Where a lockfile is available, it takes precedence and provides more precise version resolution. +
+ ## Select where to run static SCA scans By default, scans run when you commit changes that update supported dependency manifests or lockfiles in an enabled repository. You can also run SCA in your CI pipelines; CI jobs are supported for `push` events. From 30f1db2cff3946311f05333ba7a4b676a0655f37 Mon Sep 17 00:00:00 2001 From: Ryan Coulter Date: Tue, 16 Jun 2026 11:41:58 -0400 Subject: [PATCH 2/3] Clarify lockfile precedence and version selection --- .../software_composition_analysis/setup_static/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md index 673463987a7..e7332df16e3 100644 --- a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md +++ b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md @@ -45,7 +45,7 @@ Datadog SCA scans libraries in the following languages using dependency manifest ## Lockfile-less scanning -When a repository does not contain a supported lockfile, Datadog SCA can scan manifest files directly to identify dependencies. +Datadog SCA scans manifest files **only when no supported lockfile is detected**. When a lockfile is present, it takes precedence and the manifest is not scanned. | Language | Package Manager | File | |----------|------------------------|------------------| @@ -57,7 +57,7 @@ When a repository does not contain a supported lockfile, Datadog SCA can scan ma - `pyproject.toml`: PEP 621 `dependencies` and `optional-dependencies`, PEP 735 `dependency-groups`, and Poetry dependency sections
-Because manifests declare version ranges (such as ^2.3.4 or >=1.0,<2) rather than pinned versions, Datadog resolves each range to a published version. Results may differ from what a package manager would install. Where a lockfile is available, it takes precedence and provides more precise version resolution. +Because manifests declare version ranges (such as ^2.3.4 or >=1.0,<2) rather than pinned versions, Datadog resolves each range by selecting the newest published version that satisfies the range. Pre-release versions are excluded.
## Select where to run static SCA scans From cb38e0e6a0fb5c86618e73ffe275856ca0a0e371 Mon Sep 17 00:00:00 2001 From: Ryan Coulter Date: Tue, 16 Jun 2026 11:43:21 -0400 Subject: [PATCH 3/3] Manifests can declare ranges, not always --- .../software_composition_analysis/setup_static/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md index e7332df16e3..64dd577c589 100644 --- a/content/en/security/code_security/software_composition_analysis/setup_static/_index.md +++ b/content/en/security/code_security/software_composition_analysis/setup_static/_index.md @@ -57,7 +57,7 @@ Datadog SCA scans manifest files **only when no supported lockfile is detected** - `pyproject.toml`: PEP 621 `dependencies` and `optional-dependencies`, PEP 735 `dependency-groups`, and Poetry dependency sections
-Because manifests declare version ranges (such as ^2.3.4 or >=1.0,<2) rather than pinned versions, Datadog resolves each range by selecting the newest published version that satisfies the range. Pre-release versions are excluded. +Because manifests can declare version ranges (such as ^2.3.4 or >=1.0,<2) rather than pinned versions, Datadog resolves each range by selecting the newest published version that satisfies the range. Pre-release versions are excluded.
## Select where to run static SCA scans
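Review bot: In PATCH 1/3 (hunk `@@ -43,6 +43,23 @@`), the "Supported sections" list for `package.json` names `dependencies`, `devDependencies` and `optionalDependencies` but says nothing about `peerDependencies` or `bundledDependencies`; state explicitly whether those are ignored, since a reader will otherwise assume a package declared only as a peer dependency is covered. In the same hunk, the added section restates lockfile precedence ("Where a lockfile is available, it takes precedence and provides more precise version resolution.") right after the existing `.csproj` / `packages.lock.json` note says the same thing; consider linking the two so the precedence rule is documented in one place.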
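Review bot: In PATCH 2/3 (hunk `@@ -45,7 +45,7 @@`), "only when no supported lockfile is detected" does not say at what scope detection happens. A repository can hold a `package-lock.json` alongside a `pyproject.toml` that has no lockfile; the sentence should make clear whether the lockfile check is per manifest / per ecosystem or repository-wide, and "supported lockfile" should point back to the lockfile table earlier on the page so readers know which files suppress manifest scanning.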
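Review bot: In PATCH 2/3 (hunk `@@ -57,7 +57,7 @@`), the rewrite drops "Results may differ from what a package manager would install", which was the security-relevant caveat: resolving to the newest version satisfying the range means a vulnerability fixed in that newest version is not reported even though an environment installed earlier may still hold an affected version. Suggest keeping a sentence to that effect and recommending a committed lockfile for accurate results. The hunk also says "Pre-release versions are excluded" without covering the edge case where only pre-releases satisfy the range (for example a range whose lower bound is itself a pre-release); document whether such a dependency is skipped or reported.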
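Review bot: In PATCH 3/3 (hunk `@@ -57,7 +57,7 @@`), changing "declare" to "can declare" is correct, but the sentence now only describes the range case; add a clause stating how an exact pin (`==1.2.3` in `pyproject.toml`, `"1.2.3"` in `package.json`) is handled, for example that the declared version is used as-is, so the behaviour for the common pinned case is documented alongside range resolution.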