Container Images Explorer
In Datadog, the Container Images Explorer provides insights into every image used in your environment. You can also view Cloud Security vulnerabilities in your container images, and track these vulnerabilities to specific layers.
Select the Trends tab for high-level insights across all of your images in your containerized infrastructure. Container image trends metrics can help you answer key questions about your security posture and deployment footprint over the span of weeks and months.
Configuration
Setup
Container Images Explorer uses data from the following sources:
Enable container collection
Container collection is enabled by default for most Datadog Agent installations. See Set up container collection for details.
Enable image collection
When you install the Datadog Agent by using the Datadog Operator, image collection is automatically enabled.
When you install the Datadog Agent by using the official Helm chart, image collection is enabled by default.
To verify that image collection is enabled, ensure that datadog.containerImageCollection.enabled is set to true in datadog-values.yaml.
datadog:
  containerImageCollection:
    enabled: true
To enable container image collection on your ECS EC2 instances, add the following environment variables to your datadog-agent container definition:
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      ...
      "environment": [
        ...
        {
          "name": "DD_CONTAINER_IMAGE_ENABLED",
          "value": "true"
        }
      ]
    }
  ]
  ...
}
Add the following to your datadog.yaml configuration file:
container_image:
  enabled: true
Enable SBOM collection
To automatically detect container image vulnerabilities, enable Software Bill of Materials (SBOM) collection for Cloud Security Vulnerabilities. Vulnerabilities are evaluated and scanned against your containers every hour.
Windows environments: The Cloud Security Vulnerabilities feature is not available for containers running on Windows environments.
Amazon ECS with AWS Fargate: The Cloud Security Vulnerabilities feature is available for ECS Fargate through Agentless scanning.
Google Kubernetes Engine (GKE): To enable SBOM collection in GKE, you must disable GKE's image streaming feature.
Add the following to your datadog-agent.yaml file:
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    # ...
    sbom:
      enabled: true
      containerImage:
        enabled: true
      host:
        enabled: true
Add the following to your datadog-values.yaml file:
datadog:
  sbom:
    containerImage:
      enabled: true
    host:
      enabled: true
To enable container image vulnerability scanning on your ECS EC2 instances, add the following environment variables to your datadog-agent container definition:
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      ...
      "environment": [
        ...
        {
          "name": "DD_SBOM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SBOM_HOST_ENABLED",
          "value": "true"
        }
      ]
    }
  ]
  ...
}
If the Agent fails to extract the SBOM from the container image, increase the Agent memory in the container definition:
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "memory": 256,
      ...
    }
  ]
  ...
}
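Because the ECS EC2 setup above is split across two edits to the same task definition (DD_CONTAINER_IMAGE_ENABLED for image collection, then the three DD_SBOM_* variables for vulnerability scanning), it is easy to ship a datadog-agent container definition with one of them missing or set to a value other than "true". The following is an added example, not part of the Datadog documentation or the Agent: a small Python check that reads a task definition JSON document and reports which of the four documented variables are absent or not set to "true". The sample task definitions embedded below are constructed for illustration; the variable names are the ones this page documents.

```python
import json
import sys

# Environment variables this page documents for the datadog-agent container
# on ECS EC2: one for container image collection, three for SBOM collection.
REQUIRED_ENV = {
    "DD_CONTAINER_IMAGE_ENABLED",
    "DD_SBOM_ENABLED",
    "DD_SBOM_CONTAINER_IMAGE_ENABLED",
    "DD_SBOM_HOST_ENABLED",
}


def find_agent_container(task_def, name="datadog-agent"):
    """Return the container definition named `name`, or None if absent."""
    for cdef in task_def.get("containerDefinitions", []):
        if cdef.get("name") == name:
            return cdef
    return None


def check_task_definition(task_def, required=REQUIRED_ENV):
    """Return a sorted list of findings; an empty list means every
    documented variable is present and set to "true"."""
    agent = find_agent_container(task_def)
    if agent is None:
        return ["no container named 'datadog-agent' in containerDefinitions"]
    # ECS stores environment as a list of {"name": ..., "value": ...} objects.
    env = {e.get("name"): e.get("value") for e in agent.get("environment", [])}
    findings = []
    for var in sorted(required):
        if var not in env:
            findings.append(f"{var} is not set")
        elif str(env[var]).lower() != "true":
            findings.append(f"{var} is set to {env[var]!r}, expected 'true'")
    return findings


# Constructed sample: all four variables enabled (mirrors the page's snippets).
COMPLETE_TASK_DEF = json.loads("""
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "memory": 256,
      "environment": [
        {"name": "DD_CONTAINER_IMAGE_ENABLED", "value": "true"},
        {"name": "DD_SBOM_ENABLED", "value": "true"},
        {"name": "DD_SBOM_CONTAINER_IMAGE_ENABLED", "value": "true"},
        {"name": "DD_SBOM_HOST_ENABLED", "value": "true"}
      ]
    }
  ]
}
""")

# Constructed sample: image collection explicitly disabled, host SBOM missing.
PARTIAL_TASK_DEF = json.loads("""
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "environment": [
        {"name": "DD_CONTAINER_IMAGE_ENABLED", "value": "false"},
        {"name": "DD_SBOM_ENABLED", "value": "true"},
        {"name": "DD_SBOM_CONTAINER_IMAGE_ENABLED", "value": "true"}
      ]
    }
  ]
}
""")


if __name__ == "__main__":
    # Usage: python check_ecs_agent.py task-definition.json
    # With no argument, run against the constructed samples above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = {sys.argv[1]: json.load(fh)}
    else:
        targets = {"complete": COMPLETE_TASK_DEF, "partial": PARTIAL_TASK_DEF}
    for label, task_def in targets.items():
        findings = check_task_definition(task_def)
        status = "OK" if not findings else "INCOMPLETE"
        print(f"{label}: {status}")
        for line in findings:
            print(f"  - {line}")
```

Run it against the JSON you get from `aws ecs describe-task-definition` (the check only reads the `containerDefinitions` array, so the wrapping `taskDefinition` object must be unwrapped first) before registering a new revision, or wire it into the pipeline that renders your task definitions.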
Add the following to your datadog.yaml configuration file:
sbom:
  enabled: true
  container_image:
    enabled: true
  host:
    enabled: true
Set up Datadog’s AWS integration and enable resource collection to collect container image metadata from Amazon ECR.
Tagging container images
To tag your container images, see Kubernetes Tag Extraction or Docker Tag Extraction.
Data collected
| Metric Name | Description |
|---|---|
| contimage.max_image_size (gauge) | The maximum size of the container image |
| contimage.max_image_age (gauge) | The age of the container image |
| contimage.running_containers (gauge) | The number of containers in which the container image is running |
| contimage.vuln_count (gauge) | The total number of vulnerabilities found in the container image (for Datadog Cloud Security customers who have enabled Container Vulnerabilities) |
Further reading
More useful links, articles, and documentation: