Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Cloud Security Management Vulnerabilities is not supported for your selected Datadog site ().

Overview

Cloud Security Management Vulnerabilities (CSM Vulnerabilities) helps you improve your security posture and achieve compliance, by continuously scanning container images, hosts, host images, and serverless functions for vulnerabilities, from CI/CD pipelines to live production. Leveraging runtime observability, it helps you prioritize and remediate exploitable vulnerabilities in your daily workflows, all in a single view, and without any dependencies on other Datadog products.

With CSM Vulnerabilities, you can manage your cloud security management strategy, all in one place:

  • Create a vulnerability management program, from CI/CD pipelines to production resources
  • Pass compliance audits (such as SOC2, PCI, HIPAA, CIS, and FedRamp)
  • Remediate emerging vulnerabilities (0-day CVEs)

Note: For vulnerability management in application libraries, see Software Composition Analysis. For application code, see Code Security.

Key capabilities

Deploy using Agentless or unified Datadog Agent
Quickly scan your entire infrastructure for vulnerabilities, either using Agentless, or by using the unified Datadog Agent you already have deployed.
Inventory cloud resources, in real-time
Inventory container images, hosts, serverless functions, and all packages deployed in your infrastructure, in real time, and export your SBOM.
Detect vulnerabilities continuously
Scan recent updates and newly published CVEs, across running container images, hosts, host images, and serverless, and identify vulnerable container image layers.
Prioritize exploitable vulnerabilities, using runtime observability
Leverage Datadog’s security scoring, which is based on CVSS, by incorporating intel from CISA KEV, EPSS, and public exploit availability. With runtime observability, you can monitor production, exposure to attacks, sensitive data processing, and privileged access.
Take advantage of guided remediation
See which layers are impacted, get suggestions specific to each image, and action on your vulnerability lifecycle management.
Implement automation and integrations
Automate the creation of Jira tickets and implement SLAs. Use Datadog’s public API to export vulnerabilities, coverage, and SBOMs.
Explore reports
View and monitor vulnerability data in your dashboards.

Deployment methods

Get started with CSM Vulnerabilities and cover your infrastructure in minutes, using:

You can also use both deployment methods to use the unified Datadog Agent where you already have it deployed, and Agentless elsewhere.

After you’ve enabled it, Datadog starts scanning your resources continuously, and starts reporting prioritized vulnerabilities in your CSM Vulnerability Explorer within an hour.

Use these tables to decide which solution to start with:

FeatureAgentlessUnified Datadog Agent
Time to deploy across your infrastructureMinutesHours to weeks
Vulnerability prioritizationYesYes, with runtime context
Vulnerability scanning frequency12 hoursReal-time
Vulnerability detection scopeAgentlessUnified Datadog Agent
Host and host imageOS packages and app packages, mapped to imageOS packages
Container imageOS packages and app packages, mapped to imageOS packages
Cloud providerAWS, Azure (Preview)AWS, Azure, GCP, on-prem, etc.
Operating systemLinuxLinux, Windows
ServerlessAWS LambdaNot applicable
Container registriesAmazon ECR (Preview)Not applicable

For more information on compatibility, see CSM Vulnerabilities Hosts and Containers Compatibility. If you need any assistance, see the troubleshooting guide, or reach out to support@datadoghq.com.

Continuously detect, prioritize, and remediate exploitable vulnerabilities

The CSM Vulnerabilities Explorer helps you investigate vulnerabilities detected across your container images, host images, running hosts, and serverless functions using filtering and grouping capabilities.

Focus on exploitable vulnerabilities first, using the Datadog Severity Score, combining the base CVSS score with many risk factors, including sensitive data, environment sensitivity, exposure to attacks, exploit availability, or threat intelligence sources.

For vulnerabilities with available fixes, the Explorer provides guided remediation steps to assist Dev and Ops teams in resolving issues more quickly and effectively. You can also triage, mute, comment, and assign vulnerabilities to manage their lifecycle.

The CSM Vulnerability Explorer displaying a vulnerability and the actions a user can take to remediate it

Automation and Jira integration

Make CSM Vulnerabilities part of your daily workflow by setting up security notification rules and automation pipelines (in Preview):

  • Get alerted upon detection of an exploitable vulnerability for your scope
  • Automatically create Jira tickets
  • Configure SLAs to remediate vulnerabilities
The notification rule setup screen

Tracking and reporting

Use the out-of-the-box CSM Vulnerabilities dashboard to track and report progress to stakeholders. Clone and modify it as needed to fit your unique needs.

The CSM Vulnerabilities dashboard

Explore infrastructure packages

The Infrastructure Packages Catalog provides a real-time inventory of all packages across hosts, host images, and container images deployed in your infrastructure. It offers an interface you can use to investigate your SBOMs, enriched with vulnerability and runtime context.

Quickly assess the impact of a critical emerging vulnerability by searching for affected package versions and identifying all of the resources that use it.

The inventory of packages deployed in the infrastructure with vulnerability context and pivot to resources using them

Video walkthrough

The following video provides an overview of how to enable and use CSM Vulnerabilities:

Further reading