Datadog Software Composition Analysis (SCA) continuously monitors your production environment for vulnerabilities in the open source libraries your applications rely on. You can identify and prioritize the remediation of the highest vulnerabilities by business impact.

This guide walks you through best practices for getting your team up and running with SCA.

Phase 1: Enable

  1. Check ASM Compatibility to see if your service is supported.

  2. Enable Software Composition Analysis on your services.


    • Navigate to Security -> Configuration -> Application Security -> Setup.
    • Click Get Started to enable Software Composition Analysis for static analysis in source code.
    • Select and configure your CI/CD provider.
    • Click Get Started to enable Software Composition Analysis for runtime analysis in running services.
    • Choose services to secure with ASM.
    • Click Get Started to enable Software Composition Analysis for code security.
    • Select your programming language, and restart your services.
    Software Composition Analysis setup page.

Phase 2: Identify

  1. Identify Vulnerabilities: Navigate to Security -> Application Security -> Vulnerabilities.

    • Sort by Status, Vulnerability Source, and Severity.
    • To switch to the code repository commit point of view, click on the static button. To switch to the real-time point of view to the applications already running, click on the runtime button.
    Software Composition Analysis (SCA) explorer page showing vulnerabilities sorted by static or runtime.

    Each vulnerability has its own status to help prioritize and manage findings:

    OpenThe vulnerability has been detected by Datadog.
    In ProgressA user has marked the vulnerability as In Progress, but Datadog still detects it.
    MutedA user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it.
    RemediatedA user has marked the vulnerability as resolved, but Datadog still sees the vulnerability.
    Auto-ClosedThe vulnerability is no longer detected by Datadog.

    Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.

  2. View additional details by clicking on the vulnerability. This opens a panel which includes information about:

    • Which services are affected.

    • The date on which the vulnerability was last detected.

    • A description of the vulnerability.

    • Recommended remediation steps.

    • Vulnerability score.

      Application Vulnerability Management detailed view of the vulnerability.

      Note: The severity of a vulnerability within SCA is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

      The adjusted vulnerability score includes the full context of each service:

      • The original vulnerability severity.
      • Evidence of suspicious requests.
      • Sensitive or internet-exposed environments.

      Severities are scored by the following:

      CVSS ScoreQualitative Rating
      0.1 - 3.9Low
      4.0 - 6.9Medium
      7.0 – 8.9High
      9.0 – 10.0Critical
  3. Optionally, download the Software Bill of Materials (SBOM) for your service. While viewing the details of a vulnerability, click on View in Service Catalog. From here you can navigate to the Security view of your service, and download the SBOM under the libraries tab.

Phase 3: Remediate

  1. Prioritize Response and Remediate: While on the Vulnerability Explorer, take action:

    • Change the status of a vulnerability.
    • Assign it to a team member for further review.
    • Create a Jira issue. To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.
    • Review recommended remediation steps.
    • View links and information sources to understand the context behind each vulnerability.

    Note: Adding an assignee to the vulnerability does not generate a notification regarding the assignment. This action only lists their name as an annotation of the vulnerability.

    Application Vulnerability Management recommended remediation steps of the vulnerability.

Further reading