Overview

Datadog Software Composition Analysis (SCA) continuously monitors your production environment for vulnerabilities in the open source libraries your applications rely on. You can identify and prioritize the remediation of the highest vulnerabilities by business impact.

This guide walks you through best practices for getting your team up and running with SCA.

Phase 1: Enable

  1. Check ASM Compatibility to see if your service is supported.

  2. Enable Software Composition Analysis on your services.

    • Navigate to the Quick Start Guide.
    • Expand Enable Vulnerability Detection.
    • Click Start Activation.
    • Choose services to secure with ASM.

    OR

    • Navigate to the Setup page.
    • To enable Software Composition Analysis for static analysis in source code, in Software Composition Analysis, click Get Started.
      • In SCA static analysis in source code, click See Instructions.
      • In SCA runtime analysis in running services, click Select Services.

Phase 2: Identify

  1. Identify Vulnerabilities: Navigate to Vulnerabilities.

    • Sort by Status, Vulnerability Source, and Severity.
    • To switch to the code repository commit point of view, click on the static button. To switch to the real-time point of view to the applications already running, click on the runtime button.
    Software Composition Analysis (SCA) explorer page showing vulnerabilities sorted by static or runtime.

    Each vulnerability has its own status to help prioritize and manage findings:

    StatusDescription
    OpenThe vulnerability has been detected by Datadog.
    In ProgressA user has marked the vulnerability as In Progress, but Datadog still detects it.
    MutedA user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it.
    RemediatedA user has marked the vulnerability as resolved, but Datadog still sees the vulnerability.
    Auto-ClosedThe vulnerability is no longer detected by Datadog.

    Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.

  2. View additional details by clicking on the vulnerability. This opens a panel which includes information about:

    • Which services are affected.

    • The date on which the vulnerability was last detected.

    • A description of the vulnerability.

    • Recommended remediation steps.

    • Vulnerability score.

      Application Vulnerability Management detailed view of the vulnerability.

      Note: The severity of a vulnerability within SCA is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

      The adjusted vulnerability score includes the full context of each service:

      • The original vulnerability severity.
      • Evidence of suspicious requests.
      • Sensitive or internet-exposed environments.

      Severities are scored by the following:

      CVSS ScoreQualitative Rating
      0.0None
      0.1 - 3.9Low
      4.0 - 6.9Medium
      7.0 – 8.9High
      9.0 – 10.0Critical
  3. Optionally, download the Software Bill of Materials (SBOM) for your service. While viewing the details of a vulnerability, click on View in Service Catalog. From here you can navigate to the Security view of your service, and download the SBOM under the libraries tab.

Phase 3: Remediate

  1. Prioritize Response and Remediate: While on the Vulnerability Explorer, take action:

    • Change the status of a vulnerability.
    • Assign it to a team member for further review.
    • Create a Jira issue. To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.
    • Review recommended remediation steps.
    • View links and information sources to understand the context behind each vulnerability.

    Note: Adding an assignee to the vulnerability does not generate a notification regarding the assignment. This action only lists their name as an annotation of the vulnerability.

    Application Vulnerability Management recommended remediation steps of the vulnerability.

Further reading