Container Images View

Overview

The container images view in Datadog provides key insights into every image used in your environment to help you assess each image's deployment footprint. It also helps you detect and remediate security and performance issues that affect every container started from the same image. You can view container image details alongside the rest of your container data to troubleshoot image issues affecting infrastructure health. Additionally, you can view vulnerabilities found in your container images by Cloud Security Management (CSM) to help you streamline your security efforts.

Figure: the container images view, highlighting vulnerabilities and the container column sort feature.

Configure container images view

Images on the container images view are collected from several different sources (Live Containers, Image Collection, and Amazon ECR). The following instructions describe how to enable images from each of these sources.

Live Containers

To enable live container collection, see the containers documentation, which covers enabling the Process Agent and including or excluding containers from collection.

Image collection

Datadog collects container image metadata to provide enhanced debugging context for related containers and Cloud Security Management (CSM) vulnerabilities.

Configure the Agent

The following instructions enable container image metadata collection and Software Bill of Materials (SBOM) collection in the Datadog Agent for CSM Vulnerabilities. The Agent generates an SBOM of the libraries in each container image, and Datadog matches it against known vulnerabilities. Your containers are re-evaluated against the vulnerability data every hour, so a newly published vulnerability in an already-running image shows up without a redeploy.

Note: The CSM Vulnerabilities feature is not available for AWS Fargate or Windows environments.

Image collection is enabled by default with Datadog Operator version >= 1.3.0.
Otherwise, add the following to the spec section of your DatadogAgent custom resource manifest (this is the Operator manifest, not a Helm values.yaml file):

apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    # ...
    sbom:
      enabled: true
      containerImage:
        enabled: true

If you are using the Datadog Helm chart version >= 3.46.0 (the chart version, not the Helm binary version), image collection is enabled by default.
Otherwise, add the following to your values.yaml Helm configuration file:

datadog:
  containerImageCollection:
    enabled: true
  sbom:
    containerImage:
      enabled: true

To enable container image vulnerability scanning on your ECS on EC2 instances, add the following environment variables to the datadog-agent container definition in your task definition:

{
    "containerDefinitions": [
        {
            "name": "datadog-agent",
            ...
            "environment": [
                ...
                {
                    "name": "DD_CONTAINER_IMAGE_ENABLED",
                    "value": "true"
                },
                {
                    "name": "DD_SBOM_ENABLED",
                    "value": "true"
                },
                {
                    "name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
                    "value": "true"
                }
            ]
        }
    ],
    ...
}

If the Agent fails to extract the SBOM from a container image (for example, it is OOM-killed while scanning a large image), increase the Agent memory in the container definition. The memory field is the container's hard limit in MiB; 256 is the value shown here, and larger images may need more:

{
    "containerDefinitions": [
        {
            "name": "datadog-agent",
            "memory": 256,
            ...
        }
    ],
    ...
}

For an Agent configured through its datadog.yaml configuration file (for example, a host-installed Agent), add the following; these are the same settings that the DD_SBOM_ENABLED, DD_SBOM_CONTAINER_IMAGE_ENABLED, and DD_CONTAINER_IMAGE_ENABLED environment variables set:

sbom:
  enabled: true
  container_image:
    enabled: true
container_image:
  enabled: true
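The Operator, Helm, ECS, and datadog.yaml snippets above all turn on the same three settings. The following is an added example, not Datadog's own code: a hypothetical helper that lints the datadog-agent container in an ECS task definition for those settings, applies the note above (CSM Vulnerabilities is not available on AWS Fargate or Windows), and produces a corrected copy. The task definition is a constructed sample, and the 256 MiB memory floor is an assumption taken from the page's example rather than an official minimum.

```python
"""Lint and fix the Datadog Agent container in an ECS task definition.

Hypothetical helper written for this page (not Datadog's own code). It checks
that the three environment variables the page lists are set, that the Agent
container has a memory limit (MiB), and that the task is not a Fargate or
Windows task, where CSM Vulnerabilities is not available. The 256 MiB floor
is taken from the page's example and is an assumption, not an official minimum.
"""
import copy
import json

REQUIRED_ENV = {
    "DD_CONTAINER_IMAGE_ENABLED": "true",
    "DD_SBOM_ENABLED": "true",
    "DD_SBOM_CONTAINER_IMAGE_ENABLED": "true",
}
MIN_MEMORY_MIB = 256  # assumption: the value used in the page's example

# Constructed sample: an EC2 task whose Agent container enables image
# collection but not SBOM collection, and has no memory limit.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "datadog-agent",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "image": "datadog/agent:7",
      "environment": [
        {"name": "DD_API_KEY", "value": "<redacted>"},
        {"name": "DD_CONTAINER_IMAGE_ENABLED", "value": "true"}
      ]
    }
  ]
}
""")


def find_agent_container(task_def):
    """Return the container definition named datadog-agent, or None."""
    for container in task_def.get("containerDefinitions", []):
        if container.get("name") == "datadog-agent":
            return container
    return None


def check_task_definition(task_def):
    """Return a list of problems; an empty list means the settings look right."""
    problems = []
    if "FARGATE" in task_def.get("requiresCompatibilities", []):
        problems.append("CSM Vulnerabilities is not available on AWS Fargate")
    os_family = task_def.get("runtimePlatform", {}).get("operatingSystemFamily", "LINUX")
    if os_family.upper().startswith("WINDOWS"):
        problems.append("CSM Vulnerabilities is not available on Windows")
    agent = find_agent_container(task_def)
    if agent is None:
        problems.append("no container named datadog-agent")
        return problems
    env = {e.get("name"): e.get("value") for e in agent.get("environment", [])}
    for name, want in REQUIRED_ENV.items():
        got = env.get(name)
        if got is None:
            problems.append(f"{name} is not set")
        elif str(got).lower() != want:
            problems.append(f"{name} is {got!r}, expected {want!r}")
    memory = agent.get("memory")
    if memory is None:
        problems.append("datadog-agent has no memory limit; SBOM extraction needs headroom")
    elif memory < MIN_MEMORY_MIB:
        problems.append(f"datadog-agent memory is {memory} MiB, below {MIN_MEMORY_MIB} MiB")
    return problems


def enable_sbom_collection(task_def, memory_mib=MIN_MEMORY_MIB):
    """Return a copy of task_def with the env vars set and a memory limit applied."""
    fixed = copy.deepcopy(task_def)
    agent = find_agent_container(fixed)
    if agent is None:
        raise ValueError("no datadog-agent container to configure")
    env = agent.setdefault("environment", [])
    by_name = {e["name"]: e for e in env if "name" in e}
    for name, value in REQUIRED_ENV.items():
        if name in by_name:
            by_name[name]["value"] = value  # correct a wrong value in place
        else:
            env.append({"name": name, "value": value})
    if (agent.get("memory") or 0) < memory_mib:
        agent["memory"] = memory_mib
    return fixed


if __name__ == "__main__":
    for problem in check_task_definition(SAMPLE_TASK_DEF):
        print("before:", problem)
    print(json.dumps(enable_sbom_collection(SAMPLE_TASK_DEF), indent=2))
```

Run it against a task definition exported with `aws ecs describe-task-definition` (the `taskDefinition` object) before registering a new revision; the Fargate and Windows checks catch the case where the environment variables are set but the feature cannot work on that launch type.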

Container registries

Amazon Elastic Container Registry (Amazon ECR)

Set up the AWS integration to begin crawling container image metadata from Amazon ECR.

Container image tagging

Tag and enrich your container images with arbitrary tags by using the Agent's extract-labels-as-tags configuration (the container_labels_as_tags setting in datadog.yaml, or the DD_CONTAINER_LABELS_AS_TAGS environment variable), which maps container labels to Datadog tags. These tags are then picked up by the container image check.
