New announcements from Dash: Incident Management, Continuous Profiler, and more! New announcements from Dash!


Agent Check Agent Check

Supported OS: Linux Mac OS Windows


This check monitors Aqua.

The Aqua check will alert the user if total high-severity vulnerability is reached, or if a container is running inside a host not registered by Aqua. Aqua will also send data alerts regarding blocked events in runtime, and it is possible to trigger a webhook to scale infrastructure if more Aqua scanners are required.


The Aqua check is not included in the Datadog Agent package, so you will need to install it yourself.


If you are using Agent v6.8+ follow the instructions below to install the Aqua check on your host. See our dedicated Agent guide for installing community integrations to install checks with the Agent prior to version 6.8 or the Docker Agent:

  1. Install the developer toolkit.
  2. Clone the integrations-extras repository:

    git clone
  3. Update your ddev config with the integrations-extras/ path:

    ddev config set extras ./integrations-extras
  4. To build the aqua package, run:

    ddev -e release build aqua
  5. Download and launch the Datadog Agent.

  6. Run the following command to install the integrations wheel with the Agent:

    datadog-agent integration install -w <PATH_OF_AQUA_ARTIFACT>/<AQUA_ARTIFACT_NAME>.whl
  7. Configure your integration like any other packaged integration.


Metric Collection

  1. Edit the aqua.d/conf.yaml file in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your Aqua metrics. See the sample conf.yaml for all available configuration options.:

     - url:
       api_user: "<API_USERNAME>"
       password: "<API_USER_PASSWORD>"

    Change the api_user and password parameter values and configure them for your environment.

  2. Restart the Agent.

Log Collection

There are two types of logs generated by Aqua:

  • Aqua audit logs
  • Aqua enforcer logs

To collect Aqua audit logs:

  1. Connect to your Aqua account
  2. Go to the Log Management Section of the Integration Page
  3. Activate the Webhook integration
  4. Enable it and add the following endpoint:<DATADOG_API_KEY>?ddsource=aqua

    • Replace <DATADOG_API_KEY> by your Datadog Api Key.
    • Note: For the EU region, replace .com by .eu in the endpoint.

    For the Aqua Enforcer logs: Available for Agent >6.0

  5. Collecting logs is disabled by default in the Datadog Agent. Enable it in your daemonset configuration:

     # (...)
       # (...)
       - name: DD_LOGS_ENABLED
           value: "true"
           value: "true"
     # (...)

    Make sure that the Docker socket is mounted to the Datadog Agent as done in this manifest.

  6. Restart the Agent.


Run the Agent’s status subcommand and look for aqua under the Checks section.

Data Collected


The number of images seen by Aqua
Shown as unit
The number and categories of vulnerabilities detected by Aqua
Shown as occurrence
The number of running containers seen by Aqua
Shown as container
The number of audit events per category
Shown as event
The number of scan queues per type
Shown as occurrence
The number of host enforcers per status
Shown as host

Service Checks


Returns CRITICAL if the Agent cannot connect to Aqua to collect metrics. Returns OK otherwise.


Aqua does not include any events.


Need help? Contact Datadog support.