Datadog Software Composition Analysis (SCA) continuously monitors your production environment for vulnerabilities in the open source libraries your applications depend on. It lets you identify vulnerable libraries and prioritize their remediation by business impact.
This guide walks you through best practices for getting your team up and running with SCA.
First, see the Library Compatibility requirements page to verify that the Datadog tracing library used by your application or service supports Software Composition Analysis (SCA) for that application's or service's programming language.
In Datadog, go to Application Security > Settings > Quick Start Guide.
Expand Enable Vulnerability Detection, select Open source vulnerabilities, and click Start Activation. A list of services appears.
Select the service(s) you want to monitor for vulnerabilities, then click Next. The number of selected services and their names are listed.
Click Enable for Selected Service(s) to complete the activation of Software Composition Analysis (SCA) for the chosen service(s).
Optionally, you can select specific GitHub repositories to enable SCA by clicking the toggle for each repository.
Identify Vulnerabilities: Navigate to Vulnerabilities. Filter the list by Status, Vulnerability Source, and Severity. Each vulnerability has its own status to help prioritize and manage findings:
Status | Description |
---|---|
Open | The vulnerability has been detected by Datadog. |
In Progress | A user has marked the vulnerability as In Progress, but Datadog still detects it. |
Muted | A user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it. |
Remediated | A user has marked the vulnerability as resolved, but Datadog still sees the vulnerability. |
Auto-Closed | The vulnerability is no longer detected by Datadog. |
Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.
View additional details by clicking on the vulnerability. This opens a panel which includes information about:
Which services are affected.
The date on which the vulnerability was last detected.
A description of the vulnerability.
Recommended remediation steps.
Vulnerability score.
Note: The severity of a vulnerability within SCA is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.
The adjusted vulnerability score takes the full context of each service into account. Base CVSS scores map to qualitative severities as follows:
CVSS Score | Qualitative Rating |
---|---|
0.0 | None |
0.1 – 3.9 | Low |
4.0 – 6.9 | Medium |
7.0 – 8.9 | High |
9.0 – 10.0 | Critical |
Optionally, download the library inventory (list of libraries and versions in CycloneDX format) for your service. While viewing the details of a vulnerability, click View in Service Catalog. From here you can navigate to the Security view of your service, and download the library inventory under the libraries tab.
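The following script is an added example, not Datadog's code or its scoring implementation: it shows what an SCA pass over a downloaded CycloneDX inventory does, and how the severity table above and the context adjustment described earlier combine when ranking findings. The SBOM, the advisory list (placeholder IDs EXAMPLE-000x, illustrative version ranges and scores that describe no real vulnerability in these packages), and the one-level-up/one-level-down context rule are all constructed assumptions for this example.

```python
"""Check a CycloneDX library inventory against a list of advisories and rate
the findings with the CVSS qualitative scale from the severity table."""
import json

# Constructed CycloneDX 1.5 inventory (not a real service's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "jackson-databind", "version": "2.9.8",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "lodash", "version": "4.17.10",
     "purl": "pkg:npm/lodash@4.17.10"}
  ]
}"""

# Constructed advisories with placeholder IDs; the ranges and scores are
# illustrative and do not describe real vulnerabilities in these packages.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl_prefix": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.0.0", "fixed": "2.9.9", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "purl_prefix": "pkg:npm/lodash",
     "introduced": "0.0.0", "fixed": "4.17.12", "cvss": 7.4},
    {"id": "EXAMPLE-0003", "purl_prefix": "pkg:pypi/requests",
     "introduced": "0.0.0", "fixed": "2.20.0", "cvss": 5.3},
]

LEVELS = ["None", "Low", "Medium", "High", "Critical"]


def cvss_rating(score):
    """Map a CVSS base score to the qualitative rating in the severity table."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def parse_version(text):
    """Turn '2.9.8' (or '4.17.10-beta') into a tuple of ints; non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed; shorter versions are zero-padded first."""
    v, lo, hi = parse_version(version), parse_version(introduced), parse_version(fixed)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def scan(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is in the affected range."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if "@" not in purl:
            continue  # no version in the purl, nothing to compare against
        package, version = purl.rsplit("@", 1)  # '@' inside names is percent-encoded in purls
        for adv in advisories:
            if package == adv["purl_prefix"] and version_in_range(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"], "version": version,
                                 "cvss": adv["cvss"], "rating": cvss_rating(adv["cvss"])})
    return findings


def contextual_rating(base_score, in_production, attacks_observed):
    """Illustrative context adjustment (an assumption for this example, not Datadog's formula):
    drop one level when the service is not in production, raise one when attacks are observed."""
    idx = LEVELS.index(cvss_rating(base_score))
    if not in_production and idx > 1:
        idx -= 1
    if attacks_observed and idx < len(LEVELS) - 1:
        idx += 1
    return LEVELS[idx]


def prioritize(findings, in_production, attacks_observed):
    """Attach the adjusted rating to each finding and order them from most to least urgent."""
    for f in findings:
        f["adjusted"] = contextual_rating(f["cvss"], in_production, attacks_observed)
    return sorted(findings, key=lambda f: LEVELS.index(f["adjusted"]), reverse=True)


if __name__ == "__main__":
    for f in prioritize(scan(SBOM_JSON, ADVISORIES), in_production=False, attacks_observed=False):
        print(f"{f['adjusted']:8} {f['id']}  {f['component']}@{f['version']} (base {f['rating']})")
```

Matching is done on the purl up to the version separator rather than on the display name, because the same library name can exist in several ecosystems; the half-open range check (fixed version excluded) is the convention most advisory feeds use, so a component already on the fixed version is not reported.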
Prioritize Response and Remediate: While on the Vulnerability Explorer, take action on a finding: change its status, add an assignee, or create a Jira issue. Creating Jira issues requires the Jira integration and the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.
Note: Adding an assignee to the vulnerability does not generate a notification regarding the assignment. This action only lists their name as an annotation of the vulnerability.
For information on disabling Software Composition Analysis, see Disabling Software Composition Analysis.
Additional helpful documentation, links, and articles: