Infrastructure as Code (IaC) Security

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Datadog Infrastructure as Code (IaC) Security detects misconfigurations in Terraform code before deployment. It flags issues such as missing encryption or overly permissive access in files stored in your connected GitHub repositories. Supported file types include standalone Terraform files and local modules.

IaC misconfiguration side panel showing details for the high severity IMDSv1 Enabled issue, including a security summary, code snippet, detection timestamps, and remediation steps.

How it works

IaC Security integrates with your GitHub repositories to continuously scan for misconfigurations. It analyzes every commit across all branches and performs a daily full scan of each configured repository. Findings surface when violations are detected and are associated with the relevant repository, branch, and file path. This allows you to identify, prioritize, and fix misconfigurations directly at the source.

Key capabilities

Review and fix violations in pull requests

When a GitHub pull request includes infrastructure-as-code changes, Datadog adds inline comments to flag any violations. Where applicable, it also suggests code fixes that can be applied directly in the pull request. You can also open a new pull request from Datadog to remediate a finding. For more information, see GitHub Pull Requests.

View and filter findings

After setting up IaC Security, each commit to a scanned repository triggers a scan. Findings are summarized on the Code Security Vulnerabilities page and grouped per repository on the Code Security Repositories page.

Use filters to narrow results by:

  • Severity
  • Status (open, muted, fixed)
  • Resource type
  • Cloud provider
  • File path
  • Team
  • Repository

Click any finding to open a side panel that shows:

  • Details: A description and the relevant code that triggered the finding. (To view code snippets, install the GitHub App.)
  • Remediation: If available, suggested code fixes are provided for findings that support remediation.

Create Jira tickets from findings

You can create a bidirectional Jira ticket directly from any finding to track and remediate issues in your existing workflows. Ticket status remains synced between Datadog and Jira. For more information, see Bidirectional ticket syncing with Jira.

Mute findings

To suppress a finding, click Mute in the finding details panel. This opens a workflow where you can create a Muting Rule for context-aware filtering by tag values (for example, by service or environment). Muting a finding hides it and excludes it from reports.

To restore a muted finding, click Unmute in the details panel. You can also use the Status filter on the Code Security Vulnerabilities page to review muted findings.

Exclude specific rules, files, or resources

You can configure exclusions to prevent certain findings from appearing in scan results. Exclusions can be based on rule ID, file path, resource type, severity, or tag.

Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see Configure IaC Security Exclusions.

Next steps

  1. Set up IaC Security in your environment.
  2. Configure scanning exclusions to reduce false positives or ignore expected results.
  3. Review and triage findings on the Code Security Vulnerabilities page.

Further reading

추가 유용한 문서, 링크 및 기사:

Prevent cloud misconfigurations from reaching production with Datadog IaC SecurityBLOG more more Set up IaC SecurityDOCUMENTATION more more Configure IaC Security ExclusionsDOCUMENTATION more more IaC Security RulesDOCUMENTATION more more