Code security vulnerability detection is in beta. To use it for your service, follow the
Setup instructions.Overview
Datadog code security vulnerability detection scans for code vulnerabilities in your ASM enabled services, as seen below in the Vulnerability Explorer, sorted by the affected service and code.
Enabling code security vulnerability detection
To enable code security vulnerability detection capability, set the DD_IAST_ENABLED environment variable to true in your application configuration, and restart your service.
Datadog is able to indicate the filename and line number where the vulnerability is located, without scanning the source code.
The available code security vulnerability types include the following:
- Admin console active
- Command Injection
- Default HTML escape invalid
- Directory listing leak
- Hardcoded Password
- Hardcoded secrets
- Header injection
- HSTS header missing
- Insecure auth protocol
- Insecure Cookie
- Insecure JSP layout
- LDAP injection
- MongoDB injection
- Cookie without HttpOnly flag
- Cookie without SameSite flag
- Path traversal
- Reflection injection
- Server Side Request Forgery (SSRF)
- Session timeout
- Session rewriting
- SQL injection
- Stack trace leak
- Trust boundary violation
- Unvalidated Redirect
- Verb tampering
- Weak cipher
- Weak hash
- Weak randomness
- X-Content-Type-Options header missing
- X-XSS-Protection header disabled
- XPath injection
- XSS
Disabling code security vulnerability detection
To disable code security vulnerability detection capability, remove the DD_IAST_ENABLED=true environment variable from your application configuration, and restart your service.
If you need additional help, contact Datadog support.
Further Reading
Additional helpful documentation, links, and articles:
