Overview

Datadog Code Security identifies code-level vulnerabilities in your services and provides actionable insights and recommended fixes.

For a list of supported services, see the Library Compatibility Requirements.

Code Security uses an Interactive Application Security Testing (IAST) approach to find vulnerabilities within your application code. IAST uses instrumentation embedded in your code like application performance monitoring (APM).

Code Security also monitors your code’s interactions with other components of your stack, such as libraries and infrastructure.

IAST enables Datadog to identify vulnerabilities using legitimate application traffic instead of relying on external tests that could require extra configuration or periodic scheduling.

Code Security’s runtime application monitoring provides an up-to-date view of your attack surface that enables you to quickly identify potential issues.

Code-level vulnerabilities list

The Code Security detection rules support the following languages.

SeverityDetection RuleJava.NETNode.jsPython
CriticalNoSQL InjectionFALSETRUETRUEFALSE
CriticalSQL InjectionTRUETRUETRUETRUE
CriticalServer-Side Request Forgery (SSRF)TRUETRUETRUETRUE
CriticalCode InjectionFALSEFALSETRUEFALSE
CriticalCommand InjectionTRUETRUETRUETRUE
HighLDAP InjectionTRUETRUETRUEFALSE
HighHardcoded SecretsTRUETRUETRUEFALSE
HighHardcoded PasswordsFALSEFALSETRUEFALSE
HighPath TraversalTRUETRUETRUETRUE
HighTrust Boundary ViolationTRUETRUEFALSEFALSE
HighCross-Site Scripting (XSS)TRUETRUEFALSEFALSE
HighUntrusted DeserializationTRUEFALSEFALSEFALSE
HighUnvalidated RedirectTRUETRUETRUEFALSE
HighXPath InjectionTRUETRUEFALSEFALSE
HighHeader InjectionTRUETRUETRUETRUE
HighDirectory Listing LeakTRUEFALSEFALSEFALSE
HighDefault HTML Escape InvalidTRUEFALSEFALSEFALSE
HighVerb TamperingTRUEFALSEFALSEFALSE
MediumNo SameSite CookieTRUETRUETRUETRUE
MediumInsecure CookieTRUETRUETRUETRUE
MediumNo HttpOnly CookieTRUETRUETRUETRUE
MediumWeak HashingTRUETRUETRUETRUE
MediumWeak CipherTRUETRUETRUETRUE
MediumStacktrace LeakTRUETRUEFALSEFALSE
MediumReflection InjectionTRUETRUEFALSEFALSE
MediumInsecure Authentication ProtocolTRUETRUEFALSEFALSE
MediumHardcoded KeyFALSETRUEFALSEFALSE
MediumInsecure JSP LayoutTRUEFALSEFALSEFALSE
LowHSTS Header MissingTRUETRUETRUEFALSE
LowX-Content-Type-Options Header MissingTRUETRUETRUEFALSE
LowWeak RandomnessTRUETRUETRUETRUE
LowAdmin Console ActiveTRUEFALSEFALSEFALSE
LowSession TimeoutTRUEFALSEFALSEFALSE
LowSession RewritingTRUEFALSEFALSEFALSE

Explore and manage code vulnerabilities

The Vulnerability Explorer uses real-time threat data to help you understand vulnerabilities endangering your system. Vulnerabilities are ordered by severity.

Code Security in the Vulnerability Explorer

To triage vulnerabilities, each vulnerability contains a brief description of the issue, including:

  • Impacted services.
  • Vulnerability type.
  • First detection.
  • The exact file and line number where the vulnerability was found.
Code Security vulnerability details

Each vulnerability detail includes a risk score (see screenshot below) and a severity rating: critical, high, medium, or low.

The risk score is tailored to the specific runtime context, including factors such as where the vulnerability is deployed and whether the service is targeted by active attacks.

Code Security vulnerability prioritization

Remediation

Datadog Code Security automatically provides the information teams need to identify where a vulnerability is in an application, from the affected filename down to the exact method and line number.

Code Security vulnerability remediation

When the GitHub integration is enabled, Code Security shows the first impacted version of a service, the commit that introduced the vulnerability, and a snippet of the vulnerable code. This information gives teams insight into where and when a vulnerability occurred and helps to prioritize their work.

Code vulnerability snippet

Detailed remediation steps are provided for each detected vulnerability.

Remediation recommendations

Recommendations enable you to change the status of a vulnerability, assign it to a team member for review, and create a Jira issue for tracking.

creating a Jira ticket from a vulnerability

Note: To create Jira issues for vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.

Enabling Code Security

To enable Code Security configure the Datadog Tracing Library. Detailed instructions for both methods can be found in the Security > Application Security > Settings section.

If you need additional help, contact Datadog support.

Further Reading