Code security vulnerability detection is in beta. To use it for your service, follow the Setup instructions.

Overview

Datadog code security vulnerability detection scans for code vulnerabilities in your ASM-enabled services, as seen below in the Vulnerability Explorer, sorted by the affected service and code.

Software Composition Analysis (SCA) explorer page showing code security vulnerabilities.

Enabling code security vulnerability detection

To enable the code security vulnerability detection capability, set the DD_IAST_ENABLED environment variable to true in your application configuration, and restart your service.

Datadog is able to indicate the filename and line number where the vulnerability is located, without scanning the source code.

The available code security vulnerability types include the following:

  • Weak Cipher
  • Weak Hash
  • SQL injection
  • Path traversal
  • LDAP injection
  • Command Injection
  • Server Side Request Forgery (SSRF)
  • Insecure Cookie
  • Cookie without HttpOnly Flag
  • Cookie without SameSite Flag
  • Unvalidated Redirect

Disabling code security vulnerability detection

To disable the code security vulnerability detection capability, remove the DD_IAST_ENABLED=true environment variable from your application configuration, and restart your service.
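Both the enable and disable steps above only take effect after a restart, because a process keeps the environment it was started with. The script below is an added example, not Datadog code: it reads the environment of a running service process to confirm which state is live. It assumes Linux (`/proc/<pid>/environ`), and the names `iast_state` and `check_pid` are hypothetical.

```shell
#!/bin/sh
# Added example (not Datadog code). Assumes Linux: /proc/<pid>/environ is the
# NUL-separated environment the process was STARTED with, so a variable that
# was added to or removed from the configuration later does not show up here
# until the service has been restarted.

# iast_state FILE
# Prints "enabled", "unset" or "other:<value>" for DD_IAST_ENABLED in a
# NUL-separated environ file. Returns 0 only for "enabled".
iast_state() {
    # Turn NUL separators into newlines and keep the first matching entry.
    entry=$(tr '\000' '\n' < "$1" | grep '^DD_IAST_ENABLED=' | head -n 1)
    if [ -z "$entry" ]; then
        echo "unset"
        return 1
    fi
    value=${entry#DD_IAST_ENABLED=}
    # Assumption: only the value the page documents ("true") counts as enabled.
    if [ "$value" = "true" ]; then
        echo "enabled"
        return 0
    fi
    echo "other:$value"
    return 1
}

# check_pid PID
# Reports the live state for one running service process.
check_pid() {
    environ="/proc/$1/environ"
    if [ ! -r "$environ" ]; then
        echo "pid $1: cannot read $environ (run as the service user or root)" >&2
        return 2
    fi
    state=$(iast_state "$environ") || :
    echo "pid $1: DD_IAST_ENABLED is $state"
    [ "$state" = "enabled" ]
}

# Usage: sh check_iast.sh <pid-of-service>
if [ "$#" -gt 0 ]; then
    check_pid "$1"
fi
```

A result of "unset" right after enabling, or "enabled" right after disabling, means the process has not been restarted since the configuration change.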

If you need additional help, contact Datadog support.
