Code Security is in beta. To use it for your service, follow the steps described in Enabling Code Security.

Overview

Datadog Code Security identifies code-level vulnerabilities in your services and provides actionable insights and recommended fixes.

For a list of supported services, see Library Compatibility Requirements.

Code Security uses an Interactive Application Security Testing (IAST) approach to find vulnerabilities within your application code. Like application performance monitoring (APM), IAST relies on instrumentation embedded in the running application rather than on an external scanner.

Code Security also monitors your code’s interactions with other components of your stack, such as libraries and infrastructure.

Because the instrumentation observes data as it flows through the application, IAST lets Datadog identify vulnerabilities from legitimate application traffic, instead of relying on external tests that require extra configuration, attack payloads, or periodic scheduling.

Code Security’s runtime application monitoring provides an up-to-date view of your attack surface that enables you to quickly identify potential issues.
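The paragraphs above describe the mechanism in the abstract. The following toy model, added here as an illustration and not Datadog's agent or its rule engine, shows the three pieces an IAST agent instruments: a source (request parameters), propagators (string operations that carry the taint mark along), and a sink (SQL execution). The same benign request, id=42, is served by three versions of a handler; only the one that concatenates the parameter into the SQL text produces a finding. The class names, the source label format "http.request.parameter.<name>", and the rule name string are assumptions made for this example.

```python
"""Toy model of IAST-style taint tracking (added illustration; not Datadog's code).

A vulnerability is reported when a sink receives a value that still carries a
taint mark. The request used below is entirely benign (id=42): the finding
comes from the data flow, not from an attack payload, which is why this style
of analysis can run on ordinary production traffic.
"""
import sqlite3
from dataclasses import dataclass


class Tainted(str):
    """A str that remembers which untrusted source it came from.

    Only the operations overridden here propagate taint. Anything that builds
    a fresh str another way (int(), f-strings, str.format in this toy) drops
    the mark; a real agent instruments those paths as well.
    """

    def __new__(cls, value, source):
        obj = super().__new__(cls, value)
        obj.source = source  # hypothetical label, e.g. "http.request.parameter.id"
        return obj

    # Propagators: concatenation on either side and strip() keep the taint.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars), self.source)


@dataclass
class Finding:
    rule: str
    sink: str
    source: str
    evidence: str


def taint_request(params):
    """Source instrumentation: mark every query parameter as untrusted."""
    return {k: Tainted(v, f"http.request.parameter.{k}") for k, v in params.items()}


class InstrumentedCursor:
    """Sink instrumentation: wraps sqlite3 execute() with the taint check."""

    def __init__(self, cursor, findings):
        self._cursor = cursor
        self._findings = findings

    def execute(self, sql, params=()):
        # Only the SQL *text* matters: tainted data passed as a bound
        # parameter never reaches the SQL parser, so it is not reported.
        if isinstance(sql, Tainted):
            self._findings.append(
                Finding("SQL Injection", "sqlite3.Cursor.execute", sql.source, str(sql)))
        return self._cursor.execute(sql, params)


# Three handlers for the same route, as an application developer might write them.
def vulnerable_lookup(cur, request):
    user_id = request["id"].strip()  # still tainted after strip()
    return cur.execute("SELECT name FROM users WHERE id = " + user_id).fetchone()


def cast_lookup(cur, request):
    # int() rejects anything that is not an integer and returns a plain int,
    # so the value that reaches the SQL text no longer carries the mark.
    user_id = int(request["id"])
    return cur.execute("SELECT name FROM users WHERE id = " + str(user_id)).fetchone()


def parameterized_lookup(cur, request):
    # The untrusted value travels as a bound parameter, never into the SQL text.
    return cur.execute("SELECT name FROM users WHERE id = ?", (request["id"],)).fetchone()


def run(handler, params):
    """Serve one request through `handler`; return (row, findings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (42, 'alice')")  # constructed sample data
    findings = []
    cur = InstrumentedCursor(conn.cursor(), findings)
    row = handler(cur, taint_request(params))
    conn.close()
    return row, findings


if __name__ == "__main__":
    for handler in (vulnerable_lookup, cast_lookup, parameterized_lookup):
        row, findings = run(handler, {"id": "42"})
        print(f"{handler.__name__}: row={row} findings={findings}")
```

All three handlers return the same row for the same benign input, and a black-box test that only looked at responses would not distinguish them; the taint mark on the SQL text is what separates the vulnerable version from the other two. The cast and the parameterized query clear the finding for different reasons, which is also the distinction a remediation recommendation for an injection rule draws.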

Code-level vulnerabilities list

The following table lists the Code Security detection rules with their severity and shows which of the supported languages (Java, .NET, Node.js) each rule is available for.

Severity   Detection Rule                            Java   .NET   Node.js
Critical   NoSQL Injection                           no     yes    yes
Critical   SQL Injection                             yes    yes    yes
Critical   Server-Side Request Forgery (SSRF)        yes    yes    yes
Critical   Command Injection                         yes    yes    yes
High       LDAP Injection                            yes    yes    yes
High       Hardcoded Secrets                         yes    yes    yes
High       Hardcoded Passwords                       no     no     yes
High       Path Traversal                            yes    yes    yes
High       Trust Boundary Violation                  yes    yes    no
High       Cross-Site Scripting (XSS)                yes    yes    no
High       Unvalidated Redirect                      yes    yes    yes
High       XPath Injection                           yes    yes    no
High       Header Injection                          yes    yes    yes
High       Directory Listing Leak                    yes    no     no
High       Default HTML Escape Invalid               yes    no     no
High       Verb Tampering                            yes    no     no
Medium     No SameSite Cookie                        yes    yes    yes
Medium     Insecure Cookie                           yes    yes    yes
Medium     No HttpOnly Cookie                        yes    yes    yes
Medium     Weak Hashing                              yes    yes    yes
Medium     Weak Cipher                               yes    yes    yes
Medium     Stacktrace Leak                           yes    yes    no
Medium     Reflection Injection                      yes    yes    no
Medium     Insecure Authentication Protocol          yes    yes    no
Medium     Hardcoded Key                             no     yes    no
Medium     Insecure JSP Layout                       yes    no     no
Low        HSTS Header Missing                       yes    yes    yes
Low        X-Content-Type-Options Header Missing     yes    yes    yes
Low        Weak Randomness                           yes    yes    yes
Low        Admin Console Active                      yes    no     no
Low        Session Timeout                           yes    no     no
Low        Session Rewriting                         yes    no     no

Note: Python support is in private beta. Fill out this form to request access to the beta.

Explore and manage code vulnerabilities

The Vulnerability Explorer uses real-time threat data to help you understand vulnerabilities endangering your system. Vulnerabilities are ordered by severity.

Code Security in the Vulnerability Explorer

To help you triage, each vulnerability includes a brief description of the issue, including:

  • Impacted services.
  • Vulnerability type.
  • First detection.
  • The exact file and line number where the vulnerability was found.

Code Security vulnerability details

Each vulnerability detail includes a risk score (see screenshot below) and a severity rating: critical, high, medium, or low.

The risk score is tailored to the specific runtime context, including factors such as where the vulnerability is deployed and whether the service is targeted by active attacks.

Code Security vulnerability prioritization

Remediation

Datadog Code Security automatically provides the information teams need to identify where a vulnerability is in an application, from the affected filename down to the exact method and line number.

Code Security vulnerability remediation

When the GitHub integration is enabled, Code Security shows the first impacted version of a service, the commit that introduced the vulnerability, and a snippet of the vulnerable code. This information gives teams insight into where and when a vulnerability occurred and helps to prioritize their work.

Code vulnerability snippet

Detailed remediation steps are provided for each detected vulnerability.

Remediation recommendations

From the remediation panel you can also change the status of a vulnerability, assign it to a team member for review, and create a Jira issue to track the fix.

creating a Jira ticket from a vulnerability

Note: To create Jira issues for vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.

Enabling Code Security

To enable Code Security, you can use Single Step Instrumentation or configure the Datadog Tracing Library. Detailed instructions for both methods can be found in the Security > Application Security > Settings section.

If you need additional help, contact Datadog support.

Further Reading