You can use Datadog Software Composition Analysis (SCA) to monitor the open source libraries in your apps.

SCA is configured by setting the flag or the DD_APPSEC_SCA_ENABLED environment variable to true in supported languages:

  • Java
  • .NET
  • Go
  • Ruby
  • PHP
  • Node.js
  • Python

This topic explains how to set up SCA using a Java example.

Example: enabling Software Composition Analysis in Java

  1. Update your Datadog Java library to at least version 0.94.0 (at least version 1.1.4 for Software Composition Analysis detection features):

    wget -O dd-java-agent.jar ''
    curl -Lo dd-java-agent.jar ''
    ADD '' dd-java-agent.jar
    To check that your service’s language and framework versions are supported for ASM capabilities, see Compatibility.

  2. Run your Java application with SCA enabled. From the command line:

    java -javaagent:/path/to/dd-java-agent.jar -Ddd.service=<MY SERVICE> -Ddd.env=<MY_ENV> -jar path/to/app.jar

    Or one of the following methods, depending on where your application runs:

    Note: Read-only file systems are not supported at this time. The application must have access to a writable /tmp directory.

    Update your configuration container for APM by adding the following argument in your docker run command:

    docker run [...] -e DD_APPSEC_SCA_ENABLED=true [...]

    Add the following environment variable value to your container Dockerfile:


    Update your deployment configuration file for APM and add the SCA environment variable:

            - name: <CONTAINER_NAME>
              image: <CONTAINER_IMAGE>/<TAG>
                - name: DD_APPSEC_SCA_ENABLED
                  value: "true"

    Update your ECS task definition JSON file, by adding this in the environment section:

    "environment": [
        "name": "DD_APPSEC_SCA_ENABLED",
        "value": "true"

    Set the flag or the DD_APPSEC_SCA_ENABLED environment variable to true in your service invocation:

    java -javaagent:dd-java-agent.jar \ \
         -jar <YOUR_SERVICE>.jar \