
Overview

Datadog Software Composition Analysis (SCA) helps you leverage open source with confidence. The capabilities of SCA include vulnerability detection, business risk (library inventory and licensing information), and quality evaluation of the open source libraries in your services. The key differentiation factor powering Datadog SCA is the end-to-end coverage of your software development lifecycle: from the code that your developers commit, to the production applications already running in your Datadog deployment.

Check ASM Compatibility to see if your service is supported.

Library Inventory

The Datadog SCA Library Inventory helps you understand the list of libraries, and their versions, that compose your application. To access the Library Explorer, navigate to Security > Application Security > Catalog > Library Explorer.

Since Datadog SCA covers your software development life cycle end-to-end, the libraries are detected throughout the entire lifecycle of the application. The library inventory contains everything you need to know about the libraries, including name and version, and other risk aspects such as licenses and quality aspects.

Software Composition Analysis (SCA) library explorer page showing library vulnerabilities grouped by library.

Explore and manage SCA vulnerabilities

The Vulnerability Explorer shows a complete list of the open source libraries detected by Datadog SCA and reports security vulnerabilities associated with them. Datadog SCA leverages two techniques to analyze your services: static code analysis in your repositories (static point of view), and runtime analysis in your deployed services (runtime point of view). The result of combining both techniques is that the open source libraries are monitored end-to-end from the code commit to the repository (static point of view), to the applications running in production (runtime point of view).

To switch to the code repository commit point of view, click the Static button. The static view shows vulnerabilities from the source code in your repositories. To switch to the real-time point of view of the applications already running, click the Runtime button. The runtime view is the live view of your services being monitored by Datadog.

Software Composition Analysis (SCA) explorer page showing vulnerabilities sorted by static or runtime.

Select a specific vulnerability to see its details, including which services are affected, the severity breakdown score, and recommended remediation steps. On the Details Explorer, you can also view impacted infrastructure to gain better insight into your overall attack exposure.

Within ASM, the severity of a vulnerability is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

The adjusted vulnerability score includes the full context of each service:

  • The original vulnerability severity
  • Evidence of suspicious requests
  • Sensitive or internet-exposed environments

Vulnerability details page showing a modified severity score

See Getting Started with Software Composition Analysis for more information on the adjusted vulnerability score.
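As an added illustration (not Datadog's published algorithm or code), the following Python models the contextual adjustment described above with assumed weights, and ranks constructed sample findings by the result so that a high base score in a non-production service can fall below a medium base score with attack evidence in an internet-exposed production service.

```python
from dataclasses import dataclass

# Illustrative model (an assumption, not Datadog's formula) of how a base
# severity is adjusted by service context: evidence of suspicious requests
# raises the score, sensitive or internet-exposed environments raise it,
# and the absence of a production environment lowers it.

@dataclass(frozen=True)
class Finding:
    service: str
    library: str
    base_score: float          # original vulnerability severity, CVSS-style 0.0-10.0
    suspicious_requests: bool  # evidence of suspicious requests seen at runtime
    internet_exposed: bool     # environment reachable from the internet
    sensitive_env: bool        # business-sensitive environment
    in_production: bool        # detected in a production environment

# Assumed adjustment weights, constructed for this example only.
SUSPICIOUS_REQUESTS_BONUS = 1.5
EXPOSURE_BONUS = 1.0
SENSITIVE_BONUS = 0.5
NON_PRODUCTION_FACTOR = 0.6

def adjusted_score(f: Finding) -> float:
    """Return the context-adjusted severity, clamped to the 0-10 range."""
    score = f.base_score
    if f.suspicious_requests:
        score += SUSPICIOUS_REQUESTS_BONUS
    if f.internet_exposed:
        score += EXPOSURE_BONUS
    if f.sensitive_env:
        score += SENSITIVE_BONUS
    if not f.in_production:
        score *= NON_PRODUCTION_FACTOR
    return round(min(10.0, max(0.0, score)), 1)

def severity_label(score: float) -> str:
    """Map a numeric score to the CVSS v3 qualitative rating scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings so the highest adjusted severity comes first."""
    return sorted(findings, key=adjusted_score, reverse=True)

# Constructed sample findings; service and library names are placeholders.
SAMPLE = [
    Finding("checkout-api", "example-lib 1.2.3", 9.1, False, False, False, False),  # staging only
    Finding("payments", "example-lib 1.2.3", 6.5, True, True, True, True),
    Finding("internal-batch", "other-lib 4.0.0", 7.5, False, False, False, True),
]
```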

Remediation

The Vulnerability Explorer offers remediation recommendations for detected vulnerabilities that enable you to change the status of a vulnerability, assign it to a team member for review, and create a Jira issue for tracking. It also includes a collection of links and references to websites or information sources that help you understand the context behind each vulnerability.

Note: To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.

Application Vulnerability Management vulnerability details page showing affected services, links to infrastructure, suggested remediation, and links to more information.

Configure Code Analysis

Try the Beta!

Code Analysis is in public beta.

Software Composition Analysis contains additional capabilities to allow you to scan for vulnerabilities in your CI pipelines by using Code Analysis. With SCA for Code Analysis, you can identify vulnerable open source libraries that have been imported into your codebase.

To configure vulnerability scanning in your CI pipelines, navigate to Security -> Configuration -> Application Security -> Setup. Click Get Started to enable Software Composition Analysis for static analysis in source code, then select and configure your CI/CD provider.

See Getting Started with Software Composition Analysis for more detailed instructions.

Software Composition Analysis setup page, showing CI setup.

Risk information in APM views

Software Composition Analysis enriches the information APM is already collecting, and flags libraries that match current vulnerability advisories. Potentially vulnerable services are highlighted directly in the Security view embedded in the APM Service Catalog.

Vulnerability information shown in the APM Service Catalog
