Infrastructure as Code (IaC) Security
Datadog Infrastructure as Code (IaC) Security detects misconfigurations in Terraform and Kubernetes configurations before they’re deployed. It flags issues such as missing encryption or overly permissive access in files stored in your connected GitHub, GitLab, or Azure DevOps repositories. Supported file types include standalone Terraform files, local modules, and Kubernetes manifests.
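To make the two finding types named above concrete, here is an added example (not Datadog's code or its rule set) of a Terraform file written the way the scanner would flag it, beside the corrected form. The resource types are the Terraform AWS provider's; the bucket names and the private CIDR range are constructed placeholders.

```hcl
# Weak: missing encryption (no server-side encryption on the bucket).
resource "aws_s3_bucket" "weak" {
  bucket = "example-weak-bucket" # constructed name
}

# Weak: overly permissive access (SSH reachable from any address).
resource "aws_security_group" "weak" {
  name = "weak-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Fixed: same bucket with default encryption at rest and public access blocked.
resource "aws_s3_bucket" "fixed" {
  bucket = "example-fixed-bucket" # constructed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "fixed" {
  bucket = aws_s3_bucket.fixed.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "fixed" {
  bucket                  = aws_s3_bucket.fixed.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Fixed: SSH limited to a private range (constructed placeholder CIDR).
resource "aws_security_group" "fixed" {
  name = "restricted-ssh"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
```

Committing the "weak" resources to a connected repository is what produces a finding linked to that file path; the "fixed" resources are the shape a suggested remediation steers you toward.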
How it works
IaC Security integrates with your repositories to continuously scan for misconfigurations. It analyzes every commit across all branches and performs a full daily scan of each configured repository. When violations are detected, findings are surfaced and linked to the relevant repository, branch, and file path. This helps you identify, prioritize, and fix misconfigurations directly at the source.
Key capabilities
Review and fix violations in pull requests
When a pull request includes infrastructure-as-code changes, Datadog adds inline comments to flag any violations. Where applicable, it also suggests code fixes that can be applied directly in the pull request. You can also open a new pull request from Datadog to remediate a finding. For more information, see Pull Request Comments.
View and filter findings
After setting up IaC Security, each commit to a scanned repository triggers a scan. Findings are summarized on the Code Security Vulnerabilities page and grouped per repository on the Code Security Repositories page.
Use filters to narrow results by:
- Severity
- Status (open, muted, fixed)
- Resource type
- Cloud provider
- File path
- Team
- Repository
Click any finding to open a side panel that shows:
- Details: A description and the relevant code that triggered the finding. (To view code snippets, install the GitHub App.)
- Remediation: If available, suggested code fixes are provided for findings that support remediation.
Create Jira tickets from findings
You can create a bidirectional Jira ticket directly from any finding to track and remediate issues in your existing workflows. Ticket status remains synced between Datadog and Jira. For more information, see Bidirectional ticket syncing with Jira.
Mute findings
To suppress a finding, click Mute in the finding details panel. This opens a workflow where you can create a Muting Rule for context-aware filtering by tag values (for example, by service or environment). Muting a finding hides it and excludes it from reports.
To restore a muted finding, click Unmute in the details panel. You can also use the Status filter on the Code Security Vulnerabilities page to review muted findings.
Exclude specific rules, files, or resources
You can configure exclusions to prevent certain findings from appearing in scan results. Exclusions can be based on rule ID, file path, resource type, severity, or tag.
Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see Configure IaC Security Exclusions.
Next steps
- Set up IaC Security in your environment.
- Configure scanning exclusions to reduce false positives or ignore expected results.
- Review and triage findings on the Code Security Vulnerabilities page.