Agentless Scanning Compatibility

Docs > Datadog Security > Cloud Security Management > Setting up Cloud Security Management > Cloud Security Management Agentless Scanning > Agentless Scanning Compatibility

Availability

The following table provides a summary of Agentless scanning technologies in relation to their corresponding components for each supported cloud provider:

Component	AWS	Azure
Operating System	Linux	Linux
Host Filesystem	Btrfs, Ext2, Ext3, Ext4, xfs	Btrfs, Ext2, Ext3, Ext4, xfs
Package Manager	Deb (debian, ubuntu) RPM (amazon-linux, fedora, redhat, centos) APK (alpine)	Deb (debian, ubuntu) RPM (fedora, redhat, centos) APK (alpine)
Encryption	AWS Unencrypted Encrypted - Platform Managed Key (PMK) Note: Encrypted - Customer Managed Key (CMK) is not supported	Encrypted - Platform Managed Key (PMK): Azure Disk Storage Server-Side Encryption, Encryption at host Note: Encrypted - Customer Managed Key (CMK) is not supported
Container runtime	Docker, containerd Note: CRI-O is not supported	Docker, containerd Note: CRI-O is not supported
Serverless	AWS Lambda	To request this feature, contact Datadog Support
Application languages (in hosts and containers)	Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda	Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda

Note: AMIs must be stored in an account that uses Datadog’s AWS integration. Otherwise, Datadog can’t read the AMI’s underlying Amazon Elastic Block Store (EBS) snapshot, so it can’t scan or report on the AMI.

Linux distributions

The following Linux distributions are supported for hosts and containers scans:

Operating System	Supported Versions	Package Managers	Security Advisories
Alpine Linux	2.2-2.7, 3.0-3.19 (edge is not supported)	apk	https://secdb.alpinelinux.org/
Wolfi Linux	N/A	apk	https://packages.wolfi.dev/os/security.json
Chainguard	N/A	apk	https://packages.cgr.dev/chainguard/security.json
Red Hat Enterprise Linux	6, 7, 8	dnf/yum/rpm	https://www.redhat.com/security/data/metrics/ and https://www.redhat.com/security/data/oval/v2/
CentOS	6, 7, 8	dnf/yum/rpm	https://www.redhat.com/security/data/metrics/ and https://www.redhat.com/security/data/oval/v2/
AlmaLinux	8, 9	dnf/yum/rpm	https://errata.almalinux.org/
Rocky Linux	8, 9	dnf/yum/rpm	https://download.rockylinux.org/pub/rocky/
Oracle Linux	5, 6, 7, 8	dnf/yum/rpm	https://linux.oracle.com/security/oval/
CBL-Mariner	1.0, 2.0	dnf/yum/rpm	https://github.com/microsoft/CBL-MarinerVulnerabilityData/
Amazon Linux	1, 2, 2023	dnf/yum/rpm	https://alas.aws.amazon.com/
openSUSE Leap	42, 15	zypper/rpm	http://ftp.suse.com/pub/projects/security/cvrf/
SUSE Linux Enterprise	11, 12, 15	zypper/rpm	http://ftp.suse.com/pub/projects/security/cvrf/
Photon OS	1.0, 2.0, 3.0, 4.0	tdnf/yum/rpm	https://packages.vmware.com/photon/photon_cve_metadata/
Debian GNU/Linux	7, 8, 9, 10, 11, 12 (unstable/sid is not supported)	apt/dpkg	https://security-tracker.debian.org/tracker/ and https://www.debian.org/security/oval/
Ubuntu	All versions supported by Canonical	apt/dpkg	https://ubuntu.com/security/cve

Application libraries

The following application languages and libraries are supported for vulnerability scans on containers and Lambda instances:

Language	Supported Package Manager	Supported Files
Ruby	bundler	Gemfile.lock, gemspec
.NET	nuget	packages.lock.json, packages.config, .deps.json, *packages.props
Go	mod	Binaries built by Go, go.mod
Java	Gradle, Maven	pom.xml, *gradle.lockfile, JAR/WAR/PAR/EAR (with pom.properties)
Node.js	npm, pnpm, yarn	package-lock.json, yarn.lock, pnpm-lock.yaml, package.json
PHP	composer	composer.lock
Python	pip, poetry	pipfile.lock, poetry.lock, egg package, wheel package, conda package

Container image registries

The following container image registries are supported for container image scans:

Amazon ECR public
Amazon ECR private

Note: Container image scanning from registry is only supported if you have installed Agentless with:

Cloudformation Integrations >= v2.0.8
Terraform Agentless Module >= v0.11.7

Container runtimes

The following container runtimes are supported:

containerd: v1.5.6 or later
Docker

Note for container observations: Agentless Scanning requires uncompressed container image layers. As a workaround, you can set the configuration option discard_unpacked_layers=false in the containerd configuration file.