--- title: Agentless Scanning Compatibility description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Cloud Security > Setting up Cloud Security > Cloud Security Agentless Scanning > Agentless Scanning Compatibility --- # Agentless Scanning Compatibility {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Availability{% #availability %} Agentless Scanning is supported on AWS, Azure, and GCP. The following table provides a summary of Agentless Scanning technologies in relation to their corresponding components for each supported cloud provider: | Component | AWS | Azure | GCP | | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Operating System | Linux; Windows Server 2016 or later; Windows 10 or later | Linux; Windows Server 2016 or later; Windows 10 or later | Linux; Windows Server 2016 or later; Windows 10 or later | | Host File System | Btrfs, Ext2, Ext3, Ext4, xfs, NTFS | Btrfs, Ext2, Ext3, Ext4, xfs, NTFS | Btrfs, Ext2, Ext3, Ext4, xfs, NTFS | | Package Manager | Deb (debian, ubuntu)RPM (amazon-linux, fedora, redhat, centos)APK (alpine) | Deb (debian, ubuntu)RPM (fedora, redhat, centos)APK (alpine) | Deb (debian, ubuntu)RPM (fedora, redhat, centos)APK (alpine) | | Encryption | AWSUnencryptedEncrypted - Platform Managed Key (PMK) and Customer Managed Key (CMK) | Encrypted - Platform Managed Key (PMK): Azure Disk Storage Server-Side Encryption, Encryption at host**Note**: Encrypted - Customer Managed Key (CMK) is **not** supported | Encrypted - Platform Managed Key (PMK): Persistent Disk Encryption, Confidential VM**Note**: Encrypted - Customer Managed Encryption Key (CMEK) and Customer-Supplied Encryption Keys (CSEK) are **not** supported | | Container runtime | Docker, containerd**Note**: CRI-O is **not** supported | Docker, containerd**Note**: CRI-O is **not** supported | Docker, containerd**Note**: CRI-O is **not** supported | | Serverless | AWS LambdaAWS Fargate for ECS | Azure Container Apps and Azure Container Instances**Note**: Requires the latest agentless scanner. See [Update Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/update). | Cloud Run (container deployment only — not from GitHub repos or inline editors) | | Kubernetes | EKS on EC2 nodes only**Note**: Fargate-backed EKS nodes are **not** supported | AKS on virtual machines and Virtual Machine Scale Sets (VMSS)**Note**: AKS on ACI is **not** supported | GKE Standard only**Note**: GKE Autopilot and image streaming are **not** supported | | Application languages (in hosts and containers) | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | Java, .Net, Python, Node.js, Go, Ruby, Rust, PHP, Swift, Dart, Elixir, Conan, Conda | | Container Registries | Amazon ECR (public and private): scans running container images and the last 1,000 pushed images at rest | ACR: scans running container images only**Note:** To request at-rest registry scanning, contact [Datadog Support](https://docs.datadoghq.com/help) | Google Artifact Registry: scans images from running workloads only**Note:** To request at-rest registry scanning, contact [Datadog Support](https://docs.datadoghq.com/help) | | Host Images | AMI | Not supported | Not supported | | Sensitive Data (SDS) | S3, RDS (private beta) | Not supported | Not supported | **Note**: AMIs must be stored in an account that uses Datadog's AWS integration. Otherwise, Datadog can't read the AMI's underlying Amazon Elastic Block Store (EBS) snapshot, so it can't scan or report on the AMI. ## Linux distributions{% #linux-distributions %} The following Linux distributions are supported for hosts and containers scans: | Operating System | Supported Versions | Package Managers | Security Advisories | | ------------------------ | --------------------------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Alpine Linux | 2.2-2.7, 3.0-3.19 (edge is not supported) | apk | [https://secdb.alpinelinux.org/](https://secdb.alpinelinux.org/) | | Wolfi Linux | N/A | apk | [https://packages.wolfi.dev/os/security.json](https://packages.wolfi.dev/os/security.json) | | Chainguard | N/A | apk | [https://packages.cgr.dev/chainguard/security.json](https://packages.cgr.dev/chainguard/security.json) | | Red Hat Enterprise Linux | 6, 7, 8 | dnf/yum/rpm | [https://www.redhat.com/security/data/metrics/](https://www.redhat.com/security/data/metrics/) and [https://www.redhat.com/security/data/oval/v2/](https://www.redhat.com/security/data/oval/v2/) | | CentOS | 6, 7, 8 | dnf/yum/rpm | [https://www.redhat.com/security/data/metrics/](https://www.redhat.com/security/data/metrics/) and [https://www.redhat.com/security/data/oval/v2/](https://www.redhat.com/security/data/oval/v2/) | | AlmaLinux | 8, 9 | dnf/yum/rpm | [https://errata.almalinux.org/](https://errata.almalinux.org/) | | Rocky Linux | 8, 9 | dnf/yum/rpm | [https://download.rockylinux.org/pub/rocky/](https://download.rockylinux.org/pub/rocky/) | | Oracle Linux | 5, 6, 7, 8 | dnf/yum/rpm | [https://linux.oracle.com/security/oval/](https://linux.oracle.com/security/oval/) | | CBL-Mariner | 1.0, 2.0 | dnf/yum/rpm | [https://github.com/microsoft/CBL-MarinerVulnerabilityData/](https://github.com/microsoft/CBL-MarinerVulnerabilityData/) | | Amazon Linux | 1, 2, 2023 | dnf/yum/rpm | [https://alas.aws.amazon.com/](https://alas.aws.amazon.com/) | | openSUSE Leap | 42, 15 | zypper/rpm | [http://ftp.suse.com/pub/projects/security/cvrf/](http://ftp.suse.com/pub/projects/security/cvrf/) | | SUSE Linux Enterprise | 11, 12, 15 | zypper/rpm | [http://ftp.suse.com/pub/projects/security/cvrf/](http://ftp.suse.com/pub/projects/security/cvrf/) | | Photon OS | 1.0, 2.0, 3.0, 4.0 | tdnf/yum/rpm | [https://packages.vmware.com/photon/photon_cve_metadata/](https://packages.vmware.com/photon/photon_cve_metadata/) | | Debian GNU/Linux | 7, 8, 9, 10, 11, 12 (unstable/sid is not supported) | apt/dpkg | [https://security-tracker.debian.org/tracker/](https://security-tracker.debian.org/tracker/) and [https://www.debian.org/security/oval/](https://www.debian.org/security/oval/) | | Ubuntu | All versions supported by Canonical | apt/dpkg | [https://ubuntu.com/security/cve](https://ubuntu.com/security/cve) | ## Application libraries{% #application-libraries %} The following application languages and libraries are supported for vulnerability scans on container images, Lambda functions, and containers running in hosts: | Language | Supported Package Manager | Supported Files | | -------- | ------------------------- | -------------------------------------------------------------------- | | Ruby | bundler | Gemfile.lock, gemspec | | .NET | nuget | packages.lock.json, packages.config, .deps.json, *packages.props | | Go | mod | Binaries built by Go, go.mod | | Java | Gradle, Maven | pom.xml, *gradle.lockfile, JAR/WAR/PAR/EAR (with pom.properties) | | Node.js | npm, pnpm, yarn | package-lock.json, yarn.lock, pnpm-lock.yaml, package.json | | PHP | composer | composer.lock | | Python | pip, poetry | pipfile.lock, poetry.lock, egg package, wheel package, conda package | ## Container image registries{% #container-image-registries %} The following container image registries are supported for container image scans: | Registry | Support level | Notes | | ------------------------------- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Amazon ECR (public and private) | GA | Scans running container images **and** the last 1,000 pushed images at rest (by date). This is the only registry with at-rest scanning support | | Google Artifact Registry (GAR) | GA | Scans images tied to running workloads (Cloud Run, GKE) only**Note**: To request at-rest registry scanning, contact [Datadog Support](https://docs.datadoghq.com/help) | | Azure Container Registry (ACR) | GA | Scans running container images from Azure Container Apps and Azure Container Instances only**Note**: To request at-rest registry scanning, contact [Datadog Support](https://docs.datadoghq.com/help) | **Note**: Container image scanning from registry is only supported if you have installed Agentless with: - CloudFormation Integrations >= v2.0.8 - Terraform Agentless Module >= v0.11.7 ## Container runtimes{% #container-runtimes %} The following container runtimes are supported: - containerd: v1.5.6 or later - Docker **Note for container observations**: Agentless Scanning requires uncompressed container image layers. As a workaround, you can set the configuration option `discard_unpacked_layers=false` in the containerd configuration file.