Use the following instructions to enable container image metadata collection and Software Bill of Materials (SBOM) collection in the Datadog Agent for CSM Vulnerabilities. This allows you to scan the libraries in container images to detect vulnerabilities. Vulnerabilities are evaluated and scanned against your containers every hour.

To learn more about the supported deployment types for each CSM feature, see Setting Up Cloud Security Management.

  1. Add the following environment variables to your datadog-agent container definition:

    {
        "containerDefinitions": [
            {
                "name": "datadog-agent",
                ...
                "environment": [
                  ...
                  {
                    "name": "DD_CONTAINER_IMAGE_ENABLED",
                    "value": "true"
                  },
                  {
                    "name": "DD_SBOM_ENABLED",
                    "value": "true"
                  },
                  {
                    "name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
                    "value": "true"
                  }
                ]
            }
        ]
        ...
    }
    
  2. If the Agent fails to extract the SBOM from the container image, increase the Agent memory in the container definition:

    {
        "containerDefinitions": [
            {
                "name": "datadog-agent",
                "memory": 256,
                ...
            }
        ]
        ...
    }
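
Before registering the task definition, you can check that the `datadog-agent` container carries all three variables from step 1 and see its `memory` setting from step 2. The script below is an added example, not Datadog's own tooling; the function name `check_agent_container` and the sample task definition are constructed for illustration.

```python
import json

# Variables this page says to set on the datadog-agent container.
REQUIRED_ENV = (
    "DD_CONTAINER_IMAGE_ENABLED",
    "DD_SBOM_ENABLED",
    "DD_SBOM_CONTAINER_IMAGE_ENABLED",
)


def check_agent_container(task_def, container_name="datadog-agent"):
    """Return (problems, memory) for the Agent container in a task definition."""
    containers = [
        c for c in task_def.get("containerDefinitions", [])
        if c.get("name") == container_name
    ]
    if not containers:
        return [f"no container named {container_name!r}"], None
    agent = containers[0]
    env = {e.get("name"): e.get("value") for e in agent.get("environment", [])}
    problems = []
    for name in REQUIRED_ENV:
        if name not in env:
            problems.append(f"{name} is missing")
        elif str(env[name]).strip().lower() != "true":
            problems.append(f"{name} is {env[name]!r}, expected 'true'")
    return problems, agent.get("memory")


# Constructed sample: one variable missing, one set to the wrong value.
SAMPLE = json.loads("""
{
  "family": "example-task",
  "containerDefinitions": [
    {"name": "app", "image": "example/app:1.0", "memory": 512},
    {"name": "datadog-agent", "image": "example/agent:latest", "memory": 256,
     "environment": [
       {"name": "DD_CONTAINER_IMAGE_ENABLED", "value": "true"},
       {"name": "DD_SBOM_ENABLED", "value": "false"}
     ]}
  ]
}
""")

if __name__ == "__main__":
    problems, memory = check_agent_container(SAMPLE)
    print(f"datadog-agent memory: {memory}")
    for p in problems:
        print("FAIL:", p)
```

To check a real file, load it with `json.load` and pass the resulting dictionary to `check_agent_container`; an empty problem list means all three variables are set to `true`.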