Use the following instructions to enable container image metadata collection and Software Bill of Materials (SBOM) collection in the Datadog Agent for CSM Vulnerabilities. This allows you to scan the libraries in container images to detect vulnerabilities. Vulnerabilities are evaluated and scanned against your containers every hour.

To learn more about the supported deployment types for each CSM feature, see Setting Up Cloud Security Management.

  1. If you deploy the Agent with the Datadog Operator, add the following to the spec section of the datadog-agent.yaml file:

    apiVersion: datadoghq.com/v2alpha1
    kind: DatadogAgent
    metadata:
      name: datadog
    spec:
      features:
        # ...
        sbom:
          enabled: true
          # Image collection is enabled by default with Datadog Operator version `>= 1.3.0`.
          containerImage:
            enabled: true
    
  2. Apply the changes and restart the Agent.

  1. If you deploy the Agent with the Datadog Helm chart, add the following to the datadog section of the datadog-values.yaml file:

    datadog:
      # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`.
      containerImageCollection:
        enabled: true
      sbom:
        containerImage:
          enabled: true
          # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes Service (EKS)
          # uncompressedLayersSupport: true
    
  2. Restart the Agent.