---
title: Troubleshooting Agentless Scanning
description: Datadog, the leading service for cloud-scale monitoring.
---

# Troubleshooting Agentless Scanning

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

If you experience issues with Agentless Scanning, use the following troubleshooting guidelines. If you need further assistance, contact [Datadog Support](https://docs.datadoghq.com/help/).

## No results after deployment{% #no-results-after-deployment %}

After deploying Agentless Scanning, results do not appear immediately. First results typically appear within 30 minutes of deployment. In rare cases, such as IAM configuration issues, it can take up to two hours.

If no results appear after two hours:

- Verify that the scanner infrastructure was deployed. In your cloud provider console, check that scanner instances are running.
- Confirm that [Remote Configuration](https://docs.datadoghq.com/remote_configuration) is enabled on the API key you used to set up Agentless Scanning. Scanners receive their scan instructions through Remote Configuration.
- Check that the cloud integration is properly configured. On the [Cloud Security Setup](https://app.datadoghq.com/security/configuration/csm/setup) page, verify that your cloud account appears with Agentless Scanning enabled.

## GCP: Failed to create state bucket (storage.buckets.create 403){% #gcp-failed-to-create-state-bucket-storagebucketscreate-403 %}

If the GCP Cloud Shell setup fails at **"Setting up Terraform state storage"** with an error like:

```
Failed to create state bucket: datadog-agentless-tfstate-<project>
HTTPError 403: ... does not have storage.buckets.create access to the Google Cloud project.
```

the identity running the script does not have permission to create or manage GCS buckets in the scanner project.

**Fix (choose one):**

1. **Grant Storage permissions** on the scanner project to the user (or service account) running the script. For example, grant **Storage Admin** (`roles/storage.admin`) on that project, or a custom role that includes `storage.buckets.create`, `storage.buckets.get`, and `storage.buckets.update`.
1. **Reuse an existing bucket:** Use a bucket that already exists (create it with an identity that has Storage permissions if needed), then set `TF_STATE_BUCKET` to that bucket name when running the script. The script will use the existing bucket for Terraform state and will not try to create one.
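
Both fixes as shell functions, using a custom role with only the three listed permissions instead of Storage Admin. This is an added example, not Datadog's setup script: the role ID `agentlessTfStateBucket`, the function names, and the `GCLOUD` dry-run variable are assumptions.

```shell
# Added example (not part of the Datadog setup script).
# Set GCLOUD=echo to print the gcloud commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"

# The bucket permissions listed above for managing the Terraform state bucket.
STATE_BUCKET_PERMS="storage.buckets.create,storage.buckets.get,storage.buckets.update"

# Fix 1, least-privilege form: create a custom role that holds only those
# permissions and bind it to the identity that runs the setup script.
#   $1 = scanner project ID
#   $2 = member, for example user:alice@example.com or serviceAccount:...
#   $3 = custom role ID (hypothetical default, pick your own)
grant_state_bucket_role() {
  local project="$1" member="$2" role_id="${3:-agentlessTfStateBucket}"
  "$GCLOUD" iam roles create "$role_id" \
    --project="$project" \
    --title="Agentless tfstate bucket" \
    --permissions="$STATE_BUCKET_PERMS" || return 1
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="$member" \
    --role="projects/$project/roles/$role_id"
}

# Fix 2: reuse an existing bucket. Confirm the current identity can read the
# bucket metadata before exporting TF_STATE_BUCKET, so a typo or a missing
# permission surfaces here rather than partway through the setup.
#   $1 = bucket name without the gs:// prefix
use_existing_state_bucket() {
  local bucket="$1"
  if ! "$GCLOUD" storage buckets describe "gs://$bucket" \
        --format="value(name)" >/dev/null; then
    echo "gs://$bucket not found or not readable by this identity" >&2
    return 1
  fi
  export TF_STATE_BUCKET="$bucket"
}
```

Call one of the two functions in the same Cloud Shell session before rerunning the setup; `use_existing_state_bucket` leaves `TF_STATE_BUCKET` exported for the script to pick up.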

## Deployment fails due to VPC creation restrictions{% #deployment-fails-due-to-vpc-creation-restrictions %}

If your organization deploys with Terraform and enforces Service Control Policies (SCPs) that restrict Virtual Private Cloud (VPC) creation, scanner deployment fails because the scanner creates a new VPC by default.

To fix this, use the [**custom VPC**](https://github.com/DataDog/terraform-module-datadog-agentless-scanner/tree/main/examples/custom_vpc) option during setup to deploy the scanner into an existing VPC instead of creating a new one.

## Scanner instances appear as vulnerable hosts{% #scanner-instances-appear-as-vulnerable-hosts %}

Agentless scanner instances are ephemeral EC2 instances (or equivalent) deployed within your cloud account to perform scans. Because they run a standard operating system image (for example, the latest Ubuntu LTS), they may appear in vulnerability findings related to OS packages.

These findings reflect vulnerabilities identified in the underlying OS image and do not indicate a misconfiguration of your environment.

If desired, you can use tag-based filtering in the [Cloud Security Vulnerabilities Explorer](https://app.datadoghq.com/security/csm/vm) to exclude Datadog-managed scanner instances from your vulnerability views.

## Hosts with the Datadog Agent are not scanned{% #hosts-with-the-datadog-agent-are-not-scanned %}

This is expected behavior. Agentless Scanning excludes hosts that have the Datadog Agent installed with [Cloud Security Vulnerabilities](https://docs.datadoghq.com/security/cloud_security_management/vulnerabilities) enabled. This prevents duplicate scanning.

Hosts that have the Datadog Agent installed **without** Vulnerabilities features enabled are still scanned by Agentless Scanning.

## Unexpected cross-region scanning costs{% #unexpected-cross-region-scanning-costs %}

In some deployments, cross-region data transfer may contribute to cloud provider network costs, depending on how scanners and resources are distributed across regions.

To optimize traffic locality, consider deploying scanners in regions that contain a significant number of hosts. As a general guideline, Datadog recommends deploying a scanner in each region that contains more than 150 hosts.

See [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods) for detailed guidance on recommended deployment topologies.

## Unavailable for GovCloud and FIPS{% #unavailable-for-govcloud-and-fips %}

Agentless Scanning is not available in GovCloud because it requires [Remote Configuration](https://docs.datadoghq.com/remote_configuration), which is not available in GovCloud environments. Agentless Scanning is not FIPS compliant.

## Further reading{% #further-reading %}

- [Setting up Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning)
- [Deploying Agentless Scanning](https://docs.datadoghq.com/security/cloud_security_management/setup/agentless_scanning/deployment_methods)
