---
title: Troubleshooting Cloud Security Vulnerabilities
description: Datadog, the leading service for cloud-scale monitoring.
---

# Troubleshooting Cloud Security Vulnerabilities

## Overview{% #overview %}

If you experience issues with Cloud Security Vulnerabilities, use the following troubleshooting guidelines. If you need further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).

## Error messages{% #error-messages %}

### Disk space requirements{% #disk-space-requirements %}

Ensure your free disk space is at least equal to the size of your largest container image. The Datadog Agent needs this space to scan the container image for vulnerabilities (1 GB by default).

The resulting error appears as:

```sh
Error: failed to check current disk usage: not enough disk space to safely collect sbom, 192108482560 available, 1073741824000 required
```

Workaround:

- Increase the available disk space to at least 1 GB. If your images are larger than 1 GB, increase your disk space accordingly.
- If all of your images are smaller than 1 GB, you can lower the amount of free disk space the Agent requires with the environment variable `DD_SBOM_CONTAINER_IMAGE_MIN_AVAILABLE_DISK` (default value 1GB).

### Uncompressed container image layers{% #uncompressed-container-image-layers %}

The SBOM scan only works with uncompressed container image layers. Certain Kubernetes distributions (such as AWS EKS, minikube, and kind) configure their container runtime to discard the uncompressed layers, causing the scan to fail.

The resulting error appears as:

```sh
ERROR | (pkg/workloadmeta/collectors/internal/containerd/image_sbom_trivy.go:80 in func2) | Failed to generate SBOM for containerd image: unable to marshal report to sbom format, err: analyze error: failed to analyze layer:  : unable to get uncompressed layer
```

The workaround for this issue is to set the configuration option:

- For containerd: set `discard_unpacked_layers=false` in the containerd configuration file.
- For Helm: set `datadog.sbom.containerImage.uncompressedLayersSupport: true` in your `values.yaml` file.
- For Datadog Operator: set `features.sbom.containerImage.uncompressedLayersSupport` to `true` in your DatadogAgent CRD.

### GKE image streaming{% #gke-image-streaming %}

Datadog doesn't support image streaming with Google Kubernetes Engine (GKE). If you have that option enabled in GKE, your Agent can't generate container SBOMs.

The resulting error appears as:

```sh
unable to mount containerd image, err: unable to scan image named: {image-name}, image is not unpacked
```

The workaround for this issue is to disable image streaming in GKE. For more information, see the [Disable Image streaming](https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable) section of the GKE docs.
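To triage Agent logs for the three errors above, the following added example (not Datadog's code) matches each line against the error strings quoted in this section and reports the corresponding workaround. The function names and the extra log line in `SAMPLE_LOG` are constructed for illustration; the disk-space shortfall is computed from the byte counts in the message.

```python
import re

# Signatures are the error strings quoted above; fixes paraphrase each workaround.
SIGNATURES = [
    ("disk_space",
     re.compile(r"not enough disk space to safely collect sbom, "
                r"(?P<available>\d+) available, (?P<required>\d+) required"),
     "free disk space or lower DD_SBOM_CONTAINER_IMAGE_MIN_AVAILABLE_DISK"),
    ("uncompressed_layers",
     re.compile(r"unable to get uncompressed layer"),
     "set discard_unpacked_layers=false or enable uncompressedLayersSupport"),
    ("gke_image_streaming",
     re.compile(r"unable to scan image named: (?P<image>\S+), image is not unpacked"),
     "disable image streaming in GKE"),
]

# Constructed sample: the three error lines from this page plus one unrelated line.
SAMPLE_LOG = """\
Error: failed to check current disk usage: not enough disk space to safely collect sbom, 192108482560 available, 1073741824000 required
INFO | (constructed) | check completed
ERROR | (pkg/workloadmeta/collectors/internal/containerd/image_sbom_trivy.go:80 in func2) | Failed to generate SBOM for containerd image: unable to marshal report to sbom format, err: analyze error: failed to analyze layer:  : unable to get uncompressed layer
unable to mount containerd image, err: unable to scan image named: {image-name}, image is not unpacked
unable to mount containerd image, err: unable to scan image named: {image-name}, image is not unpacked
"""

def classify(line):
    """Return a finding for a known SBOM scan error, or None for any other line."""
    for issue, pattern, fix in SIGNATURES:
        match = pattern.search(line)
        if match:
            finding = {"issue": issue, "fix": fix, **match.groupdict()}
            if issue == "disk_space":
                # Bytes still missing before the Agent will attempt the scan.
                finding["shortfall"] = max(0, int(match["required"]) - int(match["available"]))
            return finding
    return None

def triage(lines):
    """Collapse repeats into one finding per (issue, image) with a count."""
    findings = {}
    for line in lines:
        found = classify(line)
        if found:
            key = (found["issue"], found.get("image"))
            findings.setdefault(key, {**found, "count": 0})["count"] += 1
    return list(findings.values())

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG.splitlines()):
        print(item)
```

To run it against real output, pass the Agent's log lines to `triage()` instead of `SAMPLE_LOG`.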

## Disable Cloud Security Vulnerabilities{% #disable-cloud-security-vulnerabilities %}

In the `datadog-values.yaml` file for the Agent, set the following settings to `false`:

```yaml
# datadog-values.yaml file
datadog:
  sbom:
    containerImage:
      enabled: false

      # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes Service (EKS)
      # uncompressedLayersSupport: true

    # Host Vulnerability Management
    host:
      enabled: false

  # Container Vulnerability Management
  # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
  # This key sits directly under `datadog:`, not under `sbom:`
  containerImageCollection:
    enabled: false
```

## Further Reading{% #further-reading %}

- [Enable SBOM collection in Cloud Security Vulnerabilities](https://docs.datadoghq.com/infrastructure/containers/container_images/#enable-sbom-collection)
- [Setting up host vulnerabilities](https://docs.datadoghq.com/security/cloud_security_management/setup/csm_enterprise/?tab=aws#hosts)
- [Enhance your troubleshooting workflow with Container Images in Datadog Container Monitoring](https://www.datadoghq.com/blog/datadog-container-image-view/)
