You can detect code-level vulnerabilities and monitor application security in Java applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Follow these steps to enable Runtime Code Analysis (IAST) in your service:

1. Update your Datadog Agent to at least version 7.41.1.

2. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.

3. Add the DD_IAST_ENABLED=true environment variable to your application configuration.

   From the command line:

   java -javaagent:/path/to/dd-java-agent.jar -Ddd.iast.enabled=true -Ddd.service=<MY SERVICE> -Ddd.env=<MY_ENV> -jar path/to/app.jar
   

   Or one of the following orchestration tool methods, depending on where your application runs.

   Note: Read-only file systems are not supported. The application must have access to a writable /tmp directory.

Docker CLI

Update your configuration container for APM by adding the following argument in your docker run command:

docker run [...] -e DD_IAST_ENABLED=true [...]

Dockerfile

Add the following environment variable value to your container Dockerfile:

DD_IAST_ENABLED=true

Kubernetes

Update your deployment configuration file for APM and add the IAST environment variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_IAST_ENABLED
              value: "true"

Amazon ECS

Update your ECS task definition JSON file, by adding this in the environment section:

"environment": [
  ...,
  {
    "name": "DD_IAST_ENABLED",
    "value": "true"
  }
]

You can detect code-level vulnerabilities and monitor application security in .NET applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Follow these steps to enable Runtime Code Analysis (IAST) in your service:

1. Update your Datadog Agent to at least version 7.41.1.

2. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.

3. Add the DD_IAST_ENABLED=true environment variable to your application configuration. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start-up script:

   $target=[System.EnvironmentVariableTarget]::Process
   [System.Environment]::SetEnvironmentVariable("DD_IAST_ENABLED","true",$target)
   

Or one of the following methods, depending on where your application runs:

Windows-Self-Hosted

In a Windows console:

rem Set environment variables
SET DD_IAST_ENABLED=true

rem Start application
dotnet.exe example.dll

IIS

Run the following PowerShell command as administrator to configure the necessary environment variables in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and restart IIS.

$target=[System.EnvironmentVariableTarget]::Machine
[System.Environment]::SetEnvironmentVariable("DD_IAST_ENABLED","true",$target)
net stop was /y
net start w3svc

Linux

Add the following to your application configuration:

DD_IAST_ENABLED=true

Docker CLI

Update your configuration container for APM by adding the following argument in your docker run command:

docker run -d --name app -e DD_IAST_ENABLED=true company/app:latest

Dockerfile

Add the following environment variable value to your container Dockerfile:

ENV DD_IAST_ENABLED=true

Kubernetes

Update your deployment configuration file for APM and add the ASM environment variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_IAST_ENABLED
              value: "true"

AWS ECS

Update your ECS task definition JSON file, by adding this in the environment section:

"environment": [
  ...,
  {
    "name": "DD_IAST_ENABLED",
    "value": "true"
  }
]

AWS Fargate

Add the following line to your container Dockerfile:

ENV DD_IAST_ENABLED=true

To see Runtime Code Analysis (IAST) in action, browse your service and find code-level vulnerabilities in the Vulnerability Explorer.

If you need additional assistance, contact Datadog support.

You can detect code-level vulnerabilities and monitor application security in Node.js applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Follow these steps to enable Runtime Code Analysis (IAST) in your service:

1. Update your Datadog Agent to at least version 7.41.1.

2. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.

3. Add the DD_IAST_ENABLED=true environment variable to your application configuration.

   If you initialize the APM library on the command line using the --require option to Node.js:

   node --require dd-trace/init app.js
   

   Then use environment variables to enable ASM:

   DD_IAST_ENABLED=true node app.js
   

   How you do this varies depending on where your service runs:

Docker CLI

Update your configuration container for APM by adding the following argument in your docker run command:

docker run [...] -e DD_IAST_ENABLED=true [...]

Dockerfile

Add the following environment variable value to your container Dockerfile:

ENV DD_IAST_ENABLED=true

Kubernetes

Update your configuration yaml file container for APM and add the AppSec env variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_IAST_ENABLED
              value: "true"

Amazon ECS

Update your ECS task definition JSON file, by adding this in the environment section:

"environment": [
  ...,
  {
    "name": "DD_IAST_ENABLED",
    "value": "true"
  }
]

You can detect code-level vulnerabilities and monitor application security in Python applicationss running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

NOTE: Code-Level Vulnerability detection in Python is in Preview.

Follow these steps to enable Runtime Code Analysis (IAST) in your service:

1. Update your Datadog Agent to at least version 7.41.1.

2. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.

3. Add the DD_IAST_ENABLED=true environment variable to your application configuration.

   From the command line:

   DD_IAST_ENABLED=true ddtrace-run python app.py
   

   Or one of the following methods, depending on where your application runs:

Docker CLI

Update your configuration container for APM by adding the following argument in your docker run command:

docker run [...] -e DD_IAST_ENABLED=true [...]

Dockerfile

Add the following environment variable value to your container Dockerfile:

DD_IAST_ENABLED=true

Kubernetes

Update your deployment configuration file for APM and add the IAST environment variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_IAST_ENABLED
              value: "true"

Amazon ECS

Update your ECS task definition JSON file, by adding this in the environment section:

"environment": [
  ...,
  {
    "name": "DD_IAST_ENABLED",
    "value": "true"
  }
]

Third-Party Library Compatibility Note

Runtime Code Analysis (IAST) modifies Python code at runtime. This could cause conflicts with other third-party Python libraries that perform similar code transformations, particularly with the following, though not limited to them:

• Numba
• JAX
• TorchScript
• TensorFlow
• Bytecode
• Codetransformer
• PyPy

Additionally, Runtime Code Analysis (IAST) does not correctly propagate taint ranges over native (compiled) code. Therefore, if your codebase heavily relies on modules written in C or C++, using the CPython API, or on intermediate language systems like Cython, the results might be less accurate than expected.

Application Security capabilities

The following application security capabilities are supported in the Java library, for the specified tracer version:

The minimum tracer version to get all supported application security capabilities for Java is 1.31.0.

Note: Threat Protection requires enabling Remote Configuration, which is included in the listed minimum tracer version.

Supported deployment types

Note: Azure App Service is supported for web applications only. Application Security doesn’t support Azure Functions.

Language and framework compatibility

Supported Java versions

The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes.

Datadog does not officially support any early-access versions of Java.

Web framework compatibility

• Attacker source HTTP request details
• Tags for the HTTP request (status code, method, etc)
• Distributed Tracing to see attack flows through your applications

Application Security Capability Notes

• Software Composition Analysis is supported on all frameworks
• If Runtime Code Analysis (IAST) does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.

Note: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty.

Networking framework compatibility

dd-java-agent includes support for automatically tracing the following networking frameworks.

Networking tracing provides:

• Distributed tracing through your applications
• Request-based blocking

Application Security Capability Notes

• Software Composition Analysis is supported on all frameworks
• If Runtime Code Analysis (IAST) does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities.

Data store compatibility

dd-java-agent includes support for automatically tracing the following database frameworks/drivers.

Datastore tracing provides:

• Timing request to response
• Query info (for example, a sanitized query string)
• Error and stacktrace capturing

Application Security Capability Notes

• Software Composition Analysis is supported on all frameworks
• Threat Protection also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.
• If your framework is not supported below, Runtime Code Analysis (IAST) won’t detect SQL Injection vulnerabilities, but it continues to detect the remaining vulnerability types listed here.

dd-java-agent is also compatible with common JDBC drivers for Threat Detection, such as:

• Apache Derby
• Firebird SQL
• H2 Database Engine
• HSQLDB
• IBM DB2
• MariaDB
• MSSQL (Microsoft SQL Server)
• MySQL
• Oracle
• Postgres SQL
• ScalikeJDBC

User Authentication Frameworks compatibility

Integrations to User Authentication Frameworks provide:

• User login events, including the user IDs
• Account Takeover detection monitoring for user login events

Application Security capabilities support

The following application security capabilities are supported in the .NET library, for the specified tracer version:

The minimum tracer version to get all supported application security capabilities for .NET is 2.42.0.

Note: Threat Protection requires enabling Remote Configuration, which is included in the listed minimum tracer version.

Supported deployment types

Note: Azure App Service is supported for web applications only. Application Security capabilities are not supported for Azure Functions.

Language and framework compatibility

Supported .NET versions

These are supported on the following architectures:

• Linux (GNU) x86-64, ARM64
• Alpine Linux (musl) x86-64, ARM64
• macOS (Darwin) x86-64, ARM64
• Windows (msvc) x86, x86-64

Web framework compatibility

• Attacker source HTTP request details
• Tags for the HTTP request (status code, method, etc)
• Distributed Tracing to see attack flows through your applications

Application Security capability notes

• Software Composition Analysis is supported on all frameworks.
• If your framework is not listed below, Runtime Code Analysis (IAST) continues to detect Insecure Cookie vulnerabilities.

Data store compatibility

Datastore tracing provides:

• SQL attack detection
• query info (for example, a sanitized query string)
• error and stacktrace capturing

Application Security Capability Notes

• Threat Protection also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.

User Authentication Frameworks compatibility

Integrations to User Authentication Frameworks provides:

• User login events including the user IDs
• User signup events (apps using built-in SignInManager)
• Account Takeover detection monitoring for user login events

Application Security capabilities

The following application security capabilities are supported in the Node.js library, for the specified tracer version:

The minimum tracer version to get all supported application security capabilities for Node.js is 4.30.0.

Note:

• Threat Protection requires enabling Remote Configuration, which is included in the listed minimum tracer version.

Supported deployment types

Language and framework compatibility

Node.js Version Support

When the Node.js project drops support for an LTS major release line (when it goes End of Life), support for it is dropped in the next major version of dd-trace. The last major supporting release line of dd-trace library supports that EOL version of Node.js for at least another year on a maintenance mode basis.

Some issues cannot be solved in dd-trace and instead must be solved in Node.js. When this happens and the Node.js release in question is EOL, it’s not possible to solve the issue without moving to another non-EOL release. Datadog does not make new releases of dd-trace to provide specific support for non-LTS Node.js major release lines (odd numbered versions).

For the best level of support, always run the latest LTS release of Node.js, and the latest major version of dd-trace. Whatever release line of Node.js you use, also use the latest version of Node.js on that release line, to ensure you have the latest security fixes.

For more information about Node.js release, see the official Node.js documentation.

Operating system support

The following operating systems are officially supported by dd-trace. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported.

Web framework compatibility

• Attacker source HTTP request details
• Tags for the HTTP request (status code, method, etc)
• Distributed Tracing to see attack flows through your applications

Application Security Capability Notes

• Software Composition Analysis is supported on all frameworks
• If your framework is not listed below, Runtime Code Analysis (IAST) it continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities.

Networking framework compatibility

Networking tracing provides:

• Distributed tracing through your applications
• Request-based blocking

Application Security capability notes

• Software Composition Analysis is supported on all frameworks

Data store compatibility

Datastore tracing provides:

• Timing request to response
• Query info (for example, a sanitized query string)
• Error and stacktrace capturing

Application Security capability notes

• Software Composition Analysis is supported on all frameworks
• Threat Protection also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.

User authentication frameworks compatibility

Integrations to User Authentication Frameworks provide:

• User login events, including the user IDs
• The Account Takeover detection monitoring the user login events

Application Security capabilities support

The following application security capabilities are supported in the Python library, for the specified tracer version:

Note: Threat Protection requires enabling Remote Configuration, which is included in the listed minimum tracer version.

Supported deployment types

Language and framework compatibility

Supported Python versions

The Python Application Security Client library follows a versioning policy that specifies the support level for the different versions of the library and Python runtime.

Two release branches are supported:

And the library supports the following runtimes:

Web framework compatibility

• Attacker source HTTP request details
• Tags for the HTTP request (status code, method, etc)
• Distributed Tracing to see attack flows through your applications

Application Security Capability Notes

• Software Composition Analysis is supported on all frameworks

Supported frameworks

Support for query strings is not available for Flask.

Data store compatibility

Datastore tracing provides:

• timing request to response
• query info (for example, a sanitized query string)
• error and stacktrace capturing

Application Security capability notes

• Software Composition Analysis is supported on all frameworks.
• Threat Protection also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below.

The Python library supports the database API specifications and supports all generic SQL databases. This includes databases such as SQLite, Mysql, Postgres and MariaDB.

User Authentication Frameworks compatibility

Integrations to User Authentication Frameworks provide:

• User login events, including the user IDs
• Account Takeover detection monitoring for user login events