--- title: Set up Runtime Code Analysis (IAST) description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Runtime Code Analysis (IAST) > Set up Runtime Code Analysis (IAST) --- # Set up Runtime Code Analysis (IAST) {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Prerequisites{% #prerequisites %} Before setting up Runtime Code Analysis (IAST), ensure the following prerequisites are met: 1. **Datadog Agent Installation:** The Datadog Agent is installed and configured for your application's operating system or container, cloud, or virtual environment. 1. **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Runtime Code Analysis (IAST) capabilities for the language of your application or service. For more details, see the **Compatibility Requirements** section below. ## Using Datadog Tracing Libraries{% #using-datadog-tracing-libraries %} Select your application language for details on how to enable Runtime Code Analysis (IAST) for your language and infrastructure types. {% collapsible-section %} #### Java You can detect code-level vulnerabilities and monitor application security in Java applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. Follow these steps to enable Runtime Code Analysis (IAST) in your service: 1. [Update your Datadog Agent](https://docs.datadoghq.com/agent/versions/upgrade_between_agent_minor_versions/) to at least version 7.41.1. 1. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the **Compatibility Requirements** below. 1. Add the `DD_IAST_ENABLED=true` environment variable to your application configuration. From the command line: ```shell java -javaagent:/path/to/dd-java-agent.jar -Ddd.iast.enabled=true -Ddd.service= -Ddd.env= -jar path/to/app.jar ``` Or one of the following orchestration tool methods, depending on where your application runs. **Note**: Read-only file systems are not supported. The application must have access to a writable `/tmp` directory. #### Docker CLI{% #docker-cli %} Update your configuration container for APM by adding the following argument in your `docker run` command: ```shell docker run [...] -e DD_IAST_ENABLED=true [...] ``` #### Dockerfile{% #dockerfile %} Add the following environment variable value to your container Dockerfile: ```Dockerfile DD_IAST_ENABLED=true ``` #### Kubernetes{% #kubernetes %} Update your deployment configuration file for APM and add the IAST environment variable: ```yaml spec: template: spec: containers: - name: image: / env: - name: DD_IAST_ENABLED value: "true" ``` #### Amazon ECS{% #amazon-ecs %} Update your ECS task definition JSON file, by adding this in the environment section: ```json "environment": [ ..., { "name": "DD_IAST_ENABLED", "value": "true" } ] ``` #### APM tracing disabled{% #apm-tracing-disabled %} To disable APM tracing while keeping IAST enabled, you must set the APM tracing variable to false. {% tab title="Using system properties" %} Start your Java application with the Datadog Agent and IAST enabled using system properties: ```bash java -javaagent:/path/to/dd-java-agent.jar -Ddd.iast.enabled=true -Ddd.apm.tracing.enabled=false -Ddd.service= -Ddd.env= -jar path/to/app.jar ``` {% /tab %} {% tab title="Using environment variables" %} Set the required environment variables: ```Dockerfile DD_IAST_ENABLED=true DD_APM_TRACING_ENABLED=false DD_SERVICE= DD_ENV= ``` {% /tab %} {% /collapsible-section %} {% collapsible-section %} #### .NET You can detect code-level vulnerabilities and monitor application security in .NET applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. Follow these steps to enable Runtime Code Analysis (IAST) in your service: 1. [Update your Datadog Agent](https://docs.datadoghq.com/security/code_security/iast/setup/) to at least version 7.41.1. 1. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the **Compatibility Requirements** below. 1. Add the `DD_IAST_ENABLED=true` environment variable to your application configuration. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start-up script: ```sh $target=[System.EnvironmentVariableTarget]::Process [System.Environment]::SetEnvironmentVariable("DD_IAST_ENABLED","true",$target) ``` Or one of the following methods, depending on where your application runs: #### Windows-Self-Hosted{% #windows-self-hosted %} In a Windows console: ```sh rem Set environment variables SET DD_IAST_ENABLED=true rem Start application dotnet.exe example.dll ``` #### IIS{% #iis %} Run the following PowerShell command as administrator to configure the necessary environment variables in the registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment` and restart IIS. ```sh $target=[System.EnvironmentVariableTarget]::Machine [System.Environment]::SetEnvironmentVariable("DD_IAST_ENABLED","true",$target) net stop was /y net start w3svc ``` #### Linux{% #linux %} Add the following to your application configuration: ``` DD_IAST_ENABLED=true ``` #### Docker CLI{% #docker-cli-1 %} Update your configuration container for APM by adding the following argument in your docker run command: ``` docker run -d --name app -e DD_IAST_ENABLED=true company/app:latest ``` #### Dockerfile{% #dockerfile-1 %} Add the following environment variable value to your container Dockerfile: ``` ENV DD_IAST_ENABLED=true ``` #### Kubernetes{% #kubernetes-1 %} Update your deployment configuration file for APM and add the Runtime Code Analysis (IAST) environment variable: ```yaml spec: template: spec: containers: - name: image: / env: - name: DD_IAST_ENABLED value: "true" ``` #### AWS ECS{% #aws-ecs %} Update your ECS task definition JSON file, by adding this in the environment section: ```yaml "environment": [ ..., { "name": "DD_IAST_ENABLED", "value": "true" } ] ``` #### AWS Fargate{% #aws-fargate %} Add the following line to your container Dockerfile: ``` ENV DD_IAST_ENABLED=true ``` #### APM tracing disabled{% #apm-tracing-disabled-1 %} To disable APM tracing while keeping IAST enabled, you must set the APM tracing variable to false. ```Dockerfile DD_IAST_ENABLED=true DD_APM_TRACING_ENABLED=false DD_SERVICE= DD_ENV= ``` To see Runtime Code Analysis (IAST) in action, browse your service and find code-level vulnerabilities in the [Vulnerability Explorer](https://app.datadoghq.com/security/appsec/vm). {% video url="https://datadog-docs.imgix.net/images//security/application_security/Code-Level-Vulnerability-Details-New.mp4" /%} If you need additional assistance, contact [Datadog support](https://docs.datadoghq.com/help). {% /collapsible-section %} {% collapsible-section %} #### Node.js You can detect code-level vulnerabilities and monitor application security in Node.js applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. Follow these steps to enable Runtime Code Analysis (IAST) in your service: 1. [Update your Datadog Agent](https://app.datadoghq.com/security/appsec/vm) to at least version 7.41.1. 1. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the **Compatibility Requirements** below. 1. Add the `DD_IAST_ENABLED=true` environment variable to your application configuration. If you initialize the APM library on the command line using the `--require` option to Node.js: ```shell node --require dd-trace/init app.js ``` Then use environment variables to enable Runtime Code Analysis (IAST): ```shell DD_IAST_ENABLED=true node app.js ``` How you do this varies depending on where your service runs: #### Docker CLI{% #docker-cli-2 %} Update your configuration container for APM by adding the following argument in your `docker run` command: ```shell docker run [...] -e DD_IAST_ENABLED=true [...] ``` #### Dockerfile{% #dockerfile-2 %} Add the following environment variable value to your container Dockerfile: ```Dockerfile ENV DD_IAST_ENABLED=true ``` #### Kubernetes{% #kubernetes-2 %} Update your configuration yaml file container for APM and add the AppSec env variable: ```yaml spec: template: spec: containers: - name: image: / env: - name: DD_IAST_ENABLED value: "true" ``` #### Amazon ECS{% #amazon-ecs-1 %} Update your ECS task definition JSON file, by adding this in the environment section: ```json "environment": [ ..., { "name": "DD_IAST_ENABLED", "value": "true" } ] ``` #### APM tracing disabled{% #apm-tracing-disabled-2 %} To disable APM tracing while keeping IAST enabled, you must set the APM tracing variable to false. ```Dockerfile DD_IAST_ENABLED=true DD_APM_TRACING_ENABLED=false DD_SERVICE= DD_ENV= ``` {% /collapsible-section %} {% collapsible-section %} #### Python You can detect code-level vulnerabilities and monitor application security in Python applicationss running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. Follow these steps to enable Runtime Code Analysis (IAST) in your service: 1. [Update your Datadog Agent](https://docs.datadoghq.com/agent/versions/upgrade_between_agent_minor_versions/) to at least version 7.41.1. 1. Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the **Compatibility Requirements** below. 1. Add the `DD_IAST_ENABLED=true` environment variable to your application configuration. From the command line: ```shell DD_IAST_ENABLED=true ddtrace-run python app.py ``` Or one of the following methods, depending on where your application runs: #### Docker CLI{% #docker-cli-3 %} Update your configuration container for APM by adding the following argument in your `docker run` command: ```shell docker run [...] -e DD_IAST_ENABLED=true [...] ``` #### Dockerfile{% #dockerfile-3 %} Add the following environment variable value to your container Dockerfile: ```Dockerfile DD_IAST_ENABLED=true ``` #### Kubernetes{% #kubernetes-3 %} Update your deployment configuration file for APM and add the IAST environment variable: ```yaml spec: template: spec: containers: - name: image: / env: - name: DD_IAST_ENABLED value: "true" ``` #### Amazon ECS{% #amazon-ecs-2 %} Update your ECS task definition JSON file, by adding this in the environment section: ```json "environment": [ ..., { "name": "DD_IAST_ENABLED", "value": "true" } ] ``` #### APM tracing disabled{% #apm-tracing-disabled-3 %} To disable APM tracing while keeping IAST enabled, you must set the APM tracing variable to false. ```Dockerfile DD_IAST_ENABLED=true DD_APM_TRACING_ENABLED=false DD_SERVICE= DD_ENV= ``` #### Third-Party Library Compatibility Note{% #third-party-library-compatibility-note %} Runtime Code Analysis (IAST) modifies Python code at runtime. This could cause conflicts with other third-party Python libraries that perform similar code transformations, particularly with the following, though not limited to them: - Numba - JAX - TorchScript - TensorFlow - Bytecode - Codetransformer - PyPy Additionally, Runtime Code Analysis (IAST) does not correctly propagate taint ranges over native (compiled) code. Therefore, if your codebase heavily relies on modules written in C or C++, using the CPython API, or on intermediate language systems like Cython, the results might be less accurate than expected. {% /collapsible-section %} ### Finishing setup{% #finishing-setup %} 1. Restart your service. 1. To see Runtime Code Analysis (IAST) in action, browse your service and find IAST vulnerabilities in the [Runtime Code (IAST) Vulnerability Explorer](https://app.datadoghq.com/security/appsec/vm). If you need additional assistance, contact [Datadog support](https://docs.datadoghq.com/help). ## Compatibility Requirements{% #compatibility-requirements %} The following code security capabilities are supported relative to each language's tracing library: | Code Security capability | Java | .NET | Node.js | Python | Go | Ruby | PHP | | ------------------------------------------- | ------ | ------ | ------- | ------ | ------------- | ------------- | ------------- | | Runtime Software Composition Analysis (SCA) | 1.1.4 | 2.16.0 | 4.0.0 | 1.5.0 | 1.49.0 | 1.11.0 | 0.90.0 | | Runtime Code Analysis (IAST) | 1.15.0 | 2.42.0 | 4.18.0 | 3.18.0 | not supported | not supported | not supported | **Note**: **Static Software Composition Analysis (SCA)** and **Static Code Analysis (SAST)** capabilities do not require Datadog's tracing library. Therefore, the requirements listed below do not apply to these two Code Security capabilities. Select your application language for details about framework compatibility and feature support. {% collapsible-section %} #### Java ### Code Security capabilities{% #code-security-capabilities %} The following code security capabilities are supported in the Java library, for the specified tracer version: | Code Security capability | Minimum Java tracer version | | ------------------------------------------- | --------------------------- | | Runtime Software Composition Analysis (SCA) | 1.1.4 | | Runtime Code Analysis (IAST) | 1.15.0 | The minimum tracer version to get all supported code security capabilities for Java is 1.15.0. #### Supported deployment types{% #supported-deployment-types %} | Type | Runtime Software Composition Analysis (SCA) | Runtime Code Analysis (IAST) | | ----------------- | ------------------------------------------- | ---------------------------- | | Docker | yes | yes | | Kubernetes | yes | yes | | Amazon ECS | yes | yes | | AWS Fargate | yes | Preview (1.15.0) | | AWS Lambda | | Azure App Service | yes | yes | **Note**: Azure App Service is supported for **web applications only**. Code Security doesn't support Azure Functions. ### Language and framework compatibility{% #language-and-framework-compatibility %} #### Supported Java versions{% #supported-java-versions %} The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes. | JVM versions | Operating Systems | Support level | Tracer version | | ------------ | ------------------------------------------------------------------------ | ------------- | -------------- | | 8 to 21 | Windows (x86-64)Linux (glibc, musl) (arm64, x86-64)MacOS (arm64, x86-64) | Supported | Latest | Datadog does not officially support any early-access versions of Java. Versions 22 and above are supported as in Preview. #### Web framework compatibility{% #web-framework-compatibility %} ##### Code Security Capability Notes{% #code-security-capability-notes %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If **Runtime Code Analysis (IAST)** does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. | Framework | Versions | Runtime Code Analysis (IAST) | | ---------------- | ------------- | ---------------------------- | | Grizzly | 2.0+ | yes | | Glassfish | yes | | Java Servlet | 2.3+, 3.0+ | yes | | Jetty | 7.0-9.x, 10.x | yes | | Spring Boot | 1.5 | yes | | Spring Web (MVC) | 4.0+ | yes | | Spring WebFlux | 5.0+ | yes | | Tomcat | 5.5+ | yes | | Vert.x | 3.4-3.9.x | yes | **Note**: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty. {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} #### Networking framework compatibility{% #networking-framework-compatibility %} `dd-java-agent` includes support for automatically tracing the following networking frameworks. ##### Code Security Capability Notes{% #code-security-capability-notes-1 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If **Runtime Code Analysis (IAST)** does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities. | Framework | Versions | Runtime Code Analysis (IAST) | | ---------------------------------- | -------- | ---------------------------- | | Apache HTTP Client | 4.0+ | | gRPC | 1.5+ | | HttpURLConnection | all | | Jax RS Clients | 2.0+ | yes | | Jersey Server | 1.9-2.29 | yes | | Netty HTTP Server | 3.8+ | | RESTEasy | 3.0.x | | Spring SessionAwareMessageListener | 3.1+ | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} #### Data store compatibility{% #data-store-compatibility %} `dd-java-agent` includes support for automatically tracing the following database frameworks/drivers. **Datastore tracing provides:** - Timing request to response - Query info (for example, a sanitized query string) - Error and stacktrace capturing ##### Code Security Capability Notes{% #code-security-capability-notes-2 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If your framework is not supported below, **Runtime Code Analysis (IAST)** won't detect SQL Injection vulnerabilities, but it continues to detect the remaining vulnerability types listed [here](https://docs.datadoghq.com/security/code_security/iast/setup/). | Database | Versions | Runtime Code Analysis (IAST) | | --------- | -------- | ---------------------------- | | Aerospike | 4.0+ | | Couchbase | 2.0+ | | JDBC | N/A | yes | | MongoDB | 3.0-4.0+ | {% alert level="info" %} If you don't see your framework of choice listed, let us know. Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} {% /collapsible-section %} {% collapsible-section %} #### .NET ### Code Security capabilities support{% #code-security-capabilities-support %} The following code security capabilities are supported in the .NET library, for the specified tracer version: | Code Security capability | Minimum .NET tracer version | | ------------------------------------------- | --------------------------- | | Runtime Software Composition Analysis (SCA) | 2.16.0 | | Runtime Code Analysis (IAST) | 2.42.0 | The minimum tracer version to get all supported code security capabilities for .NET is 2.42.0. #### Supported deployment types{% #supported-deployment-types-1 %} | Type | Runtime Software Composition Analysis (SCA) | Runtime Code Analysis (IAST) | | ----------------- | ------------------------------------------- | ---------------------------- | | Docker | yes | yes | | Kubernetes | yes | yes | | Amazon ECS | yes | yes | | AWS Fargate | yes | Preview (2.42.0) | | AWS Lambda | | Azure App Service | yes | yes | **Note**: Azure App Service is supported for **web applications only**. Code Security capabilities are not supported for Azure Functions. ### Language and framework compatibility{% #language-and-framework-compatibility-1 %} #### Supported .NET versions{% #supported-net-versions %} | .NET Framework Version | Microsoft End of Life | Support level | Package version | | ---------------------- | --------------------- | ------------- | --------------- | | 4.8 | GA | latest | | 4.7.2 | GA | latest | | 4.7 | GA | latest | | 4.6.2 | GA | latest | | 4.6.1 | 04/26/2022 | GA | latest | These are supported on the following architectures: - Linux (GNU) x86-64, ARM64 - Alpine Linux (musl) x86-64, ARM64 - macOS (Darwin) x86-64, ARM64 - Windows (msvc) x86, x86-64 #### Web framework compatibility{% #web-framework-compatibility-1 %} ##### Code Security capability notes{% #code-security-capability-notes-3 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks. - If your framework is not listed below, **Runtime Code Analysis (IAST)** continues to detect Insecure Cookie vulnerabilities. | Framework | Runtime Code Analysis (IAST) | | ----------------- | ---------------------------- | | ASP.NET MVC | yes | | ASP.NET Web API 2 | yes | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} ### Networking framework compatibility{% #networking-framework-compatibility-1 %} ##### Code Security capability notes{% #code-security-capability-notes-4 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks | Framework | Runtime Code Analysis (IAST) | | --------- | ---------------------------- | | http | yes | | https | yes | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} #### Data store compatibility{% #data-store-compatibility-1 %} **Datastore tracing provides:** - query info (for example, a sanitized query string) - error and stacktrace capturing ##### Code Security Capability Notes{% #code-security-capability-notes-5 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks. | Framework | Runtime Code Analysis (IAST) | | ---------- | ---------------------------- | | OracleDB | yes | | ADO.NET | yes | | SQL Server | yes | | MySQL | yes | | SQLite | yes | {% /collapsible-section %} {% collapsible-section %} #### Node.js ### Code Security capabilities{% #code-security-capabilities-1 %} The following code security capabilities are supported in the Node.js library, for the specified tracer version: | Code Security capability | Minimum Node.js tracer version | | ------------------------------------------- | ------------------------------------------------ | | Runtime Software Composition Analysis (SCA) | 4.0.0 | | Runtime Code Analysis (IAST) | 4.18.0 for Node.js 16+, or 5.0.0 for Node.js 18+ | The minimum tracer version to get all supported code security capabilities is 4.30.0 for Node.js 16+ and 5.0.0 for Node.js 18+. #### Supported deployment types{% #supported-deployment-types-2 %} | Type | Runtime Software Composition Analysis (SCA) | Runtime Code Analysis (IAST) | | ----------- | ------------------------------------------- | ---------------------------------------------------------- | | Docker | yes | yes | | Kubernetes | yes | yes | | Amazon ECS | yes | yes | | AWS Fargate | yes | Preview (4.18.0 for Node.js 16+, or 5.0.0 for Node.js 18+) | | AWS Lambda | yes | not supported | ### Language and framework compatibility{% #language-and-framework-compatibility-2 %} #### Node.js Version Support{% #nodejs-version-support %} When the Node.js project drops support for an LTS major release line (when it goes End of Life), support for it is dropped in the next major version of `dd-trace`. The last major supporting release line of `dd-trace` library supports that EOL version of Node.js for at least another year on a maintenance mode basis. Some issues cannot be solved in `dd-trace` and instead must be solved in Node.js. When this happens and the Node.js release in question is EOL, it's not possible to solve the issue without moving to another non-EOL release. Datadog does not make new releases of `dd-trace` to provide specific support for non-LTS Node.js major release lines (odd numbered versions). For the best level of support, always run the latest LTS release of Node.js, and the latest major version of `dd-trace`. Whatever release line of Node.js you use, also use the latest version of Node.js on that release line, to ensure you have the latest security fixes. For more information about Node.js release, see the [official Node.js documentation](https://app.datadoghq.com/security/appsec/vm). #### Operating system support{% #operating-system-support %} The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. | Operating System | Architectures | Minimum Versions | | ---------------- | ------------- | ---------------------------------------- | | Linux (glibc) | arm64, x64 | CentOS 7, Debian 9, RHEL 7, Ubuntu 14.04 | | Linux (musl) | arm64, x64 | Alpine 3.13 | | macOS | arm64, x64 | Catalina (10.15) | | Windows | x64 | Windows 8.1, Windows Server 2012 | #### Web framework compatibility{% #web-framework-compatibility-2 %} ##### Code Security Capability Notes{% #code-security-capability-notes-6 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks - If your framework is not listed below, **Runtime Code Analysis (IAST)** it continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities. | Framework | Versions | Runtime Code Analysis (IAST) | | --------- | -------- | ---------------------------- | | express | \>=4 | yes | | fastify | \>=2 | yes | | nextjs | \>=11.1 | {% alert level="info" %} If you would like to see support added for any of the unsupported capabilities or for your Node.js framework, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} ### Networking framework compatibility{% #networking-framework-compatibility-2 %} ##### Code Security capability notes{% #code-security-capability-notes-7 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks | Framework | Runtime Code Analysis (IAST) | | --------- | ---------------------------- | | http | yes | | https | yes | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} ### Data store compatibility{% #data-store-compatibility-2 %} Datastore tracing provides: - Query info (for example, a sanitized query string) - Error and stacktrace capturing ##### Code Security capability notes{% #code-security-capability-notes-8 %} - **Runtime Software Composition Analysis (SCA)** is supported on all framework | Framework | Versions | Runtime Code Analysis (IAST) | | ---------------------------------------------------------------------- | -------- | ---------------------------- | | [@apollo/server](https://github.com/apollographql/apollo-server) | `>=4` | | [apollo-server-core](https://www.npmjs.com/package/apollo-server-core) | `>=3` | | [cassandra-driver](https://github.com/datastax/nodejs-driver) | `>=3` | | [couchbase](https://github.com/couchbase/couchnode) | `^2.4.2` | | [elasticsearch](https://github.com/elastic/elasticsearch-js) | `>=10` | | [ioredis](https://github.com/luin/ioredis) | `>=2` | | [knex](https://knexjs.org) | `>=0.8` | | [mariadb](https://docs.datadoghq.com/help) | `>=3` | | [memcached](https://github.com/3rd-Eden/memcached) | `>=2.2` | | [mongodb-core](https://www.mongodb.com/docs/drivers/node/current/) | `>=2` | yes | | [mysql](https://github.com/mysqljs/mysql) | `>=2` | yes | | [mysql2](https://github.com/sidorares/node-mysql2) | `>=1` | yes | | [oracledb](https://oracle.github.io/node-oracledb/) | `>=5` | | [pg](https://node-postgres.com) | `>=4` | yes | | [redis](https://github.com/NodeRedis/node_redis) | `>=0.12` | | [sharedb](https://share.github.io/sharedb/) | `>=1` | | [tedious](http://tediousjs.github.io/tedious) | `>=1` | | [sequelize](https://github.com/sequelize/sequelize) | `>=4` | yes | {% /collapsible-section %} {% collapsible-section %} #### Python ### Code Security capabilities support{% #code-security-capabilities-support-1 %} The following code security capabilities are supported in the Python library, for the specified tracer version: | Code Security capability | Minimum Python tracer version | | ------------------------------------------- | ----------------------------- | | Runtime Software Composition Analysis (SCA) | 1.5.0 | | Runtime Code Analysis (IAST) | 3.18.0 | #### Supported deployment types{% #supported-deployment-types-3 %} | Type | Runtime Code Analysis (IAST) | | ----------- | ---------------------------- | | Docker | yes | | Kubernetes | yes | | Amazon ECS | yes | | AWS Fargate | Preview (2.9.3) | | AWS Lambda | ### Language and framework compatibility{% #language-and-framework-compatibility-3 %} #### Supported Python versions{% #supported-python-versions %} The Python Application Security Client library follows a [versioning policy](https://docs.datadoghq.com/security/code_security/iast/setup/) that specifies the support level for the different versions of the library and Python runtime. Two release branches are supported: | Release | Support level | Minimum Datadog Agent | | ---------- | -------------------------------- | --------------------- | | `>=4.0,<5` | General Availability | 7.28 | | `>=3.0,<4` | Maintenence (until May 31, 2026) | 7.28 | | `>=2.0,<3` | End of Life | 7.28 | | `<2` | End of Life | And the library supports the following runtimes: | OS | CPU | Runtime | Runtime version | Supported ddtrace versions | | ----- | --------------------- | ------- | --------------- | -------------------------- | | Linux | x86-64, AArch64 | CPython | 3.9+ | \>=4, <5 | | macOS | Intel, Apple Silicon | CPython | 3.9+ | \>=4, <5 | | Linux | x86-64, i686, AArch64 | CPython | 3.8+ | \>=3, <4 | | macOS | Intel, Apple Silicon | CPython | 3.8+ | \>=3, <4 | #### Web framework compatibility{% #web-framework-compatibility-3 %} ##### Code Security Capability Notes{% #code-security-capability-notes-9 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks #### Supported frameworks{% #supported-frameworks %} | Framework | Versions | Runtime Code Analysis (IAST) | | --------- | -------- | ---------------------------- | | Django | 2.2 | yes | | FastAPI | 0.86 | yes | | Flask | 1.1 | yes | {% alert level="info" %} If you don't see your framework of choice listed, let us know! Fill out [this short form to send details](https://forms.gle/gHrxGQMEnAobukfn7). {% /alert %} #### Data store compatibility{% #data-store-compatibility-3 %} Datastore tracing provides: - query info (for example, a sanitized query string) - error and stacktrace capturing ##### Code Security capability notes{% #code-security-capability-notes-10 %} - **Runtime Software Composition Analysis (SCA)** is supported on all frameworks. The Python library supports the [database API specifications](https://app.datadoghq.com/security/appsec/vm) and supports all generic SQL databases. This includes databases such as SQLite, Mysql, Postgres and MariaDB. {% /collapsible-section %}