Enabling Code Security for Node.js

Docs > Datadog Security > Code Security > Runtime Code Analysis (IAST) > Set up Runtime Code Analysis (IAST) > Enabling Code Security for Node.js

You can detect code-level vulnerabilities and monitor application security in Node.js applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Follow these steps to enable Code Security in your service:

Update your Datadog Agent to at least version 7.41.1.
Update your Datadog Tracing Library to at least the minimum version needed to turn on Code Security. For details, see Library Compatibility page.
Add the DD_IAST_ENABLED=true environment variable to your application configuration.
If you initialize the APM library on the command line using the --require option to Node.js:
```
node --require dd-trace/init app.js
```
Then use environment variables to enable AAP:
```
DD_IAST_ENABLED=true node app.js
```
How you do this varies depending on where your service runs:
Update your configuration container for APM by adding the following argument in your docker run command:
docker run [...] -e DD_IAST_ENABLED=true [...]
Add the following environment variable value to your container Dockerfile:
ENV DD_IAST_ENABLED=true
Update your configuration yaml file container for APM and add the AppSec env variable:
spec: template: spec: containers: - name: <CONTAINER_NAME> image: <CONTAINER_IMAGE>/<TAG> env: - name: DD_IAST_ENABLED value: "true"
Update your ECS task definition JSON file, by adding this in the environment section:
"environment": [ ..., { "name": "DD_IAST_ENABLED", "value": "true" } ]
Restart your service.
To see Code Security in action, browse your service and the code-level vulnerabilities appear in the Vulnerability Explorer.

If you need additional assistance, contact Datadog support.

Bundling with esbuild

dd-trace provides an esbuild plugin. Starting in dd-trace@5.69.0, the plugin also supports IAST for CommonJS bundled applications.

Here’s an example of how one might use dd-trace with esbuild:

// esbuild/esbuilder.js

const ddPlugin = require('dd-trace/esbuild')
const esbuild = require('esbuild')

esbuild.build({
  entryPoints: ['app.js'],
  bundle: true,
  outfile: 'out.js',
  sourcemap: true, // required for correct vulnearability location
  plugins: [ddPlugin],
  platform: 'node', // allows built-in modules to be required
  target: ['node18'],
  external: [
    '@datadog/native-iast-taint-tracking' // required for Datadog IAST features
  ]
}).catch((err) => {
  console.error(err)
  process.exit(1)
})

To enable IAST during bundling, set the DD_IAST_ENABLED environment variable:

DD_IAST_ENABLED=true node esbuild/esbuilder.js

Because the tracer uses native modules, you must list them in external and ship a node_modules directory alongside the bundled app. Native modules used by dd-trace are published under the @datadog/* scope.

To generate a minimal node_modules directory that contains only the required native modules and their dependencies:

Determine the required package versions.
Install them into a temporary directory.
Copy the resulting node_modules directory to the application’s output directory.

cd path/to/project
npm ls @datadog/native-iast-taint-tracking
# dd-trace@5.69.0
# └── @datadog/native-iast-taint-tracking@4.0.0
mkdir temp && cd temp
npm init -y
npm install @datadog/native-iast-taint-tracking@4.0.0
cp -R ./node_modules path/to/bundle