Setting up Cloud Security Management Vulnerabilities
CSM Vulnerabilities is not available on the US1-FED Datadog site.
CSM Vulnerabilities is in beta.
Prerequisites
Setup for container image scanning
The following instructions enable container image metadata collection and Software Bill of Materials (SBOM) collection in the Datadog Agent. This allows the Agent to inventory the libraries in container images so that known vulnerabilities in them can be detected.
Add the following to your values.yaml Helm configuration file:
agents:
  containers:
    agent:
      env:
        - name: DD_CONTAINER_IMAGE_ENABLED
          value: "true"
        - name: DD_SBOM_ENABLED
          value: "true"
        - name: DD_SBOM_CONTAINER_IMAGE_ENABLED
          value: "true"
To enable container image vulnerability scanning on your ECS EC2 instances, add the following environment variables to your datadog-agent container definition:
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      ...
      "environment": [
        ...
        {
          "name": "DD_CONTAINER_IMAGE_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SBOM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
          "value": "true"
        }
      ]
    }
  ]
  ...
}
If the Agent fails to extract the SBOM from the container image, increase the Agent memory in the container definition:
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      "memory": 256,
      ...
    }
  ]
  ...
}
Add the following to your datadog.yaml configuration file:
sbom:
  enabled: true
  container_image:
    enabled: true
container_image:
  enabled: true
Setup for host vulnerability scanning
Note: Container and host SBOM collection can be enabled at the same time by combining the container setup above with the following host configuration:
agents:
  containers:
    agent:
      env:
        - name: DD_SBOM_ENABLED
          value: "true"
        - name: DD_SBOM_HOST_ENABLED
          value: "true"
{
  "containerDefinitions": [
    {
      "name": "datadog-agent",
      ...
      "environment": [
        ...
        {
          "name": "DD_SBOM_ENABLED",
          "value": "true"
        },
        {
          "name": "DD_SBOM_HOST_ENABLED",
          "value": "true"
        }
      ]
    }
  ]
  ...
}
sbom:
  enabled: true
  host:
    enabled: true
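A quick way to confirm that an ECS task definition actually carries the environment variables listed above for container image scanning and, optionally, host scanning. This is an added example, not Datadog code; the task definition JSON is constructed here, and the check treats anything other than the documented literal "true" as not enabled.

```python
"""Check a Datadog Agent ECS task definition for the environment variables
that enable CSM Vulnerabilities SBOM collection (container image and host)."""
import json

# Environment variables the setup instructions require, per scan type.
CONTAINER_VARS = ("DD_CONTAINER_IMAGE_ENABLED", "DD_SBOM_ENABLED",
                  "DD_SBOM_CONTAINER_IMAGE_ENABLED")
HOST_VARS = ("DD_SBOM_ENABLED", "DD_SBOM_HOST_ENABLED")


def agent_env(task_def: dict, container_name: str = "datadog-agent") -> dict:
    """Return {name: value} for the named container's environment list."""
    for cdef in task_def.get("containerDefinitions", []):
        if cdef.get("name") == container_name:
            return {e["name"]: e["value"] for e in cdef.get("environment", [])}
    raise KeyError(f"no container named {container_name!r} in task definition")


def missing_sbom_settings(task_def: dict, scan_hosts: bool = False) -> list:
    """List the required variables that are absent or not set to the
    documented literal "true" (strict: other spellings are reported)."""
    required = set(CONTAINER_VARS) | (set(HOST_VARS) if scan_hosts else set())
    env = agent_env(task_def)
    return sorted(v for v in required if env.get(v) != "true")


# Constructed sample: container image scanning is fully configured,
# but the host scanning variable was never added.
SAMPLE_TASK_DEF = json.loads("""{
  "containerDefinitions": [{
    "name": "datadog-agent",
    "memory": 256,
    "environment": [
      {"name": "DD_CONTAINER_IMAGE_ENABLED", "value": "true"},
      {"name": "DD_SBOM_ENABLED", "value": "true"},
      {"name": "DD_SBOM_CONTAINER_IMAGE_ENABLED", "value": "true"}
    ]
  }]
}""")

if __name__ == "__main__":
    print("container scan missing:", missing_sbom_settings(SAMPLE_TASK_DEF))
    print("host scan missing:",
          missing_sbom_settings(SAMPLE_TASK_DEF, scan_hosts=True))
```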