Cloud Security Management Vulnerabilities
Overview
Cloud Security Management Vulnerabilities (CSM Vulnerabilities) helps you improve your security posture and achieve compliance, by continuously scanning container images, hosts, host images, and serverless functions for vulnerabilities, from CI/CD pipelines to live production. Leveraging runtime observability, it helps you prioritize and remediate exploitable vulnerabilities in your daily workflows, all in a single view, and without any dependencies on other Datadog products.
With CSM Vulnerabilities, you can manage your cloud security management strategy, all in one place:
- Create a vulnerability management program, from CI/CD pipelines to production resources
- Pass compliance audits (such as SOC2, PCI, HIPAA, CIS, and FedRamp)
- Remediate emerging vulnerabilities (0-day CVEs)
Note: For vulnerability management in application libraries, see Software Composition Analysis. For application code, see Code Security.
Key capabilities
- Deploy using Agentless or the unified Datadog Agent: Quickly scan your entire infrastructure for vulnerabilities, either with Agentless or with the unified Datadog Agent you already have deployed.
- Inventory cloud resources in real time: Inventory container images, hosts, serverless functions, and all packages deployed in your infrastructure, in real time, and export your SBOM.
- Detect vulnerabilities continuously: Scan recent updates and newly published CVEs across running container images, hosts, host images, and serverless functions, and identify vulnerable container image layers.
- Prioritize exploitable vulnerabilities using runtime observability: Leverage Datadog’s security scoring, which is based on CVSS and incorporates intel from CISA KEV, EPSS, and public exploit availability. With runtime observability, you can monitor whether a vulnerable package is running in production, exposed to attacks, processing sensitive data, or running with privileged access.
- Take advantage of guided remediation: See which layers are impacted, get suggestions specific to each image, and take action on vulnerability lifecycle management.
- Implement automation and integrations: Automate the creation of Jira tickets and implement SLAs. Use Datadog’s public API to export vulnerabilities, coverage, and SBOMs.
- Explore reports: View and monitor vulnerability data in your dashboards.
Deployment methods
Get started with CSM Vulnerabilities and cover your infrastructure in minutes, using:
You can also combine both deployment methods: use the unified Datadog Agent where you already have it deployed, and Agentless everywhere else.
After you’ve enabled it, Datadog starts scanning your resources continuously, and starts reporting prioritized vulnerabilities in your CSM Vulnerability Explorer within an hour.
Use these tables to decide which solution to start with:
Feature | Agentless | Unified Datadog Agent |
---|---|---|
Time to deploy across your infrastructure | Minutes | Hours to weeks |
Vulnerability prioritization | Yes | Yes, with runtime context |
Vulnerability scanning frequency | 12 hours | Real-time |

Vulnerability detection scope | Agentless | Unified Datadog Agent |
---|---|---|
Host and host image | OS packages and app packages, mapped to image | OS packages |
Container image | OS packages and app packages, mapped to image | OS packages |
Cloud provider | AWS, Azure (Preview) | AWS, Azure, GCP, on-prem, etc. |
Operating system | Linux | Linux, Windows |
Serverless | AWS Lambda | Not applicable |
Container registries | Amazon ECR (Preview) | Not applicable |
For more information on compatibility, see CSM Vulnerabilities Hosts and Containers Compatibility. If you need any assistance, see the troubleshooting guide, or reach out to support@datadoghq.com.
The CSM Vulnerabilities Explorer helps you investigate vulnerabilities detected across your container images, host images, running hosts, and serverless functions using filtering and grouping capabilities.
Focus on exploitable vulnerabilities first, using the Datadog Severity Score, which combines the base CVSS score with risk factors such as sensitive data, environment sensitivity, exposure to attacks, exploit availability, and threat intelligence sources.
For vulnerabilities with available fixes, the Explorer provides guided remediation steps to assist Dev and Ops teams in resolving issues more quickly and effectively. You can also triage, mute, comment, and assign vulnerabilities to manage their lifecycle.
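The following added example illustrates the prioritization idea behind both the "Prioritize exploitable vulnerabilities" capability and the Datadog Severity Score described above: a base CVSS score adjusted by threat intelligence (CISA KEV, EPSS, public exploit availability) and by runtime context (running in production, exposure, sensitive data, privileged access). It is constructed for this page and is not Datadog's actual scoring formula; the `Finding` fields, the weights, and the placeholder CVE identifiers are all assumptions.

```python
from dataclasses import dataclass

# Added, constructed example: an illustrative prioritization model in the
# spirit of what the page describes (CVSS base score adjusted by CISA KEV,
# EPSS, public exploit availability and runtime context). The weights and the
# Finding fields are assumptions; this is not Datadog's actual formula.


@dataclass
class Finding:
    cve: str
    cvss_base: float                 # CVSS base score, 0.0 to 10.0
    epss: float = 0.0                # EPSS probability, 0.0 to 1.0
    in_kev: bool = False             # listed in the CISA KEV catalog
    public_exploit: bool = False     # a public exploit exists
    running: bool = False            # vulnerable package observed running in production
    internet_exposed: bool = False   # workload is reachable from the internet
    sensitive_data: bool = False     # workload processes sensitive data
    privileged: bool = False         # workload runs with privileged access


def severity_score(f: Finding) -> float:
    """Adjust the CVSS base score with threat intel and runtime context.

    Weights are illustrative assumptions. The result is clamped to [0, 10].
    """
    score = f.cvss_base
    # Threat intelligence: known exploitation (KEV) weighs more than a merely
    # available public exploit, so only the stronger signal is applied.
    if f.in_kev:
        score += 1.5
    elif f.public_exploit:
        score += 1.0
    score += f.epss  # up to +1.0 for a near-certain exploitation probability
    # Runtime context: a package that is not executing in production is less
    # urgent; exposure, sensitive data and privilege each raise the priority.
    if not f.running:
        score -= 2.0
    else:
        score += 0.5 * sum((f.internet_exposed, f.sensitive_data, f.privileged))
    return round(max(0.0, min(10.0, score)), 1)


def severity_label(score: float) -> str:
    """Bucket a score into the usual four severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (cve, score, label) tuples, most urgent first."""
    scored = []
    for f in findings:
        score = severity_score(f)
        scored.append((f.cve, score, severity_label(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings (the CVE identifiers are placeholders, not real CVEs).
SAMPLE_FINDINGS = [
    # Critical on paper, but the package is not observed running anywhere.
    Finding("CVE-EXAMPLE-0001", cvss_base=9.8, epss=0.02),
    # Moderate base score, but actively exploited and internet exposed.
    Finding("CVE-EXAMPLE-0002", cvss_base=7.5, epss=0.9, in_kev=True,
            running=True, internet_exposed=True),
    # Medium base score, public exploit, running with privileged access.
    Finding("CVE-EXAMPLE-0003", cvss_base=5.3, epss=0.1, public_exploit=True,
            running=True, privileged=True),
]

if __name__ == "__main__":
    for cve, score, label in prioritize(SAMPLE_FINDINGS):
        print(f"{cve}: {score} ({label})")
```

Running the block ranks the actively exploited, exposed finding (CVE-EXAMPLE-0002) above the higher-CVSS finding that is not running anywhere, which is the point of adding runtime context to a static score.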
Automation and Jira integration
Make CSM Vulnerabilities part of your daily workflow by setting up security notification rules and automation pipelines (in Preview):
- Get alerted upon detection of an exploitable vulnerability for your scope
- Automatically create Jira tickets
- Configure SLAs to remediate vulnerabilities
Tracking and reporting
Use the out-of-the-box CSM Vulnerabilities dashboard to track and report progress to stakeholders. Clone and modify it as needed to fit your unique needs.
Explore infrastructure packages
The Infrastructure Packages Catalog provides a real-time inventory of all packages across hosts, host images, and container images deployed in your infrastructure. It offers an interface you can use to investigate your SBOMs, enriched with vulnerability and runtime context.
Quickly assess the impact of a critical emerging vulnerability by searching for affected package versions and identifying all of the resources that use it.
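As an added example of the impact assessment described above (not code from Datadog or from the Packages Catalog), the following block searches a set of exported SBOMs for every resource that carries a package version inside an affected range. The SBOM documents are CycloneDX-shaped JSON constructed for this example, and the resource names, the package `examplelib`, and the affected range are placeholders, not a real inventory or advisory.

```python
import json

# Added, constructed example: searching SBOMs for resources that carry an
# affected package version, the kind of impact assessment the page describes
# for an emerging vulnerability. The SBOM documents below are CycloneDX-shaped
# JSON written for this example; the resource names, package name and affected
# range are placeholders, not real inventory or a real advisory.

SBOM_DOCUMENTS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": "web-01"}},
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.3.0"},
            {"type": "library", "name": "othertool", "version": "2.0.1"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "container", "name": "registry.example.com/api:1.2"}},
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.4.2"},  # already fixed
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "container", "name": "registry.example.com/worker:3.1"}},
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.0.0"},  # first affected version
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "device", "name": "db-01"}},
        "components": [
            {"type": "library", "name": "othertool", "version": "2.0.1"},
        ],
    }),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain dotted-numeric version such as "1.4.2" into a tuple.

    Assumption: only plain dotted numerics are handled. Real OS package
    versions (epochs, release suffixes such as "1.2.3-1ubuntu0.1") need a
    distribution-aware comparison; this is a deliberate simplification.
    """
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, compared numerically per segment."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_affected_resources(sbom_documents, package: str, introduced: str, fixed: str):
    """Return sorted (resource name, installed version) pairs for every SBOM
    whose component list contains `package` at an affected version."""
    hits = []
    for doc in sbom_documents:
        bom = json.loads(doc)
        resource = bom["metadata"]["component"]["name"]
        for component in bom.get("components", []):
            if component["name"] == package and is_affected(component["version"], introduced, fixed):
                hits.append((resource, component["version"]))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed advisory: examplelib versions >= 1.0.0 and < 1.4.2 are affected.
    for resource, version in find_affected_resources(SBOM_DOCUMENTS, "examplelib", "1.0.0", "1.4.2"):
        print(f"{resource}: examplelib {version}")
```

The numeric tuple comparison matters: a lexicographic string comparison would wrongly place `1.10.0` before `1.4.2`, and the range check treats the `fixed` version itself as not affected, which is the usual convention for "fixed in" advisories.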
Video walkthrough
The following video provides an overview of how to enable and use CSM Vulnerabilities: