Cloud Security Management Vulnerabilities

Overview

Cloud Security Management Vulnerabilities (CSM Vulnerabilities) helps you proactively secure your cloud infrastructure by detecting, prioritizing, and managing vulnerabilities across your container images and hosts. It leverages deep observability context and industry insights to help you remediate vulnerabilities that are most important to you at a given point in time.

Note: If you’re looking for vulnerability management for your application libraries and custom application code, see Software Composition Analysis.

Explore vulnerabilities

The Vulnerabilities Explorer shows a complete list of the vulnerabilities detected across your infrastructure, ordered by severity, with grouping, filtering, and triaging capabilities so you can investigate, assign, and remediate problems.

The CSM Vulnerability page sorting by unique vulnerabilities with side panel

Select a specific vulnerability to see its details, including which containers and hosts are affected, severity breakdown score, and recommended remediation steps. The severity of a vulnerability is modified from the base score to take into account the following:

  • Whether the underlying infrastructure is running and how widespread the impact is.
  • The environment in which the underlying infrastructure is running. For example, if the environment is not production, the severity is downgraded.
  • Whether there is an active exploit for the vulnerability, according to sources such as the CISA KEV catalog.

Details of a specific vulnerability, highlighting next steps and severity breakdown
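The adjustment described above can be illustrated with a small prioritisation routine. This is an added example, not Datadog's scoring code: the numeric modifiers (how much a non-running resource, a non-production environment, or a KEV listing moves the score) are assumed for illustration only, and the findings and their identifiers are constructed.

```python
"""Illustrative vulnerability prioritisation.

Adjusts a CVSS-style base score using runtime, environment and
known-exploitation context, then orders findings by the result.
The weights are ASSUMED for this example; the page does not publish them.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    advisory: str       # constructed placeholder id, not a real advisory
    base_score: float   # CVSS-style base score, 0.0 - 10.0
    running: bool       # is any affected host/container image running?
    instances: int      # number of running resources affected
    env: str            # environment tag, e.g. "production", "staging"
    in_kev: bool        # listed in an active-exploitation catalog (e.g. CISA KEV)


def adjusted_score(f: Finding) -> float:
    """Return the context-adjusted score, clamped to the 0-10 range."""
    score = f.base_score
    if not f.running:
        score -= 3.0          # assumed: nothing running -> strong downgrade
    elif f.instances >= 10:
        score += 1.0          # assumed: widespread impact -> upgrade
    if f.env != "production":
        score -= 2.0          # non-production is downgraded (as on the page)
    if f.in_kev:
        score += 2.0          # assumed: known exploitation -> upgrade
    return max(0.0, min(10.0, round(score, 1)))


def severity(score: float) -> str:
    """Map a score to the usual CVSS v3 qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def prioritise(findings):
    """Return (advisory, adjusted score, band) tuples, most urgent first."""
    scored = [(f.advisory, adjusted_score(f), severity(adjusted_score(f))) for f in findings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample findings.
SAMPLE = [
    Finding("EXAMPLE-ADV-0001", 9.8, running=True, instances=12, env="production", in_kev=True),
    Finding("EXAMPLE-ADV-0002", 9.8, running=False, instances=0, env="production", in_kev=False),
    Finding("EXAMPLE-ADV-0003", 7.5, running=True, instances=2, env="staging", in_kev=True),
    Finding("EXAMPLE-ADV-0004", 5.0, running=True, instances=30, env="production", in_kev=False),
]

if __name__ == "__main__":
    for advisory, score, band in prioritise(SAMPLE):
        print(f"{advisory}  {score:>4}  {band}")
```

Note how two findings with the same base score (9.8) end up far apart once runtime state and exploitation evidence are applied, which is the point of adjusting rather than sorting on the base score alone.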

You can also view vulnerabilities in your container images on the container images page. Sort by source, image tag, repo digest, and more. View additional details about any vulnerability by clicking the container image and reviewing the Vulnerabilities tab.

The Container Images tab highlighting vulnerabilities and container column sort feature

On the details explorer, you can also view impacted resources in CSM to gain better insight into your overall risk.

The Container Images side panel details on the vulnerabilities tab

All vulnerabilities include a collection of links and references to websites or information sources that help you understand the context behind each vulnerability.

Triage and remediate

The Vulnerabilities Explorer also offers triaging options for detected vulnerabilities that enable you to change the status of a vulnerability, and assign it to individual members for remediation and tracking.

Note: To help you focus on the vulnerabilities that truly matter, vulnerabilities are automatically closed for infrastructure that is either no longer running or that now contains the fixed version of the previously vulnerable package.

Details explorer of a specific vulnerability highlighting the ability to remediate and assign to team member

Explore infrastructure packages

The Infrastructure Packages Catalog provides a real-time inventory of all packages across hosts, host images, and container images deployed in your infrastructure. It offers an interface you can use to investigate your SBOMs, enriched with vulnerability and runtime context.

Quickly assess the impact of a critical emerging vulnerability by searching for affected package versions and identifying all of the resources that use it.

The inventory of packages deployed in the infrastructure with vulnerability context and pivot to resources using them
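The package search described above, together with the auto-close rule from the Triage and remediate section, can be illustrated with a small inventory query. This is an added example and not Datadog's code: the SBOM-style inventory, the advisory (a placeholder id with an assumed affected range), and the open findings are all constructed, and the version comparison is a simplified dotted-version parser rather than a distribution-aware one.

```python
"""Search a package inventory for a vulnerable version range and decide
which existing findings can be auto-closed.

All data below is constructed for illustration.
"""
import re

# Hypothetical advisory: the package is affected from 3.0.0 up to, but not
# including, the fixed release 3.0.8. The id is a placeholder, not a CVE.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "package": "openssl",
    "ranges": [("3.0.0", "3.0.8")],
}

# Constructed inventory standing in for per-resource SBOMs.
INVENTORY = [
    {"resource": "web-api:2.4.1", "kind": "container_image", "running": True,
     "packages": {"openssl": "3.0.7", "zlib": "1.2.13"}},
    {"resource": "batch-worker:1.9.0", "kind": "container_image", "running": False,
     "packages": {"openssl": "3.0.7"}},
    {"resource": "ip-10-0-1-12", "kind": "host", "running": True,
     "packages": {"openssl": "3.0.12", "zlib": "1.2.13"}},
    {"resource": "ip-10-0-1-13", "kind": "host", "running": True,
     "packages": {"openssl": "1.1.1t"}},
]

# Constructed findings raised earlier against this inventory.
OPEN_FINDINGS = [
    {"resource": "web-api:2.4.1", "advisory": "EXAMPLE-ADVISORY-0001"},
    {"resource": "batch-worker:1.9.0", "advisory": "EXAMPLE-ADVISORY-0001"},
    {"resource": "ip-10-0-1-12", "advisory": "EXAMPLE-ADVISORY-0001"},
]


def parse_version(v: str):
    """Split a dotted version into comparable tokens.

    Numeric tokens sort as (1, int) and alphabetic tokens as (0, str), so
    mixed tokens never raise a TypeError on comparison. Simplified: no
    epochs or distro-specific ordering rules.
    """
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in re.split(r"[.\-+]", v))


def in_affected_range(version: str, ranges) -> bool:
    """True if lo <= version < hi for any (lo, hi) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def affected_resources(inventory, advisory):
    """Return (resource, installed version, running) for every hit."""
    hits = []
    for r in inventory:
        ver = r["packages"].get(advisory["package"])
        if ver and in_affected_range(ver, advisory["ranges"]):
            hits.append((r["resource"], ver, r["running"]))
    return hits


def triage_findings(findings, inventory, advisory):
    """Apply the auto-close rule: close when the resource is no longer
    running, or when it no longer carries an affected package version."""
    by_name = {r["resource"]: r for r in inventory}
    status = {}
    for f in findings:
        r = by_name.get(f["resource"])
        if r is None or not r["running"]:
            status[f["resource"]] = "closed: not running"
            continue
        ver = r["packages"].get(advisory["package"])
        if ver is None or not in_affected_range(ver, advisory["ranges"]):
            status[f["resource"]] = "closed: remediated"
        else:
            status[f["resource"]] = "open"
    return status


if __name__ == "__main__":
    for name, ver, running in affected_resources(INVENTORY, ADVISORY):
        print(f"{name}: {ADVISORY['package']} {ver} (running={running})")
    for name, st in triage_findings(OPEN_FINDINGS, INVENTORY, ADVISORY).items():
        print(f"{name}: {st}")
```

The range check matters: the host on the 1.1.1 branch is outside the assumed affected range and is correctly not reported, while the stopped container image is found by the search but its finding is closed because nothing is running it.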

Video walkthrough

The following video provides an overview of how to enable and use CSM Vulnerabilities:
