Before setting up Runtime Code Analysis (IAST), ensure the following prerequisites are met:
Datadog Agent Installation: The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
Datadog APM Configuration: Datadog APM is configured for your application or service, and web traces (type:web) are being received by Datadog.
Supported Tracing Library: The Datadog Tracing Library used by your application or service supports Runtime Code Analysis (IAST) capabilities for the language of your application or service. For more details, see the Compatibility Requirements section below.
Select your application language for details on how to enable Runtime Code Analysis (IAST) for your language and infrastructure types.
Java
You can detect code-level vulnerabilities and monitor application security in Java applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
Follow these steps to enable Runtime Code Analysis (IAST) in your service:
Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.
Add the DD_IAST_ENABLED=true environment variable to your application configuration.
.NET
You can detect code-level vulnerabilities and monitor application security in .NET applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
Follow these steps to enable Runtime Code Analysis (IAST) in your service:
Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.
Add the DD_IAST_ENABLED=true environment variable to your application configuration. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start-up script:
Run the following PowerShell command as administrator to configure the necessary environment variables in the registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and restart IIS.
$target=[System.EnvironmentVariableTarget]::Machine
[System.Environment]::SetEnvironmentVariable("DD_IAST_ENABLED","true",$target)
net stop was /y
net start w3svc
Node.js
You can detect code-level vulnerabilities and monitor application security in Node.js applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
Follow these steps to enable Runtime Code Analysis (IAST) in your service:
Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.
Add the DD_IAST_ENABLED=true environment variable to your application configuration.
If you initialize the APM library on the command line using the --require option to Node.js:
node --require dd-trace/init app.js
Then use environment variables to enable Runtime Code Analysis (IAST):
DD_IAST_ENABLED=true node app.js
How you do this varies depending on where your service runs:
Python
You can detect code-level vulnerabilities and monitor application security in Python applications running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
NOTE: Runtime Code Analysis (IAST) in Python is in Preview.
Follow these steps to enable Runtime Code Analysis (IAST) in your service:
Update your Datadog Tracing Library to at least the minimum version needed to turn on Runtime Code Analysis (IAST). For details, see the Compatibility Requirements below.
Add the DD_IAST_ENABLED=true environment variable to your application configuration.
From the command line:
DD_IAST_ENABLED=true ddtrace-run python app.py
Or one of the following methods, depending on where your application runs:
Runtime Code Analysis (IAST) modifies Python code at runtime. This could cause conflicts with other third-party Python libraries that perform similar code transformations, particularly with the following, though not limited to them:
Numba
JAX
TorchScript
TensorFlow
Bytecode
Codetransformer
PyPy
Additionally, Runtime Code Analysis (IAST) does not correctly propagate taint ranges over native (compiled) code. Therefore, if your codebase heavily relies on modules written in C or C++, using the CPython API, or on intermediate language systems like Cython, the results might be less accurate than expected.
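A pre-deployment check for the limitations above, as an added example that is not part of Datadog's documentation or libraries: it scans a requirements file for the listed libraries and for Cython, and checks the interpreter. The sample requirements file is constructed, and matching on exact distribution names (with TorchScript mapped to `torch`) is an assumption of this example.

```python
import platform
import re

# Distributions for the libraries the page lists as conflicting.
# TorchScript ships inside the "torch" distribution (torch.jit).
CONFLICTING = {
    "numba": "Numba", "jax": "JAX", "torch": "TorchScript",
    "tensorflow": "TensorFlow", "bytecode": "Bytecode",
    "codetransformer": "Codetransformer",
}

# Constructed sample requirements file, not taken from a real project.
SAMPLE_REQUIREMENTS = """\
ddtrace
Flask==3.0.0
numba>=0.59        # JIT for the pricing model
TensorFlow==2.15.0
torchvision==0.17.0
Cython==3.0.8
-r base.txt
"""

def requirement_name(line):
    """Return the PEP 503-normalized distribution name of one line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):  # blank, comment, or pip option (-r, -e)
        return None
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return re.sub(r"[-_.]+", "-", match.group(0)).lower() if match else None

def iast_python_risks(requirements_text, implementation=None):
    """List reasons IAST may conflict or be less accurate for this service."""
    implementation = implementation or platform.python_implementation()
    findings = []
    if implementation == "PyPy":
        findings.append("conflict: PyPy interpreter")
    for line in requirements_text.splitlines():
        name = requirement_name(line)
        if name in CONFLICTING:
            findings.append(f"conflict: {CONFLICTING[name]} ({name})")
        elif name == "cython":
            findings.append("accuracy: Cython modules are compiled; taint is not propagated through them")
    return findings

if __name__ == "__main__":
    for finding in iast_python_risks(SAMPLE_REQUIREMENTS):
        print(finding)
```

Variant distributions of the same library are not matched by the exact-name lookup; add them to `CONFLICTING` if your services use them.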
The following code security capabilities are supported relative to each language’s tracing library:
| Code Security capability | Java | .NET | Node.js | Python | Go | Ruby | PHP |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Runtime Software Composition Analysis (SCA) | 1.1.4 | 2.16.0 | 4.0.0 | 1.5.0 | 1.49.0 | 1.11.0 | 0.90.0 |
| Runtime Code Analysis (IAST) | 1.15.0 | 2.42.0 | 4.18.0 | Preview | not supported | not supported | not supported |
Note: Static Software Composition Analysis (SCA) and Static Code Analysis (SAST) capabilities do not require Datadog’s tracing library. Therefore, the requirements listed below do not apply to these two Code Security capabilities.
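An added example (not Datadog's code) that applies the table above to a service inventory: it reports where DD_IAST_ENABLED is set but the tracer is older than the listed minimum, or the language is not supported. The inventory and the language keys `dotnet` and `nodejs` are constructed for illustration, and only the value `true` shown on this page is treated as enabling the feature.

```python
# Minimum tracer versions for Runtime Code Analysis (IAST), from the table above.
IAST_MIN_VERSION = {"java": (1, 15, 0), "dotnet": (2, 42, 0), "nodejs": (4, 18, 0)}
IAST_PREVIEW = {"python"}                 # table says "Preview", no version
IAST_UNSUPPORTED = {"go", "ruby", "php"}  # table says "not supported"

# Constructed inventory: (service, language, tracer version, environment).
INVENTORY = [
    ("checkout", "java", "1.14.0", {"DD_IAST_ENABLED": "true"}),
    ("billing", "dotnet", "2.42.0", {"DD_IAST_ENABLED": "true"}),
    ("web", "nodejs", "4.20.1", {}),
    ("ml-api", "python", "2.9.0", {"DD_IAST_ENABLED": "true"}),
    ("edge", "go", "1.60.0", {"DD_IAST_ENABLED": "true"}),
]

def parse_version(text):
    """'v1.15' -> (1, 15, 0). A pre-release or build suffix is ignored (assumption)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def iast_status(language, tracer_version, env):
    """Classify one service: does setting DD_IAST_ENABLED give it IAST coverage?"""
    lang = language.lower()
    enabled = env.get("DD_IAST_ENABLED", "").strip().lower() == "true"
    if lang in IAST_UNSUPPORTED:
        return f"misconfigured: IAST not supported for {lang}" if enabled else "not supported"
    if not enabled:
        return "disabled"
    if lang in IAST_PREVIEW:
        return "enabled (preview)"
    minimum = IAST_MIN_VERSION.get(lang)
    if minimum is None:
        return "unknown language"
    if parse_version(tracer_version) < minimum:
        return "upgrade tracer to >= " + ".".join(map(str, minimum))
    return "enabled"

def audit(inventory):
    """Map each service name to its IAST status."""
    return {name: iast_status(lang, ver, env) for name, lang, ver, env in inventory}

if __name__ == "__main__":
    for service, status in audit(INVENTORY).items():
        print(f"{service}: {status}")
```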
Select your application language for details about framework compatibility and feature support.
Runtime Software Composition Analysis (SCA) is supported on all frameworks
If Runtime Code Analysis (IAST) does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities.
| Framework | Versions | Runtime Code Analysis (IAST) |
| --- | --- | --- |
| Grizzly | 2.0+ | |
| Glassfish | | |
| Java Servlet | 2.3+, 3.0+ | |
| Jetty | 7.0-9.x, 10.x | |
| Spring Boot | 1.5 | |
| Spring Web (MVC) | 4.0+ | |
| Spring WebFlux | 5.0+ | |
| Tomcat | 5.5+ | |
| Vert.x | 3.4-3.9.x | |
Note: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty.
Runtime Software Composition Analysis (SCA) is supported on all frameworks
If Runtime Code Analysis (IAST) does not support your framework, it continues to detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities.
Runtime Software Composition Analysis (SCA) is supported on all frameworks
If your framework is not supported below, Runtime Code Analysis (IAST) won’t detect SQL Injection vulnerabilities, but it continues to detect the remaining vulnerability types listed here.
When the Node.js project drops support for an LTS major release line (when it goes End of Life), support for it is dropped in the next major version of dd-trace.
The last major supporting release line of dd-trace library supports that EOL version of Node.js for at least another year on a maintenance mode basis.
Some issues cannot be solved in dd-trace and instead must be solved in Node.js. When this happens and the Node.js release in question is EOL, it’s not possible to solve the issue without moving to another non-EOL release.
Datadog does not make new releases of dd-trace to provide specific support for non-LTS Node.js major release lines (odd numbered versions).
For the best level of support, always run the latest LTS release of Node.js, and the latest major version of dd-trace. Whatever release line of Node.js you use, also use the latest version of Node.js on that release line, to ensure you have the latest security fixes.
The following operating systems are officially supported by dd-trace. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported.
Runtime Software Composition Analysis (SCA) is supported on all frameworks
If your framework is not listed below, Runtime Code Analysis (IAST) continues to detect Weak Cipher, Weak Hashing, Weak Randomness, Insecure Cookie, Cookie without HttpOnly Flag, Cookie without SameSite Flag, HSTS Header Missing, and X-Content-Type-Options Header Missing vulnerabilities.
| Framework | Versions | Runtime Code Analysis (IAST) |
| --- | --- | --- |
| express | >=4 | |
| nextjs | >=11.1 | |
If you would like to see support added for any of the unsupported capabilities or for your Node.js framework, let us know! Fill out this short form to send details.
The Python Application Security Client library follows a versioning policy that specifies the support level for the different versions of the library and Python runtime.
Runtime Software Composition Analysis (SCA) is supported on all frameworks.
The Python library supports the database API specifications and supports all generic SQL databases. This includes databases such as SQLite, MySQL, Postgres, and MariaDB.