このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
You can monitor App and API Protection for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
前提条件
Enabling threat detection
Get started
Update your Datadog Node.js library package to at least version 5.0.0 (for Node 18+) or 4.0.0 (for Node 16+) or 3.10.0 (for Node.js 14+), by running one of these commands:
npm install dd-trace@^5
npm install dd-trace@^4
npm install dd-trace@^3.10.0
Use this migration guide to assess any breaking changes if you upgraded your library.
App and API Protection is compatible with Express v4+ and Node.js v14+. For additional information, see Compatibility.
Where you import and initialize the Node.js library for APM, also enable AAP. This might be either in your code or with environment variables. If you initialized APM in code, add {appsec: true} to your init statement:
// This line must come before importing any instrumented module.
const tracer = require('dd-trace').init({
appsec: true
})
For TypeScript and bundlers that support EcmaScript Module syntax, initialize the tracer in a separate file in order to maintain correct load order.
// server.ts
import './tracer'; // must come before importing any instrumented module.
// tracer.ts
import tracer from 'dd-trace';
tracer.init({
appsec: true
}); // initialized in a different file to avoid hoisting.
export default tracer;
If the default config is sufficient, or all configuration is done through environment variables, you can also use dd-trace/init, which loads and initializes in one step.
Or if you initialize the APM library on the command line using the --require option to Node.js:
node --require dd-trace/init app.js
Then use environment variables to enable AAP:
DD_APPSEC_ENABLED=true node app.js
How you do this varies depending on where your service runs:
Update your configuration container for APM by adding the following argument in your docker run command:
docker run [...] -e DD_APPSEC_ENABLED=true [...]
Add the following environment variable value to your container Dockerfile:
ENV DD_APPSEC_ENABLED=true
Update your configuration yaml file container for APM and add the AppSec env variable:
spec:
template:
spec:
containers:
- name: <CONTAINER_NAME>
image: <CONTAINER_IMAGE>/<TAG>
env:
- name: DD_APPSEC_ENABLED
value: "true"
Update your ECS task definition JSON file, by adding this in the environment section:
"environment": [
...,
{
"name": "DD_APPSEC_ENABLED",
"value": "true"
}
]
Initialize AAP in your code or set DD_APPSEC_ENABLED environment variable to true in your service invocation:
DD_APPSEC_ENABLED=true node app.js
この構成が完了すると、ライブラリは、アプリケーションからセキュリティデータを収集し、Agent に送信します。Agent は、そのデータを Datadog に送信し、すぐに使える検出ルールによって、攻撃者のテクニックや潜在的な誤構成にフラグが立てられるため、是正措置を講じることができます。
Application Security Management の脅威検出の動作を見るには、既知の攻撃パターンをアプリケーションに送信してください。例えば、次の curl スクリプトを含むファイルを実行して、Security Scanner Detected ルールをトリガーします。
for ((i=1;i<=250;i++));
do
# Target existing service’s routes
curl https://your-application-url/existing-route -A dd-test-scanner-log;
# Target non existing service’s routes
curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
done
注: dd-test-scanner-log の値は、最新のリリースでサポートされています。
アプリケーションを有効にして実行すると、数分後に Application Signals Explorer に脅威情報が表示され、Vulnerability Explorer に脆弱性情報が表示されます**。
If you need additional assistance, contact Datadog support.
Using AAP without APM tracing
If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:
- Configure your tracing library with the
DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable. - This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.
For more details, see [Standalone App and API Protection][standalone_billing_guide].
[standalone_billing_guide]: /security/application_security/guide/standalone_application_security/
Further Reading
