You can monitor application security for Python apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.
Prerequisites
Enabling Code Security
NOTE: Code-Level Vulnerability detection in Python is currently in beta.
If your service runs a tracing library version that supports Vulnerability Management for Code-Level vulnerability detection, enable the capability by setting the DD_IAST_ENABLED=true environment variable and restarting your service.
To detect code-level vulnerabilities for your service:
- Update your Datadog Agent to at least version 7.41.1.
- Update your tracing library to at least the minimum version needed to turn on code-level vulnerability detection. For details, see ASM capabilities support.
- Add the DD_IAST_ENABLED=true environment variable to your application configuration.
From the command line:
    DD_IAST_ENABLED=true ddtrace-run python app.py
Or one of the following methods, depending on where your application runs:
Update your configuration container for APM by adding the following argument in your docker run command:
    docker run [...] -e DD_IAST_ENABLED=true [...]
Add the following environment variable value to your container Dockerfile:
Update your deployment configuration file for APM and add the IAST environment variable:
    spec:
      template:
        spec:
          containers:
            - name: <CONTAINER_NAME>
              image: <CONTAINER_IMAGE>/<TAG>
              env:
                - name: DD_IAST_ENABLED
                  value: "true"
Update your ECS task definition JSON file by adding this entry to the environment section:
    "environment": [
      ...,
      {
        "name": "DD_IAST_ENABLED",
        "value": "true"
      }
    ]
- Restart your service.
- To see Application Vulnerability Management for code-level vulnerabilities in action, browse your service. The code-level vulnerabilities then appear in the Vulnerability Explorer, where the SOURCE column shows the Code value.
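As a pre-deployment check on the configuration steps above, the following added example (not part of Datadog's documentation or tooling) reads an ECS task definition, or a Kubernetes workload manifest exported as JSON, and reports for each container whether DD_IAST_ENABLED is set to the string "true". The function names and both sample documents are constructed for illustration, and only the documented value true is treated as enabled.

```python
import json

VAR = "DD_IAST_ENABLED"

def containers(doc):
    """Yield (name, env list) from an ECS task definition or a Kubernetes workload."""
    if "containerDefinitions" in doc:            # ECS task definition
        for c in doc["containerDefinitions"]:
            yield c.get("name", "?"), c.get("environment") or []
    else:                                        # Kubernetes: spec.template.spec.containers
        pod = doc.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod.get("containers", []):
            yield c.get("name", "?"), c.get("env") or []

def iast_status(doc):
    """Return {container: 'enabled' | 'missing' | 'not-a-string' | 'wrong-value'}."""
    report = {}
    for name, env in containers(doc):
        entry = next((e for e in env if e.get("name") == VAR), None)
        if entry is None:
            report[name] = "missing"             # variable not declared for this container
        elif not isinstance(entry.get("value"), str):
            report[name] = "not-a-string"        # e.g. an unquoted true, or no literal value
        elif entry["value"] == "true":
            report[name] = "enabled"
        else:
            report[name] = "wrong-value"
    return report

# Constructed sample inputs (not taken from a real deployment).
ECS_TASK = json.loads("""
{"family": "web", "containerDefinitions": [
  {"name": "app", "image": "example/app:1",
   "environment": [{"name": "DD_SERVICE", "value": "web"},
                   {"name": "DD_IAST_ENABLED", "value": "true"}]},
  {"name": "worker", "image": "example/worker:1",
   "environment": [{"name": "DD_SERVICE", "value": "worker"}]}]}
""")

K8S_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
  {"name": "api", "image": "example/api:1",
   "env": [{"name": "DD_IAST_ENABLED", "value": true}]}]}}}}
""")

if __name__ == "__main__":
    print(iast_status(ECS_TASK))
    print(iast_status(K8S_DEPLOYMENT))
```

The second sample shows why the Kubernetes snippet quotes "true": both Kubernetes and ECS expect environment values to be strings, so an unquoted boolean is flagged rather than counted as enabled.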
If you need additional assistance, contact Datadog support.