Container Images View

Overview

The container images view in Datadog provides key insights into every image used in your environment to help you assess their deployment footprint. It also detects and remediates security and performance issues that can affect multiple containers. You can view container image details alongside the rest of your container data to troubleshoot image issues affecting infrastructure health. Additionally, you can view vulnerabilities found in your container images from Cloud Security Management (CSM) to help you streamline your security efforts.

The container images view highlighting vulnerabilities and container column sort feature

The container image trends view provides high-level insights across all of your images in your containerized infrastructure. Container image trends metrics can help you answer key questions about your security posture and deployment footprint over the span of weeks and months.

The container images trends view highlighting image size, image age, vulnerabilities and running container count metrics

Configure container images view

Images on the container images view are collected from several different sources (Live Containers, Image Collection, and Amazon ECR). The following instructions describe how to enable images from each of these sources.

Live Containers

To enable live container collection, see the containers documentation. It provides information on enabling the Process Agent, and excluding and including containers.

Image collection

Datadog collects container image metadata to provide enhanced debugging context for related containers and Cloud Security Management (CSM) vulnerabilities.

Enable container image collection

In Datadog Operator v1.3.0+, image collection is enabled by default. If you are using an older version of the Datadog Operator, Datadog recommends that you update it to v1.3.0+.

In the Datadog Helm chart v3.46.0+, image collection is enabled by default. To verify this, or if you are using an earlier Helm chart version, ensure that datadog.containerImageCollection.enabled is set to true in datadog-values.yaml.

datadog:
  containerImageCollection:
    enabled: true

To enable container image collection on your ECS EC2 instances, add the following environment variables to your datadog-agent container definition:

{
    "containerDefinitions": [
        {
            "name": "datadog-agent",
             ...
            "environment": [
              ...
              {
                "name": "DD_CONTAINER_IMAGE_ENABLED",
                "value": "true"
              }
            ]
        }
    ]
  ...
}

Add the following to your datadog.yaml configuration file:

container_image:
  enabled: true

Enable SBOM collection

The following instructions turn on Software Bill of Materials (SBOM) collection for CSM Vulnerabilities. SBOM collection enables automatic detection of container image vulnerabilities. Vulnerabilities are evaluated and scanned against your containers every hour. Vulnerability management for container images is included in CSM Pro and Enterprise plans.

Note: The CSM Vulnerabilities feature is not available for AWS Fargate or Windows environments.

Add the following to the spec section of your datadog-agent.yaml file:

apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    # ...
    sbom:
      enabled: true
      containerImage:
        enabled: true

Add the following to your datadog-values.yaml Helm configuration file:

datadog:
  sbom:
    containerImage:
      enabled: true

To enable container image vulnerability scanning on your ECS EC2 instances, add the following environment variables to your datadog-agent container definition:

{
    "containerDefinitions": [
        {
            "name": "datadog-agent",
             ...
            "environment": [
              ...
              {
                "name": "DD_SBOM_ENABLED",
                "value": "true"
              },
              {
                "name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
                "value": "true"
              }
            ]
        }
    ]
  ...
}

If the Agent fails to extract the SBOM from the container image, increase the Agent memory in the container definition:

{
    "containerDefinitions": [
        {
            "name": "datadog-agent",
            "memory": 256,
            ...
        }
     ]
    ...
}

Add the following to your datadog.yaml configuration file:

sbom:
  enabled: true
  container_image:
    enabled: true

Container registries

Amazon Elastic Container Registry (Amazon ECR)

Set up the AWS integration to begin crawling Container Image metadata from Amazon ECR.

Use the container image trends configuration modal and toggle Enable Container Image Metric Collection to turn on image metric generation.

Image metrics are collected from the Live Containers and Image Check sources. Follow the same instructions as above to ensure that these collections are enabled across your entire infrastructure and take full advantage of the trends view.

The container images trends configuration modal

Container image tagging

Tag and enrich your container images with arbitrary tags by using extract labels as tags configuration on the Agent. These tags are then picked by the Container Image check.

Further reading

PREVIEWING: may/unit-testing