Overview

Datadog Software Composition Analysis (SCA) continuously monitors your production environment for vulnerabilities in the open source libraries your applications rely on. You can identify and prioritize the remediation of the highest vulnerabilities by business impact.

This guide walks you through best practices for getting your team up and running with SCA.

Phase 1: Enable

First, see the Library Compatibility requirements page to verify if the Datadog Tracing Library used by your application or service supports the Software Composition Analysis (SCA) capability for your application’s or service’s programming language.

Enable SCA on your services using the Quick Start Guide

  1. In Datadog, go to Application Security > Settings > Quick Start Guide.

  2. Expand Enable Vulnerability Detection, select Open source vulnerabilities, and click Start Activation. A list of services appears.

  3. Select the service(s) you want to monitor for vulnerabilities, then click Next. The number of selected services and their names are listed.

  4. Click Enable for Selected Service(s) to complete the activation of Software Composition Analysis (SCA) for the chosen service(s).

Enable SCA on your repositories and services using the Settings page

  1. In Datadog, go to Application Security > Settings.
  2. Click Get Started to expand the Software Composition Analysis (SCA) capability.

Enable SCA on GitHub repositories

  1. Click Select Repositories on your desired GitHub account and toggle Enable Software Composition Analysis (SCA) to enable for all repositories. If you do not see any GitHub accounts listed, create a new GitHub App to get started.
enable SCA for all repositories

Optionally, you can select specific GitHub repositories to enable SCA by clicking the toggle for each repository.

enable SCA for all repositories

Enable SCA on services

  1. Click Select Services. A list of services should appear.
  2. Select the service(s) you want to monitor for vulnerabilities, then click Next. You should see the number of selected services and their names.
  3. Click Enable for Selected Service(s) to complete the activation of Software Composition Analysis (SCA) for the chosen service(s).

Phase 2: Identify

  1. Identify Vulnerabilities: Navigate to Vulnerabilities.

    • Sort by Status, Vulnerability Source, and Severity.
    • To switch to the code repository commit point of view, click on the static button. To switch to the real-time point of view to the applications already running, click on the runtime button.
    Software Composition Analysis (SCA) explorer page showing vulnerabilities sorted by static or runtime.

    Each vulnerability has its own status to help prioritize and manage findings:

    StatusDescription
    OpenThe vulnerability has been detected by Datadog.
    In ProgressA user has marked the vulnerability as In Progress, but Datadog still detects it.
    MutedA user has ignored the vulnerability, making it no longer visible on the Open list, but Datadog still detects it.
    RemediatedA user has marked the vulnerability as resolved, but Datadog still sees the vulnerability.
    Auto-ClosedThe vulnerability is no longer detected by Datadog.

    Note: Remediated and Auto-Closed vulnerabilities re-open if the vulnerability is detected again by Datadog.

  2. View additional details by clicking on the vulnerability. This opens a panel which includes information about:

    • Which services are affected.

    • The date on which the vulnerability was last detected.

    • A description of the vulnerability.

    • Recommended remediation steps.

    • Vulnerability score.

      Application Vulnerability Management detailed view of the vulnerability.

      Note: The severity of a vulnerability within SCA is modified from the base score to take into account the presence of attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

      The adjusted vulnerability score includes the full context of each service:

      • The original vulnerability severity.
      • Evidence of suspicious requests.
      • Sensitive or internet-exposed environments.

      Severities are scored by the following:

      CVSS ScoreQualitative Rating
      0.0None
      0.1 - 3.9Low
      4.0 - 6.9Medium
      7.0 – 8.9High
      9.0 – 10.0Critical
  3. Optionally, download the library inventory (list of libraries and versions in CycloneDX format) for your service. While viewing the details of a vulnerability, click View in Service Catalog. From here you can navigate to the Security view of your service, and download the library inventory under the libraries tab.

Phase 3: Remediate

  1. Prioritize Response and Remediate: While on the Vulnerability Explorer, take action:

    • Change the status of a vulnerability.
    • Assign it to a team member for further review.
    • Create a Jira issue. To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.
    • Review recommended remediation steps.
    • View links and information sources to understand the context behind each vulnerability.

    Note: Adding an assignee to the vulnerability does not generate a notification regarding the assignment. This action only lists their name as an annotation of the vulnerability.

    Application Vulnerability Management recommended remediation steps of the vulnerability.

Further reading

PREVIEWING: rtrieu/product-analytics-ui-changes