Overview
The container images view in Datadog provides key insights into every image used in your environment to help you assess their deployment footprint. It also detects and remediates security and performance issues that can affect multiple containers. You can view container image details alongside the rest of your container data to troubleshoot image issues affecting infrastructure health. Additionally, you can view vulnerabilities found in your container images from Cloud Security Management (CSM) to help you streamline your security efforts.
The container image trends view provides high-level insights across all of your images in your containerized infrastructure. Container image trends metrics can help you answer key questions about your security posture and deployment footprint over the span of weeks and months.
Images on the container images view are collected from several different sources (Live Containers, Image Collection, and Amazon ECR). The following instructions describe how to enable images from each of these sources.
Live Containers
To enable live container collection, see the containers documentation. It provides information on enabling the Process Agent, and excluding and including containers.
Image collection
Datadog collects container image metadata to provide enhanced debugging context for related containers and Cloud Security Management (CSM) vulnerabilities.
Enable container image collection
In Datadog Operator v1.3.0+, image collection is enabled by default. If you are using an older version of the Datadog Operator, Datadog recommends that you update it to v1.3.0+.
In the Datadog Helm chart v3.46.0+, image collection is enabled by default. To verify this, or if you are using an earlier Helm chart version, ensure that datadog.containerImageCollection.enabled
is set to true
in datadog-values.yaml
.
datadog:
containerImageCollection:
enabled: true
To enable container image collection on your ECS EC2 instances, add the following environment variables to your datadog-agent
container definition:
{
"containerDefinitions": [
{
"name": "datadog-agent",
...
"environment": [
...
{
"name": "DD_CONTAINER_IMAGE_ENABLED",
"value": "true"
}
]
}
]
...
}
Add the following to your datadog.yaml
configuration file:
container_image:
enabled: true
Enable SBOM collection
The following instructions turn on Software Bill of Materials (SBOM) collection for CSM Vulnerabilities. SBOM collection enables automatic detection of container image vulnerabilities. Vulnerabilities are evaluated and scanned against your containers every hour. Vulnerability management for container images is included in CSM Pro and Enterprise plans.
Note: The CSM Vulnerabilities feature is not available for AWS Fargate or Windows environments.
Add the following to the spec section of your datadog-agent.yaml
file:
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
name: datadog
spec:
features:
# ...
sbom:
enabled: true
containerImage:
enabled: true
Add the following to your datadog-values.yaml
Helm configuration file:
datadog:
sbom:
containerImage:
enabled: true
To enable container image vulnerability scanning on your ECS EC2 instances, add the following environment variables to your datadog-agent
container definition:
{
"containerDefinitions": [
{
"name": "datadog-agent",
...
"environment": [
...
{
"name": "DD_SBOM_ENABLED",
"value": "true"
},
{
"name": "DD_SBOM_CONTAINER_IMAGE_ENABLED",
"value": "true"
}
]
}
]
...
}
If the Agent fails to extract the SBOM from the container image, increase the Agent memory in the container definition:
{
"containerDefinitions": [
{
"name": "datadog-agent",
"memory": 256,
...
}
]
...
}
Add the following to your datadog.yaml
configuration file:
sbom:
enabled: true
container_image:
enabled: true
Container registries
Amazon Elastic Container Registry (Amazon ECR)
Set up the AWS integration to begin crawling Container Image metadata from Amazon ECR.
Use the container image trends configuration modal and toggle Enable Container Image Metric Collection to turn on image metric generation.
Image metrics are collected from the Live Containers and Image Check sources. Follow the same instructions as above to ensure that these collections are enabled across your entire infrastructure and take full advantage of the trends view.
Container image tagging
Tag and enrich your container images with arbitrary tags by using extract labels as tags configuration on the Agent. These tags are then picked by the Container Image check.
Further reading
Additional helpful documentation, links, and articles: