From fe7399a4c4e298f3a62caaa88818b4e43db837e9 Mon Sep 17 00:00:00 2001 From: Cyril Bouchiat Date: Fri, 24 Apr 2026 12:14:36 +0200 Subject: [PATCH 1/3] docs(csm): document application library SBOM scanning for Kubernetes and Linux Add documentation for the languages analyzer introduced in Agent 7.70. Users can opt into scanning application libraries (npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, Bundler, etc.) alongside OS packages by setting analyzers: ["os", "languages"] in their SBOM configuration. Covers: - Kubernetes: Datadog Operator (spec.features.sbom) and Helm (datadog.sbom) - Linux: /etc/datadog-agent/datadog.yaml Both pages include a 7.70+ version note and a supported package manager table covering all 13 ecosystems. Internal reference: https://datadoghq.atlassian.net/wiki/spaces/SAAL/pages/5244553414 --- .../setup/agent/kubernetes.md | 32 ++++++++++++++++++- .../setup/agent/linux.md | 32 +++++++++++++++++-- 2 files changed, 60 insertions(+), 4 deletions(-) diff --git a/content/en/security/cloud_security_management/setup/agent/kubernetes.md b/content/en/security/cloud_security_management/setup/agent/kubernetes.md index a18b769bf07..042377d0dd0 100644 --- a/content/en/security/cloud_security_management/setup/agent/kubernetes.md +++ b/content/en/security/cloud_security_management/setup/agent/kubernetes.md @@ -48,10 +48,14 @@ Use the following instructions to enable Misconfigurations and Vulnerability Man # Enables Container Vulnerability Management containerImage: enabled: true - + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] + # Enables Host Vulnerability Management host: enabled: true + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] ``` 2. Apply the changes and restart the Agent. 
@@ -79,10 +83,14 @@ Use the following instructions to enable Misconfigurations and Vulnerability Man # Enables Container Vulnerability Management containerImage: enabled: true + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] # Enables Host Vulnerability Management host: enabled: true + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] ``` 2. Restart the Agent. @@ -91,6 +99,28 @@ Use the following instructions to enable Misconfigurations and Vulnerability Man {{< /tabs >}} +**Note**: The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by package managers such as npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, and Bundler, in addition to OS packages. When the `analyzers` field is omitted, only OS packages are scanned for container images. See [Supported application library package managers](#supported-application-library-package-managers) for the full list. + +### Supported application library package managers + +The `languages` analyzer covers the following package ecosystems: + +| Ecosystem | Package manager / format | +|-----------|--------------------------| +| Ruby | Bundler, GemSpec | +| Rust | Cargo, Rust binary | +| PHP | Composer | +| Java | Jar, Maven (pom.xml), Gradle lock, Sbt lock | +| JavaScript | npm (package-lock.json), Yarn, pnpm, Node package | +| .NET | NuGet, .NET Core, PackagesProps | +| Python | Python package (egg), pip, Pipenv, Poetry, uv, Conda package, Conda environment | +| Go | Go binary, Go modules | +| C/C++ | Conan lock | +| Swift / Objective-C | CocoaPods, Swift | +| Dart | PubSpec lock | +| Elixir | Mix lock | +| Julia | Julia | + [1]: /security/cloud_security_management/misconfigurations/ [2]: /security/threats [3]: /security/cloud_security_management/vulnerabilities 
diff --git a/content/en/security/cloud_security_management/setup/agent/linux.md b/content/en/security/cloud_security_management/setup/agent/linux.md index 4a7f0df22dc..025069464d8 100644 --- a/content/en/security/cloud_security_management/setup/agent/linux.md +++ b/content/en/security/cloud_security_management/setup/agent/linux.md @@ -37,9 +37,13 @@ sbom: # Set to true to enable Container Vulnerability Management container_image: enabled: true - # Set to true to enable Host Vulnerability Management + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] + # Set to true to enable Host Vulnerability Management host: enabled: true + # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) + analyzers: ["os", "languages"] {{< /code-block >}} {{< code-block lang="bash" filename="/etc/datadog-agent/security-agent.yaml" disable_copy="false" collapsible="true" >}} 
@@ -52,7 +56,29 @@ compliance_config: enabled: true {{< /code-block >}} -**Notes**: +**Note**: The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by package managers such as npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, and Bundler, in addition to OS packages. When the `analyzers` field is omitted, only OS packages are scanned for container images. See [Supported application library package managers](#supported-application-library-package-managers) for the full list. + +### Supported application library package managers + +The `languages` analyzer covers the following package ecosystems: + +| Ecosystem | Package manager / format | +|-----------|--------------------------| +| Ruby | Bundler, GemSpec | +| Rust | Cargo, Rust binary | +| PHP | Composer | +| Java | Jar, Maven (pom.xml), Gradle lock, Sbt lock | +| JavaScript | npm (package-lock.json), Yarn, pnpm, Node package | +| .NET | NuGet, .NET Core, PackagesProps | +| Python | Python package (egg), pip, Pipenv, Poetry, uv, Conda package, Conda environment | +| Go | Go binary, Go modules | +| C/C++ | Conan lock | +| Swift / Objective-C | CocoaPods, Swift | +| Dart | PubSpec lock | +| Elixir | Mix lock | +| Julia | Julia | + +**Notes**: - You can also use the following [Agent install script][5] to automatically enable Misconfigurations and Threat Detection: @@ -73,4 +99,4 @@ sudo chgrp dd-agent /etc/datadog-agent/security-agent.yaml [3]: /security/cloud_security_management/vulnerabilities [4]: /security/cloud_security_management/setup#supported-deployment-types-and-features [5]: /getting_started/agent/#installation -[6]: /agent/?tab=Linux \ No newline at end of file +[6]: /agent/?tab=Linux From 8f1ef9e2a6890362d3bc98ae139184a11ab253d3 Mon Sep 17 00:00:00 2001 
From: cyrbouchiat <119294501+cyrbouchiat@users.noreply.github.com> Date: Tue, 28 Apr 2026 11:12:32 +0200 Subject: [PATCH 2/3] Update content/en/security/cloud_security_management/setup/agent/kubernetes.md Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com> --- .../cloud_security_management/setup/agent/kubernetes.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/en/security/cloud_security_management/setup/agent/kubernetes.md b/content/en/security/cloud_security_management/setup/agent/kubernetes.md index 042377d0dd0..1ef2081a0c9 100644 --- a/content/en/security/cloud_security_management/setup/agent/kubernetes.md +++ b/content/en/security/cloud_security_management/setup/agent/kubernetes.md @@ -99,10 +99,12 @@ Use the following instructions to enable Misconfigurations and Vulnerability Man {{< /tabs >}} -**Note**: The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by package managers such as npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, and Bundler, in addition to OS packages. When the `analyzers` field is omitted, only OS packages are scanned for container images. See [Supported application library package managers](#supported-application-library-package-managers) for the full list. - ### Supported application library package managers +The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by the package managers below, in addition to OS packages. + +When the `analyzers` field is omitted, Datadog only scans OS packages for container images. + The `languages` analyzer covers the following package ecosystems: | Ecosystem | Package manager / format | From f60316a7c5b4a38d4ca8c45adaec343b24f22059 Mon Sep 17 00:00:00 2001 
From: cyrbouchiat <119294501+cyrbouchiat@users.noreply.github.com> Date: Tue, 28 Apr 2026 11:12:39 +0200 Subject: [PATCH 3/3] Update content/en/security/cloud_security_management/setup/agent/linux.md Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com> --- .../security/cloud_security_management/setup/agent/linux.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/en/security/cloud_security_management/setup/agent/linux.md b/content/en/security/cloud_security_management/setup/agent/linux.md index 025069464d8..7ed932aaee6 100644 --- a/content/en/security/cloud_security_management/setup/agent/linux.md +++ b/content/en/security/cloud_security_management/setup/agent/linux.md @@ -56,10 +56,12 @@ compliance_config: enabled: true {{< /code-block >}} -**Note**: The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by package managers such as npm, pip, Maven/Gradle, NuGet, Go modules, Cargo, and Bundler, in addition to OS packages. When the `analyzers` field is omitted, only OS packages are scanned for container images. See [Supported application library package managers](#supported-application-library-package-managers) for the full list. - ### Supported application library package managers +The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by the package managers below, in addition to OS packages. + +When the `analyzers` field is omitted, Datadog only scans OS packages for container images. + The `languages` analyzer covers the following package ecosystems: | Ecosystem | Package manager / format |
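Review bot: In PATCH 1/3, kubernetes.md hunk `@@ -48,10 +48,14 @@` (Operator tab), `analyzers: ["os", "languages"]` is added under `host` as well as `containerImage`, but the only default the patch documents is "When the `analyzers` field is omitted, only OS packages are scanned for container images". Please state what the host scan does when `analyzers` is omitted. If the host default differs from the container image default, the note needs one sentence per feature. The same gap applies to the Helm hunk `@@ -79,10 +83,14 @@` and to the `host` block in linux.md.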
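Review bot: In PATCH 1/3, kubernetes.md hunk `@@ -91,6 +99,28 @@`, the added note gives the minimum version ("requires Datadog Agent **7.70 or later**") but not what an older Agent does when it is handed `analyzers: ["os", "languages"]`. In a cluster with mixed Agent versions that decides whether library coverage is missing quietly or the Agent refuses the configuration, so the note should say which, and should tell the reader where to confirm that application library findings are arriving after the restart.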
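Review bot: In PATCH 1/3, linux.md hunk `@@ -37,9 +37,13 @@`, the line `# Set to true to enable Host Vulnerability Management` is removed and re-added with identical text, so that part of the change is whitespace only. Please confirm the new indentation of that comment and of the two added `analyzers` lines matches the sibling `enabled: true` keys. In `datadog.yaml`, an `analyzers` key one level too shallow becomes a child of `sbom` rather than of `container_image` or `host`. A smaller style point in the same hunk: the existing comments read "Set to true to enable ..." while the new ones read "Enables scanning ...", and one wording throughout the block would be easier to follow.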
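Review bot: In PATCH 1/3, linux.md hunk `@@ -52,7 +56,29 @@`, the new `### Supported application library package managers` heading and table are inserted above the existing `**Notes**:` list, so the install-script note and the `chgrp dd-agent` step now render under a heading about package managers. Move the new section below the notes list (just above the link references) so the notes stay attached to the configuration steps. The `-**Notes**:` / `+**Notes**:` pair in this hunk differs only in trailing whitespace and can be dropped from the diff. Separately, the 13-row table is copied verbatim into both kubernetes.md and linux.md. A single shared source for it would keep the two pages from drifting when an ecosystem is added.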
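Review bot: In PATCH 2/3, kubernetes.md hunk `@@ -99,10 +99,12 @@` (and the matching linux.md hunk in PATCH 3/3), moving the version requirement and the default-behaviour sentence under `### Supported application library package managers` removes the only prose pointer between the configuration steps and this information. The deleted note carried the `#supported-application-library-package-managers` link and nothing replaces it. A reader who stops after "Restart the Agent" now sees only the inline `(Agent 7.70+)` comment. Keep a one-line note with the anchor link directly after the tabs or code block. In the new text, "managed by the package managers below" is immediately followed by the unchanged "The `languages` analyzer covers the following package ecosystems:", so the two lead-ins can be merged into one sentence.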