Use the following instructions to enable Infrastructure as Code (IaC) Security for Code Security. IaC Security supports Terraform and Kubernetes configurations stored in GitHub, GitLab, or Azure DevOps repositories.
Install the GitHub integration
To connect your GitHub repositories and enable PR comments, see the setup instructions in Pull Request Comments.
Enable IaC Security for your repositories
After setting up the GitHub integration, enable IaC Security for your repositories.
- On the Code Security Setup page, expand the Activate scanning for your repositories section.
- Under Select your source code management provider, select GitHub.
- Under Select where your scans should run, select Datadog.
- Under Connect your GitHub repositories, do one of the following:
  - To connect a new GitHub account, click Add GitHub Account.
  - To enable IaC Security for an existing account, click Select repositories, or click Edit if Code Security is already enabled.
- To enable IaC Security, do one of the following:
  - To enable it for all repositories, toggle Enable Infrastructure as Code Scanning (IaC) to the ON position.
  - To enable it for a single repository, toggle the IaC switch to ON for that repository.
Install the GitLab integration
To connect your GitLab repositories and enable PR comments, see the setup instructions in GitLab Source Code.
Enable IaC Security for your repositories
After setting up the GitLab integration, enable IaC Security for your repositories.
- On the Code Security Setup page, expand the Activate scanning for your repositories section.
- Under Select your source code management provider, select GitLab.
- Under Select where your scans should run, select Datadog.
- Under Connect your GitLab repositories, do one of the following:
  - To connect a new GitLab instance, click Connect GitLab Instance.
  - To enable IaC Security for an existing account, click Select repositories, or click Edit if Code Security is already enabled.
- To enable IaC Security, do one of the following:
  - To enable it for all repositories, toggle Enable Infrastructure as Code Scanning (IaC) to the ON position.
  - To enable it for a single repository, toggle the IaC switch to ON for that repository.
Install the Azure DevOps integration
To connect your Azure DevOps repositories and enable PR comments, see the setup instructions in Azure DevOps Source Code.
Enable IaC Security for your repositories
After setting up the Azure DevOps integration, enable IaC Security for your repositories.
- On the Code Security Setup page, expand the Activate scanning for your repositories section.
- Under Select your source code management provider, select Azure DevOps.
- Under Select where your scans should run, select Datadog.
- Under Connect your Azure DevOps repositories, do one of the following:
  - To connect a new Azure DevOps organization, click Connect Microsoft Entra App.
  - To enable IaC Security for an existing account, click Select repositories, or click Edit if Code Security is already enabled.
- To enable IaC Security, do one of the following:
  - To enable it for all repositories, toggle Enable Infrastructure as Code Scanning (IaC) to the ON position.
  - To enable it for a single repository, toggle the IaC switch to ON for that repository.
Upload third-party static analysis results to IaC Security
You can import SARIF results from third-party Infrastructure-as-Code (IaC) scanners, including Checkov, into IaC Security. See Upload third-party static analysis results for the SARIF-compliant tools supported for SAST. Node.js version 14 or later is required.
To upload a SARIF report:
- Ensure the DD_API_KEY and DD_APP_KEY environment variables are defined.
- Optionally, set a DD_SITE variable (this defaults to datadoghq.com).
- Install the datadog-ci utility (version 2.0 or later):
  ```shell
  npm install -g @datadog/datadog-ci
  ```
- Run the third-party IaC scanning tool (for example, Checkov, Trivy, or KICS) on your code and output the results in SARIF v2.1.0 format.
- Upload the results to Datadog:
  ```shell
  datadog-ci sarif upload $OUTPUT_LOCATION
  ```
Upload options:
- --tags: Add custom tags (format: key:value)
- --max-concurrency: Set the number of concurrent uploads (default: 20)
- --dry-run: Validate the report without uploading it
Required SARIF attributes
To ensure proper ingestion and display in Datadog IaC Scanning for third-party scanners (excluding Checkov), your SARIF file MUST include the following attributes for a result to be recognized as an IaC security finding:
- runs[...].tool.driver.name: Datadog IaC Scanning
- runs[...].tool.driver.version: "full_scan" or "code_update"
  - "full_scan" for complete repository scans
  - "code_update" for pull request / incremental scans
- runs[...].tool.driver.rules[...].properties.tags:
  - "DATADOG_RULE_TYPE:IAC_SCANNING"
  - "DATADOG_SCANNED_FILE_COUNT: <number>", where number is the number of scanned files
- runs[...].results[...].locations[...].physicalLocation:
  - artifactLocation.uri: Relative path to the file from the repository root
  - region.startLine: Starting line number
  - region.endLine: Ending line number
  - region.startColumn: Starting column number
  - region.endColumn: Ending column number
Suppressions silently drop violations: if results[...].suppressions is present on a result, that violation is ignored entirely.
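Because a malformed report ingests as nothing rather than as an error, it is worth checking a third-party SARIF file against the attributes above before uploading. The following checker is an added example, not Datadog's or datadog-ci's code; the sample report, its rule ID and file paths are constructed for illustration.

```python
# Added example (not Datadog's or datadog-ci's code): check a third-party,
# non-Checkov SARIF report for the attributes Datadog IaC Security requires, and
# flag results carrying "suppressions", which the ingest silently drops.
DRIVER_NAME = "Datadog IaC Scanning"
VERSIONS = {"full_scan", "code_update"}
REGION_KEYS = ("startLine", "endLine", "startColumn", "endColumn")


def check_sarif(doc: dict) -> list[str]:
    out = []  # one human-readable problem per entry; empty means all findings ingest
    for r, run in enumerate(doc.get("runs", [])):
        drv = run.get("tool", {}).get("driver", {})
        if drv.get("name") != DRIVER_NAME or drv.get("version") not in VERSIONS:
            out.append(f"runs[{r}]: driver.name must be {DRIVER_NAME!r} and "
                       "driver.version full_scan or code_update")
        for i, rule in enumerate(drv.get("rules", [])):
            tags = rule.get("properties", {}).get("tags", [])
            if "DATADOG_RULE_TYPE:IAC_SCANNING" not in tags:
                out.append(f"runs[{r}].rules[{i}]: missing DATADOG_RULE_TYPE:IAC_SCANNING tag")
            if not any(t.startswith("DATADOG_SCANNED_FILE_COUNT:") for t in tags):
                out.append(f"runs[{r}].rules[{i}]: missing DATADOG_SCANNED_FILE_COUNT tag")
        for j, res in enumerate(run.get("results", [])):
            where = f"runs[{r}].results[{j}]"
            if "suppressions" in res:  # any suppressions entry means the finding is ignored
                out.append(f"{where}: has suppressions, will be silently dropped")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                if not uri or uri.startswith("/"):
                    out.append(f"{where}: artifactLocation.uri must be repository-relative")
                missing = [k for k in REGION_KEYS if k not in phys.get("region", {})]
                if missing:
                    out.append(f"{where}: region missing {', '.join(missing)}")
    return out


# Constructed sample: one clean finding and one that would be dropped or rejected.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": DRIVER_NAME, "version": "full_scan", "rules": [
        {"id": "S3_PUBLIC", "properties": {"tags": [
            "DATADOG_RULE_TYPE:IAC_SCANNING", "DATADOG_SCANNED_FILE_COUNT: 12"]}}]}},
    "results": [
        {"ruleId": "S3_PUBLIC", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "infra/s3.tf"},
            "region": {"startLine": 4, "endLine": 9, "startColumn": 1, "endColumn": 2}}}]},
        {"ruleId": "S3_PUBLIC", "suppressions": [{"kind": "inSource"}],
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "/abs/s3.tf"}, "region": {"startLine": 1}}}]}]}]}

if __name__ == "__main__":
    print("\n".join(check_sarif(SAMPLE)) or "report looks ingestible")
```

Run it against the file you intend to pass to datadog-ci sarif upload (load it with json.load and call check_sarif) so that a dropped or rejected finding shows up before the upload rather than as a silent gap in Datadog.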
Further reading
More useful links, articles, and documentation: