The Datadog Github Action continuously monitors the dependency and version information of the code being deployed. By combining this data with Datadog's Continuous Profiler and Snyk's Vulnerability database, it provides a real-time view of which code is actually reachable and vulnerable in production. By layering Profiler data on top of Snyk's Intel Vulnerability DB, Datadog is able to provide a list of reachable vulnerabilities: those that are invoked by external users in production.
- Set up Datadog Continuous Profiler. A Datadog account with the Profiler enabled is required to create Datadog application and API keys and to access the Profiler. If you don't already have a Datadog account, sign up for a Datadog Free Trial.
- Note: When setting up Datadog Continuous Profiler, the `service` and `version` tags must follow the same conventions as in unified service tagging.
- Set up Snyk. A Snyk account is required to create the Snyk token. Sign up for a free Snyk account, or use an already existing account of any tier.
- Note: The Snyk integration only applies to Java applications, with support for more languages coming soon.
- Start by setting up or adding onto an existing Github Actions Workflow.
- Next, identify the Datadog Profiling Services in Datadog where you want to set up Vulnerability Security tracking. You'll need the service name that is in the Service column of your Datadog Profiling page.
- Depending on your language and build system, find the matching Snyk CLI Docker Image in the following table:
Name | Snyk CLI Docker Image |
---|---|
Gradle 5.4 | snyk/snyk-cli:gradle-5.4 |
Gradle 5.4 with Java 11 | snyk/snyk-cli:gradle-5.4_java11 |
Gradle 4.4 | snyk/snyk-cli:gradle-4.4 |
Gradle 2.8 | snyk/snyk-cli:gradle-2.8 |
Maven 3.6.3 | snyk/snyk-cli:maven-3.6.3 |
Maven 3.6.3 with Java 11 | snyk/snyk-cli:maven-3.6.3_java11 |
Maven 3.5.4 | snyk/snyk-cli:maven-3.5.4 |
- Define the service and the version that should be monitored, and connect Datadog and Snyk to your Github Actions workflow by editing your workflow YAML file to include the parameters `Snyk CLI Docker Image`, `build file`, `service`, `version`, `site`, `DATADOG_API_KEY`, `DATADOG_APP_KEY`, and `SNYK_TOKEN`. For a full list of fields, see Inputs. Here is an example yaml:
```yaml
jobs:
  vulnerability_analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Setup Node
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: Compute dependency graph
        # The repository is mounted at /project; <build file> is resolved relative to it.
        run: docker run -e "SNYK_TOKEN=$SNYK_TOKEN" -v "$PWD:/project" <Snyk CLI Docker Image> test --print-deps --file=<build file>
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Display dependency graph computation errors
        run: |
          echo "-- Display snyk-error.log file"
          cat snyk-error.log
      - name: Upload dependency graph to Datadog
        uses: datadog/github-action-vulnerability-analysis@v0.3.2
        with:
          service: <service>
          version: <version>
          site: <site> # Optional
        env:
          # Store both keys as Github secrets rather than writing them into the workflow file.
          DATADOG_API_KEY: <datadog-api-key>
          DATADOG_APP_KEY: <datadog-app-key>
```
`-v "$PWD:/project"` mounts the repository path inside the docker container to perform the dependency graph computation. The `build file` value must be a relative path to the build file, not an absolute one.
- Repeat steps 2 - 3 for any other services that you want to set up Vulnerability Security monitoring for (you only need to set up `datadog-api-key`, `datadog-app-key`, and `snyk-token` once).
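The inputs above carry constraints worth checking before the workflow spends a Snyk scan or uploads anything: the build file must be a relative path inside the mounted repository, the keys and token have fixed shapes (see the Inputs table), and `site` only takes two values. The following POSIX shell function is an added example, not part of the Datadog action or of this page; it reads the inputs from environment variables whose names (`BUILD_FILE`, `SERVICE`, `VERSION`, `DD_SITE`) are assumptions, and it accepts the secrets through the same `DATADOG_API_KEY`, `DATADOG_APP_KEY` and `SNYK_TOKEN` names the page uses.

```shell
#!/usr/bin/env sh
# check_inputs: added pre-flight validation for the workflow inputs described
# on this page. It is not part of the Datadog action; run it as its own step
# before "Upload dependency graph to Datadog". Inputs are read from the
# environment (pass secrets through `env:`), never from argv, so they do not
# appear in process listings. Variable names are assumptions:
#   BUILD_FILE, SERVICE, VERSION, DD_SITE (optional),
#   DATADOG_API_KEY, DATADOG_APP_KEY, SNYK_TOKEN.
# Returns 0 when every input passes, 1 otherwise, printing one line per
# failing check without ever printing a secret value.
check_inputs() {
  status=0

  # The build file is passed to the Snyk container as --file=<build file> and
  # is resolved inside the /project mount, so it must be a relative path.
  # Paths containing ".." are rejected as well, since they could escape the mount.
  case "$BUILD_FILE" in
    ""|/*|..|../*|*/..|*/../*)
      echo "build file must be a relative path inside the repository (got '$BUILD_FILE')"
      status=1 ;;
  esac

  # service and version must match the unified service tags of the profiled service.
  [ -n "$SERVICE" ] || { echo "service must be set"; status=1; }
  [ -n "$VERSION" ] || { echo "version must be set"; status=1; }

  # site is optional and defaults to datadoghq.com; only the two documented
  # values are accepted so that a typo does not send data to the wrong site.
  case "$DD_SITE" in
    ""|datadoghq.com|datadoghq.eu) ;;
    *) echo "site must be datadoghq.com or datadoghq.eu (got '$DD_SITE')"; status=1 ;;
  esac

  # Secret shapes from the Inputs table: 32-hex API key, 40-hex app key, and a
  # Snyk token laid out like the table's 8-4-4-4-12 example.
  printf '%s' "$DATADOG_API_KEY" | grep -Eq '^[0-9a-fA-F]{32}$' \
    || { echo "DATADOG_API_KEY is not a 32-character hex string"; status=1; }
  printf '%s' "$DATADOG_APP_KEY" | grep -Eq '^[0-9a-fA-F]{40}$' \
    || { echo "DATADOG_APP_KEY is not a 40-character hex string"; status=1; }
  printf '%s' "$SNYK_TOKEN" | grep -Eq '^[0-9a-zA-Z]{8}(-[0-9a-zA-Z]{4}){3}-[0-9a-zA-Z]{12}$' \
    || { echo "SNYK_TOKEN does not look like a Snyk API token"; status=1; }

  return $status
}
```

Save it as a script that calls `check_inputs` at the end and run it from a workflow step whose `env:` block passes the three secrets plus the four values; a non-zero exit fails the job before the Snyk and upload steps run.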
You have a service running Profiling with Datadog and you decide to add the vulnerability analysis. The service is running in the Datadog EU site (app.datadoghq.eu), is named `app-name`, and its version is `v2.1`. The service is a Java program built with Gradle, and the path to the build file is `app/build.gradle`. Store the Datadog API key, the Datadog app key, and the Snyk token as Github secrets under the `DATADOG_API_KEY`, `DATADOG_APP_KEY`, and `SNYK_TOKEN` variables.
Then the Github workflow is:
```yaml
jobs:
  vulnerability_analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Setup Node
        uses: actions/setup-node@v1
        with:
          node-version: 12.x
      - name: Compute dependency graph
        # Build file path is relative to the repository root, which is mounted at /project.
        run: docker run -e "SNYK_TOKEN=$SNYK_TOKEN" -v "$PWD:/project" snyk/snyk-cli:gradle-5.4 test --print-deps --file=app/build.gradle
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload dependency graph to Datadog
        uses: datadog/github-action-vulnerability-analysis@v0.3
        with:
          service: 'app-name'
          version: 'v2.1'
          site: 'datadoghq.eu'
        env:
          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
          DATADOG_APP_KEY: ${{ secrets.DATADOG_APP_KEY }}
```
Once you have integrated Snyk and Datadog and run your Github Actions Workflow, you will begin to see the Snyk vulnerability analysis in the Vulnerability Severity column on the Datadog Profiler search page for any implemented services.
Drilling into a profile will display a Vulnerability Intelligence section (if a vulnerability is detected) that provides a link to the Snyk vulnerability database, with details on the exposure and remediation steps.
The Search view can be used to gather insights on how often specific vulnerabilities are invoked over a period of time. You can get this view by using `Vulnerabilities` as a measure, and `Vulnerability` as an aggregation function. This helps to compare the relative frequency of invocations for different vulnerabilities. Now you can go ahead and remediate the higher risk vulnerabilities that are exposed to the public!
| Name | Requirement | Default | Description |
|---|---|---|---|
| Snyk CLI Docker Image | required | | The path to the Snyk CLI Docker Image that computes the dependency graph. Example: `snyk/snyk-cli:gradle-5.4` |
| build file | required | | The build file of the service. Example: `app/build.gradle` or `app/build.gradle.kts` |
| service | required | | The service name. Example: `app-name` |
| version | required | | The version of the application. Example: `v2.1` |
| DATADOG_API_KEY | required | | The Datadog API key. A 32-character hexadecimal string. This key is created by your Datadog organization and should be stored as a secret. |
| DATADOG_APP_KEY | required | | The Datadog app key. A 40-character hexadecimal string. This key is created by your Datadog organization and should be stored as a secret. |
| SNYK_TOKEN | required | | The Snyk token. Example: `a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6`. This key is created from your Snyk account and should be stored as a secret. |
| site | optional | datadoghq.com | The Datadog site. Needs to be set to `datadoghq.eu` for Datadog EU users. Example: `datadoghq.com` or `datadoghq.eu` |