Merged
2 changes: 2 additions & 0 deletions aws_quickstart/datadog_agentless_api_call.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ def call_datadog_agentless_api(context, event, method):
account_id = event["ResourceProperties"]["AccountId"]
vulnerability_scanning = event["ResourceProperties"]["VulnerabilityScanning"]
sensitive_data = event["ResourceProperties"]["SensitiveData"]
compliance_host = event["ResourceProperties"]["ComplianceHost"]
# Optional parameters
launch_template_id = event["ResourceProperties"].get("LaunchTemplateId")
asg_arn = event["ResourceProperties"].get("AutoScalingGroupArn")
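Review bot: `compliance_host` is read with a hard index like the other required keys, so the custom resource now raises `KeyError` for any caller that does not pass `ComplianceHost`. Every template in this PR does pass it, but if the handler is ever invoked by an older template version a `.get("ComplianceHost", "false")` default would degrade gracefully instead of failing the stack operation; whichever way you go, state in the handler's docstring or README that the key is now required.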
Expand Down Expand Up @@ -78,6 +79,7 @@ def call_datadog_agentless_api(context, event, method):
"vuln_host_os": vulnerability_scanning == "true",
"lambda": vulnerability_scanning == "true",
"sensitive_data": sensitive_data == "true",
"compliance_host": compliance_host == "true",
},
},
}
1 change: 1 addition & 0 deletions aws_quickstart/datadog_agentless_api_call_test.py
Expand Up @@ -35,6 +35,7 @@ def setUp(self):
"AccountId": "123456789012",
"VulnerabilityScanning": "true",
"SensitiveData": "false",
"ComplianceHost": "false",
},
"StackId": "arn:aws:cloudformation:us-east-1:358251252154:stack/DatadogAgentlessIntegration/22b23bca-de8b-451c-99e4-c69b9ad20ec7",
}
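Review bot: the updated fixture only exercises `"ComplianceHost": "false"`, so the new `"compliance_host": True` branch in `call_datadog_agentless_api` is never asserted. Add a case that sets `"ComplianceHost": "true"` and checks the request body carries `"compliance_host": True`, mirroring whatever the existing tests do for `VulnerabilityScanning`.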
10 changes: 10 additions & 0 deletions aws_quickstart/datadog_agentless_delegate_role.yaml
Expand Up @@ -48,6 +48,14 @@ Parameters:
Description: Enable Agentless Scanning of datastores (S3 buckets).
Default: false

AgentlessComplianceHostScanning:
Type: String
AllowedValues:
- true
- false
Description: Enable Agentless Compliance Scanning for hosts.
Default: false

ScannerInstanceRoleARN:
Type: CommaDelimitedList
Description: The ARNs of the roles of the Datadog Agentless Scanner instances that will assume the delegate role.
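Review bot: the new parameter is threaded through to the API call, but nothing in this template touches the delegate role's policy. Confirm whether compliance scanning of hosts needs any permission beyond what `AgentlessVulnerabilityScanning` already grants the scanner; if it does not, say so in the `Description` so operators enabling it know no extra access is being delegated.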
Expand Down Expand Up @@ -339,6 +347,7 @@ Resources:
AccountId: !Ref "AWS::AccountId"
VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning"
SensitiveData: !Ref "AgentlessSensitiveDataScanning"
ComplianceHost: !Ref "AgentlessComplianceHostScanning"
IntegrationRoleName: !Ref "DatadogIntegrationRoleName"
Partition: !Ref "AWS::Partition"
# Optional parameters
Expand Down Expand Up @@ -375,4 +384,5 @@ Metadata:
default: "Advanced"
Parameters:
- AgentlessSensitiveDataScanning
- AgentlessComplianceHostScanning
- AccountId
10 changes: 10 additions & 0 deletions aws_quickstart/datadog_agentless_delegate_role_stackset.yaml
Expand Up @@ -52,6 +52,14 @@ Parameters:
Description: Enable Agentless Scanning of datastores (S3 buckets).
Default: false

AgentlessComplianceHostScanning:
Type: String
AllowedValues:
- true
- false
Description: Enable Agentless Compliance Scanning for hosts.
Default: false

DatadogIntegrationRoleName:
Type: String
Description: The name of IAM role used by the Datadog AWS integration. If provided, the SecurityAudit policy will be attached to this role.
Expand Down Expand Up @@ -323,6 +331,7 @@ Resources:
AccountId: !Ref "AWS::AccountId"
VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning"
SensitiveData: !Ref "AgentlessSensitiveDataScanning"
ComplianceHost: !Ref "AgentlessComplianceHostScanning"
IntegrationRoleName: !Ref "DatadogIntegrationRoleName"
Partition: !Ref "AWS::Partition"
# Optional parameters
Expand Down Expand Up @@ -389,3 +398,4 @@ Metadata:
Parameters:
- AgentlessVulnerabilityScanning
- AgentlessSensitiveDataScanning
- AgentlessComplianceHostScanning
13 changes: 13 additions & 0 deletions aws_quickstart/datadog_agentless_scanning.yaml
Expand Up @@ -44,6 +44,15 @@ Parameters:
Enable Agentless Scanning of datastores (S3 buckets).
Default: false

AgentlessComplianceHostScanning:
Type: String
AllowedValues:
- true
- false
Description: >-
Enable Agentless Compliance Scanning for hosts.
Default: false

DatadogAPIKeySecretArn:
Type: String
Description: The ARN of the secret storing the Datadog API key, if you already have it stored in Secrets Manager. You must store the secret as a plaintext, rather than a key-value pair.
Expand Down Expand Up @@ -1058,6 +1067,7 @@ Resources:
AccountId: !Ref "AWS::AccountId"
VulnerabilityScanning: !Ref "AgentlessVulnerabilityScanning"
SensitiveData: !Ref "AgentlessSensitiveDataScanning"
ComplianceHost: !Ref "AgentlessComplianceHostScanning"
IntegrationRoleName: !Ref "DatadogIntegrationRoleName"
Partition: !Ref "AWS::Partition"
# Optional parameters
Expand Down Expand Up @@ -1099,6 +1109,7 @@ Metadata:
- DatadogSite
- AgentlessVulnerabilityScanning
- AgentlessSensitiveDataScanning
- AgentlessComplianceHostScanning
- Label:
default: Advanced
Parameters:
Expand Down Expand Up @@ -1130,3 +1141,5 @@ Metadata:
default: "AgentlessVulnerabilityScanning *"
AgentlessSensitiveDataScanning:
default: "AgentlessSensitiveDataScanning *"
AgentlessComplianceHostScanning:
default: "AgentlessComplianceHostScanning *"
18 changes: 18 additions & 0 deletions aws_quickstart/main_extended.yaml
Expand Up @@ -103,6 +103,14 @@ Parameters:
Description: >-
Enable Agentless Scanning of datastores (S3 buckets).
Default: false
AgentlessComplianceHostScanning:
Type: String
AllowedValues:
- true
- false
Description: >-
Enable Agentless Compliance Scanning for hosts.
Default: false
ScannerDelegateRoleName:
Type: String
Description: The name of the role assumed by the Datadog Agentless Scanner
Expand Down Expand Up @@ -141,6 +149,9 @@ Rules:
- Fn::Equals:
- Ref: AgentlessSensitiveDataScanning
- 'true'
- Fn::Equals:
- Ref: AgentlessComplianceHostScanning
- 'true'
AssertDescription: Agentless Scanning options require ResourceCollection, must enable ResourceCollection
Conditions:
InstallForwarder:
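Review bot: this `Rules` assertion compares the parameters against the quoted string `'true'` while the `Conditions` hunk below compares the same parameters against bare `true`. The new `AgentlessComplianceHostScanning` lines copy each block's existing style, so the inconsistency predates this change, but quoting `true` in both places would stop the condition from relying on YAML boolean coercion inside `Fn::Equals`.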
Expand All @@ -164,6 +175,9 @@ Conditions:
- Fn::Equals:
- !Ref AgentlessSensitiveDataScanning
- true
- Fn::Equals:
- !Ref AgentlessComplianceHostScanning
- true
IsAP1:
Fn::Equals:
- !Ref DatadogSite
Expand Down Expand Up @@ -203,6 +217,7 @@ Resources:
AccountId: !Ref AWS::AccountId
AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning
AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning
AgentlessComplianceHostScanning: !Ref AgentlessComplianceHostScanning
ScannerDelegateRoleName: !Ref ScannerDelegateRoleName
ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"]
DatadogIntegrationRoleName: !If [IsCrossAccountScanning, !Ref "AWS::NoValue", !Ref "IAMRoleName"]
Expand Down Expand Up @@ -283,6 +298,7 @@ Metadata:
- CloudSecurityPostureManagement
- AgentlessVulnerabilityScanning
- AgentlessSensitiveDataScanning
- AgentlessComplianceHostScanning
- Label:
default: Advanced
Parameters:
Expand All @@ -303,5 +319,7 @@ Metadata:
default: "AgentlessVulnerabilityScanning *"
AgentlessSensitiveDataScanning:
default: "AgentlessSensitiveDataScanning *"
AgentlessComplianceHostScanning:
default: "AgentlessComplianceHostScanning *"
InstallLambdaLogForwarder:
default: "InstallLambdaLogForwarder *"
18 changes: 18 additions & 0 deletions aws_quickstart/main_extended_workflow.yaml
Expand Up @@ -113,6 +113,14 @@ Parameters:
Description: >-
Enable Agentless Scanning of datastores (S3 buckets).
Default: false
AgentlessComplianceHostScanning:
Type: String
AllowedValues:
- true
- false
Description: >-
Enable Agentless Compliance Scanning for hosts.
Default: false
ScannerDelegateRoleName:
Type: String
Description: The name of the role assumed by the Datadog Agentless Scanner
Expand Down Expand Up @@ -161,6 +169,9 @@ Rules:
- Fn::Equals:
- Ref: AgentlessSensitiveDataScanning
- 'true'
- Fn::Equals:
- Ref: AgentlessComplianceHostScanning
- 'true'
AssertDescription: Agentless Scanning options require ResourceCollection, must enable ResourceCollection
Conditions:
InstallForwarder:
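Review bot: same quoting mismatch as in `main_extended.yaml`: `'true'` in this `Rules` block versus bare `true` in the `Conditions` hunk below. Pick one form for both blocks.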
Expand All @@ -187,6 +198,9 @@ Conditions:
- Fn::Equals:
- !Ref AgentlessSensitiveDataScanning
- true
- Fn::Equals:
- !Ref AgentlessComplianceHostScanning
- true
NoAgentlessScanning:
Fn::Not:
- Condition: EnableAgentlessScanning
Expand Down Expand Up @@ -549,6 +563,7 @@ Resources:
AccountId: !Ref AWS::AccountId
AgentlessVulnerabilityScanning: !Ref AgentlessVulnerabilityScanning
AgentlessSensitiveDataScanning: !Ref AgentlessSensitiveDataScanning
AgentlessComplianceHostScanning: !Ref AgentlessComplianceHostScanning
ScannerDelegateRoleName: !Ref ScannerDelegateRoleName
ScannerInstanceRoleARN: !If [IsCrossAccountScanning, !Join [",", !Ref "ScannerInstanceRoleARN"], !Ref "AWS::NoValue"]
DatadogIntegrationRoleName: !If [IsCrossAccountScanning, !Ref "AWS::NoValue", !Ref "IAMRoleName"]
Expand Down Expand Up @@ -702,6 +717,7 @@ Metadata:
- CloudSecurityPostureManagement
- AgentlessVulnerabilityScanning
- AgentlessSensitiveDataScanning
- AgentlessComplianceHostScanning
- Label:
default: Advanced
Parameters:
Expand All @@ -726,5 +742,7 @@ Metadata:
default: "AgentlessVulnerabilityScanning *"
AgentlessSensitiveDataScanning:
default: "AgentlessSensitiveDataScanning *"
AgentlessComplianceHostScanning:
default: "AgentlessComplianceHostScanning *"
InstallLambdaLogForwarder:
default: "InstallLambdaLogForwarder *"
2 changes: 1 addition & 1 deletion aws_quickstart/version.txt
@@ -1 +1 @@
v4.6.5
v4.7.0
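Review bot: a minor bump is the right choice for an additive, default-off parameter. If any nested-stack `TemplateURL` in these templates embeds this version string, make sure it is updated in the same release so the parent and child templates agree on the new `ComplianceHost` property.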