diff --git a/content/en/security/cloud_security_management/vulnerabilities/_index.md b/content/en/security/cloud_security_management/vulnerabilities/_index.md index d20c94ea8e6..377124ed1ac 100644 --- a/content/en/security/cloud_security_management/vulnerabilities/_index.md +++ b/content/en/security/cloud_security_management/vulnerabilities/_index.md @@ -19,6 +19,9 @@ further_reading: - link: "https://www.datadoghq.com/blog/datadog-container-image-view/" tag: "Blog" text: "Enhance your troubleshooting workflow with Container Images in Datadog Container Monitoring" +- link: "/security/cloud_security_management/setup/ci_cd/#link-dockerfile-to-vulnerabilities" + tag: "Documentation" + text: "Link a Dockerfile to vulnerabilities detected in production" --- ## Overview 
@@ -102,6 +105,16 @@ In [Container Images][7], you can trace vulnerabilities found in an image to spe {{< img src="infrastructure/containerimages/image_layer_vulnerabilities.png" alt="A list of vulnerabilities associated with each layer of an image" width="100%">}} +## Trace production vulnerabilities to source code + +When a CVE is detected on a running container image, Datadog can link it directly to the Dockerfile and commit that introduced the vulnerable package. This closes the gap between a production alert and the code change that caused it, giving developers the context they need to remediate at the source rather than chasing package versions across registries. + +To enable this code-to-cloud mapping, add OCI image annotations to your container images at build time. Datadog uses these annotations to display a preview of the Dockerfile inside the Container Image Vulnerabilities panel and to surface the exact repository, commit, and file path associated with the vulnerability. + +{{< img src="security/vulnerabilities/csm-vm-dockerfile-panel.png" alt="The Container Image Vulnerabilities panel showing a Dockerfile preview linked to a detected CVE" width="100%">}} + +To set up source linking, see [Link Dockerfile to vulnerabilities][22] in the CI/CD container image scanning guide. + ## Automation and Jira integration Make Cloud Security Vulnerabilities part of your daily workflow by setting up [security notification rules][17] and [automation pipelines (in Preview)][20]: - Get alerted upon detection of an exploitable vulnerability for your scope @@ -142,6 +155,7 @@ Quickly assess the impact of a critical emerging vulnerability by searching for [19]: https://app.datadoghq.com/security/catalog/libraries [20]: https://www.datadoghq.com/product-preview/security-automation-pipelines/ [21]: /security/cloud_security_management/setup/ci_cd +[22]: /security/cloud_security_management/setup/ci_cd/#link-dockerfile-to-vulnerabilities ## Further reading 
diff --git a/static/images/security/vulnerabilities/csm-vm-dockerfile-panel-dark.png b/static/images/security/vulnerabilities/csm-vm-dockerfile-panel-dark.png new file mode 100644 index 00000000000..7ed31dd03a9 Binary files /dev/null and b/static/images/security/vulnerabilities/csm-vm-dockerfile-panel-dark.png differ diff --git a/static/images/security/vulnerabilities/csm-vm-dockerfile-panel.png b/static/images/security/vulnerabilities/csm-vm-dockerfile-panel.png new file mode 100644 index 00000000000..beca9b2e43a Binary files /dev/null and b/static/images/security/vulnerabilities/csm-vm-dockerfile-panel.png differ
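Review bot: the opening sentence of the new "Trace production vulnerabilities to source code" section overstates what the annotations can establish. It says Datadog links the CVE to "the Dockerfile and commit that introduced the vulnerable package", but the setup paragraph two lines later describes the annotations as surfacing "the exact repository, commit, and file path associated with the vulnerability", which is the commit the image was built from, not necessarily the change that first pulled in the package. Suggest "the Dockerfile and the commit the image was built from". Also, "add OCI image annotations to your container images at build time" names no annotation keys; either list the required keys in this section or state explicitly that the linked guide ([22]) enumerates them, so readers do not go looking for them here.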
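Review bot: the dark-mode variant csm-vm-dockerfile-panel-dark.png is added under static/images, but nothing in the markdown references it; the img shortcode in the new section points only at security/vulnerabilities/csm-vm-dockerfile-panel.png. If the docs build resolves the -dark suffix automatically this is fine; otherwise the file is unused or the shortcode needs to reference it explicitly. Worth confirming before merge.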