Track Changes in Your Containerized Infrastructure With Container Image Trends | Datadog

Author Ivan Ilichev
Author Danny Driscoll
Author Jesse Mack

Published: May 6, 2024

Datadog’s Container Images view provides key insights into every container image used in your environment, helping you quickly detect and remediate security and performance problems that can affect multiple containers in your distributed system. In addition to having a snapshot of the performance of your container fleet, it’s also critical to understand large-scale trends in security posture and resource utilization over time.

Now, Datadog’s Container Image Trends view helps you answer key questions about image posture across your entire containerized infrastructure. You can use this view to answer questions like:

  • What are my oldest running container images?
  • How has the number of vulnerabilities in my container images changed over time?
  • Which is the most commonly used remote image registry across my infrastructure?

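In this post, we’ll show you how the Container Image Trends view can help you:

  • Get high-level insights about your container image ecosystem
  • Track progress in remediating container image vulnerabilities
  • Use dashboards based on image-specific metrics for more customized monitoring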

Get high-level insights about your container image ecosystem

The top section of the Container Image Trends view provides a brief summary of several key metrics—max image size, oldest image age, total vulnerability count, and total running containers.

[Image: Top metrics in the Container Image Trends view]

These data points give you a high-level view of your container image ecosystem at a glance. For example, if you are trying to enforce use of lightweight images in your environment because they tend to contain fewer vulnerabilities, you can see how your max image size is trending, helping you quickly gauge how your team is progressing in this effort.

From here, you can dive deeper into the details for the running containers associated with your container images. The Running Container Images section of the Container Image Trends view shows you how many containers are running images from your registries and repositories, so you can understand the total infrastructure footprint of individual images. It also shows you your oldest running container images and the average age of an image in your environment, helping you identify which images may need to be updated and track your progress in lowering average image age over time.

[Image: Running Container Images metrics]

Container images are frequently pulled from remote cloud registries and stored locally on the host to be readily available to run containers. Often, container images that are no longer used are kept in the local host registry, taking up unnecessary disk space and potentially impacting costs.

In the Pulled Container Images section of the Container Image Trends page, you can easily identify:

  • What images are present in local host registries but no longer running
  • Which image registries are the most commonly used based on the number of running containers

[Image: Pulled Container Images section]

With this information, you can spot cloud registries that you may be paying for but not actively using, as well as images that are taking up unnecessary disk space in your hosts.

Track progress in remediating container image vulnerabilities

It’s important to understand where vulnerable container images are present in your environment and track your progress toward remediation. If you are using Datadog Cloud Security Monitoring (CSM), you’ll be able to see container image vulnerability data in the Container Image Trends view.

The Security Posture section shows the current vulnerabilities in your container images and allows you to compare your current state against historical data. You can see:

  • The distribution of vulnerabilities across your image registries
  • How many vulnerabilities are present in your most commonly deployed images, including the percent change since a week ago
  • How the total number of vulnerabilities across your container images has changed since one week prior

[Image: Security Posture section]

With this data, you can see where the most risks lie in your environment, decide which registries to prioritize for remediation, and track your recent progress in addressing these issues.

Use dashboards based on image-specific metrics for more customized monitoring

Once you’ve enabled the Container Image Trends view in Infrastructure Monitoring, several new metrics become available for your container images:

  • contimage.max_image_size: The maximum size of the container image
  • contimage.max_image_age: The age of the container image
  • contimage.running_containers: The number of containers in which the container image is running

Additionally, if you have enabled Container Vulnerability within Datadog Cloud Security Management, another metric will be available:

  • contimage.vuln_count: The total number of vulnerabilities found in the container image (for Cloud Security Management Customers)

In addition to seeing these metrics in the Container Image Trends view, you can also use them to tailor your monitoring more specifically to your needs using dashboards. For example, you can create a custom dashboard by copying individual widgets from the Container Image Trends view.

[Image: Export metrics to a dashboard]

Alternatively, you can use the out-of-the-box Container Image Trends dashboard and adjust the metrics you’re viewing based on the needs of your environment by cloning the dashboard and editing your widgets as needed.

[Image: Out-of-the-box Container Image Trends dashboard]

The Container Image Trends view is available to all Datadog Container Monitoring users. You can use our documentation to get started with Container Monitoring. Or, if you aren’t already a Datadog user, you can sign up for a 14-day .