Automate vulnerability analysis with the Datadog GitHub Action

Author: Abilash Ravikumar

Published: December 9, 2020

To enhance and automate your vulnerability analysis, we’re excited to launch the Datadog Vulnerability Analysis GitHub Action. The action enables easy integration between your application, Datadog Continuous Profiler, and Snyk’s vulnerability database to provide actionable security heuristics. The action can be installed directly from the GitHub Marketplace, and does not require you to manage any additional scripts or infrastructure. You can add it directly to your CI/CD pipeline in minutes to automate vulnerability analysis with every new deployment.

Traditional methods of implementing application security are either hard to instrument, overwhelming, or expensive. This adds friction that prevents teams from making security a core part of their development process. To be effective, security features must be easy to use and actionable.

Many teams already use GitHub Actions to run automation workflows from their repositories—this provides an easy and familiar onboarding path. The Datadog GitHub Action replaces the complexities of installing a traditional vulnerability analysis tool with a quick and seamless marketplace installation process.

Once installed, Datadog Continuous Profiler can help you glean valuable insights on vulnerabilities exposed in your production environment, providing immediate value. For example, you can track how often a vulnerability is invoked by navigating to the aggregation view of Continuous Profiler.

Once you've installed the Datadog GitHub action, you can track how often vulnerabilities are invoked in the Datadog Continuous Profiler aggregation view.

Continuous vulnerability analysis with Continuous Profiler

Oftentimes, when teams scan their applications for known vulnerabilities for the first time, they are overwhelmed by a long list of potential exposures. This can be disheartening, and may prevent teams from even attempting to clean up their applications. To ingrain good security hygiene, you need actionable security heuristics—not a laundry list of potential issues.

Datadog Continuous Profiler provides granular, method-level visibility into which parts of the application ran, how often, and for how long. By layering Profiler data on top of Snyk’s vulnerability analysis, Datadog is able to provide a list of truly reachable vulnerabilities—those that are invoked by external users in production.

How the Datadog GitHub Action works

GitHub Actions offers an easy way to set up your environment and run the scripts needed to enable vulnerability analysis on Datadog. With each new deployment, the Datadog Vulnerability Analysis GitHub Action will generate a dependency graph, which provides a list of packages and methods present in the application. This is generated by leveraging Snyk’s class-leading vulnerability database—it creates a mapping between the database and the application’s dependencies. Because a new dependency graph is generated with every deployment, you can ensure that the vulnerability analysis is always up to date. The dependency graph is then uploaded to Datadog Continuous Profiler, which kicks off the vulnerability analysis.

The Datadog GitHub Action automatically generates a new dependency graph with each deployment, ensuring that your vulnerability analysis is always up to date.
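To make the idea behind "reachable vulnerabilities" concrete, here is an added illustration (not Datadog's or Snyk's code, and not the action itself) of the core join the post describes: a dependency graph listing packages and their methods, a vulnerability list naming affected methods, and profiler stack samples from production. All package names, advisory IDs and samples below are constructed; only advisories whose vulnerable method actually shows up in a profiled stack are reported, ranked by how often they were invoked.

```python
# Added illustration: combine a dependency graph, a vulnerability list and
# profiler samples to surface only the vulnerable methods production invoked.
from collections import Counter
from typing import Dict, List, Tuple

# Constructed dependency graph: package -> methods present in the deployment.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "example-yaml@1.0": ["example_yaml.load", "example_yaml.safe_load"],
    "example-http@2.3": ["example_http.get", "example_http.parse_header"],
    "example-unused@0.9": ["example_unused.run"],
}

# Constructed advisories: (hypothetical advisory id, package, vulnerable method).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("ADV-0001", "example-yaml@1.0", "example_yaml.load"),
    ("ADV-0002", "example-http@2.3", "example_http.parse_header"),
    ("ADV-0003", "example-unused@0.9", "example_unused.run"),
]

# Constructed profiler samples: (call stack, root first, number of samples).
PROFILE_SAMPLES: List[Tuple[List[str], int]] = [
    (["app.handle_request", "example_http.get", "example_http.parse_header"], 120),
    (["app.handle_request", "example_yaml.safe_load"], 40),
    (["app.worker", "example_http.get"], 15),
]


def invocation_counts(samples: List[Tuple[List[str], int]]) -> Counter:
    """Total samples in which each method appeared anywhere on the stack."""
    counts: Counter = Counter()
    for stack, n in samples:
        for frame in set(stack):  # a method counts once per sample
            counts[frame] += n
    return counts


def reachable_vulnerabilities(graph, advisories, samples):
    """Advisories whose vulnerable method is both present in the dependency
    graph and observed in a profiled stack, most-invoked first."""
    counts = invocation_counts(samples)
    reachable = []
    for adv_id, package, method in advisories:
        if method not in graph.get(package, []):
            continue  # advisory does not match a method in this deployment
        n = counts.get(method, 0)
        if n > 0:  # never invoked in production: keep off the actionable list
            reachable.append((adv_id, package, method, n))
    reachable.sort(key=lambda r: r[3], reverse=True)
    return reachable


if __name__ == "__main__":
    for row in reachable_vulnerabilities(DEPENDENCY_GRAPH, ADVISORIES, PROFILE_SAMPLES):
        print("reachable: %s %s %s invoked in %d samples" % row)
```

Of the three constructed advisories, only ADV-0002 is reported: its vulnerable method was actually invoked, while the vulnerable `example_yaml.load` and the unused package never appear in a profiled stack.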

Get started with the Datadog GitHub Action

With vulnerability analysis now natively integrated with Datadog Continuous Profiler, you can immediately detect when vulnerable methods are invoked in production and investigate vulnerabilities in full context with invocation data from your code profiles. You can head directly to the GitHub Marketplace to install the Datadog Vulnerability Analysis GitHub Action. Or, if you’re not using Datadog yet, sign up to get started.