Code-Level Security Fixes Get High Priority with Datadog, Snyk Partnership
Datadog has launched a GitHub Action that continuously monitors the dependency and version information of code being deployed. By integrating this data with Datadog’s Continuous Profiler and Snyk’s vulnerability database, developers gain a real-time view of which known vulnerabilities their code actually exposes.
Datadog and Snyk are teaming up to help developers find, prioritize and resolve application vulnerabilities in real time. The joint effort aims to provide real-time views into what code is actually reachable and vulnerable in production.
Datadog, a monitoring and security platform for cloud apps, has recently listed on GitHub its Datadog Vulnerability Analysis GitHub Action, which continuously monitors the dependency and version information of code being deployed. By integrating data from this action with Datadog’s Continuous Profiler and Snyk’s vulnerability database, users receive a real-time view of their code and its vulnerabilities. Snyk is a developer platform for building cloud-native apps securely.
The partnership with Snyk comes as Datadog expands the reach of its monitoring and security platform for cloud apps with the rollout of the Datadog Vulnerability Analysis GitHub Action.
“Maintaining strong security posture is critical for modern applications, but with traditional vulnerability analysis it can be difficult to distinguish the signal from the noise,” said Ilan Rabinovitch, Datadog’s vice president for product and community. “Integrating the Continuous Profiler with the vulnerability database highlights meaningful security vulnerabilities, while utilizing the GitHub Action automates this process by bringing security directly into application development.”
The Datadog GitHub action is also a win for GitHub, according to Jeremy Epling, vice president for product management at GitHub. “We’re moving towards a world where security, testing, and even responsibility for production operations are shifting left towards the developer. Partnering with full-stack monitoring leaders like Datadog makes it easy for developers and DevOps teams to incorporate critical operations tooling as part of their everyday work environment, so teams can focus on delivering value, at greater velocity.”
How Datadog, Snyk Work Together To Automate Vulnerability Analysis
The offering comes at a time when developers are looking to get more speed and deeper visibility into their code – both in development and deployment.
Scanning applications for known vulnerabilities often yields a long list of issues, but a plain scan gives teams little basis for deciding which to fix first. With the data collected by Datadog’s new GitHub action, vulnerability analysis can be automated so that results arrive more quickly and with fewer false alarms, according to partnership execs.
Under the covers, the analysis is performed by the Datadog Continuous Profiler using Snyk vulnerability metadata. Because the profiler already observes which code paths run, engineering teams can detect when, and how often, vulnerable methods are actually invoked in live environments. In turn, teams can prioritize their security fixes based on real-world application behavior rather than on the mere presence of a vulnerable package.
In a recent blog post, Datadog product manager Abilash Ravikumar shared details on the mission of the Datadog/Snyk project and the technology behind it.
[T]he Datadog Vulnerability Analysis GitHub Action enables easy integration between your application, Datadog Continuous Profiler, and Snyk’s vulnerability database to provide actionable security heuristics. The action can be installed directly from the GitHub Marketplace, and does not require you to manage any additional scripts or infrastructure. You can add it directly to your CI/CD pipeline in minutes to automate vulnerability analysis with every new deployment.
Traditional methods of implementing application security are either hard to instrument, overwhelming, or expensive. This adds friction that prevents teams from making security a core part of their development process. To be effective, security features must be easy to use and actionable.
Many teams already use GitHub Actions to run automation workflows from their repositories—this provides an easy and familiar onboarding path. The Datadog GitHub Action replaces the complexities of installing a traditional vulnerability analysis tool with a quick and seamless marketplace installation process.
Once installed, Datadog Continuous Profiler can help you glean valuable insights on vulnerabilities exposed in your production environment, providing immediate value. For example, you can track how often a vulnerability is invoked by navigating to the aggregation view of Continuous Profiler.
GitHub Actions offers an easy way to set up your environment and run the scripts needed to enable vulnerability analysis on Datadog. With each new deployment, the Datadog Vulnerability Analysis GitHub Action will generate a dependency graph, which provides a list of packages and methods present in the application. This is generated by leveraging Snyk’s class-leading vulnerability database—it creates a mapping between the database and the application’s dependencies. Because a new dependency graph is generated with every deployment, you can ensure that the vulnerability analysis is always up to date. The dependency graph is then uploaded to Datadog Continuous Profiler, which kicks off the vulnerability analysis.
With vulnerability analysis now natively integrated with Datadog Continuous Profiler, you can immediately detect when vulnerable methods are invoked in production and investigate vulnerabilities in full context with invocation data from your code profiles.
The Datadog Vulnerability Analysis GitHub Action can be found and installed directly from the GitHub Marketplace without needing to manage scripts or infrastructure.
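The prioritization the article describes (map the application’s dependency graph onto a vulnerability database, then rank findings by whether the vulnerable methods are actually invoked in production) can be sketched in a few dozen lines. The following is an added illustration, not code from Datadog, Snyk or the GitHub Action; the dependency graph, the vulnerability entries (with hypothetical identifiers of the form EX-2021-000N), the profiler samples and the version-range logic are all constructed here for the example.

```python
"""Prioritizing vulnerable dependencies by production reachability.

Added illustration, not Datadog's or Snyk's code. All data below is
constructed: the dependency graph, the vulnerability entries (hypothetical
identifiers) and the profiler samples.
"""
from collections import Counter
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); sufficient for the constructed data below."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # hypothetical identifier, not a real advisory
    package: str
    fixed_in: str       # deployed versions below this are affected
    methods: frozenset  # fully qualified methods that trigger the flaw
    severity: float     # CVSS-style score, 0 to 10


# Constructed dependency graph in the shape the text describes: for each
# package, the deployed version and the methods present in the application.
DEPENDENCY_GRAPH = {
    "logfmt-core": {"version": "2.14.1", "methods": {
        "logfmt.core.Logger.info", "logfmt.core.Lookup.resolve"}},
    "yamlparse": {"version": "5.3.0", "methods": {
        "yamlparse.Loader.load", "yamlparse.Loader.safe_load"}},
    "imgutil": {"version": "1.2.0", "methods": {
        "imgutil.Thumbnail.render"}},
}

# Constructed vulnerability table (hypothetical entries).
VULN_DB = [
    Vulnerability("EX-2021-0001", "logfmt-core", "2.15.0",
                  frozenset({"logfmt.core.Lookup.resolve"}), 9.8),
    Vulnerability("EX-2021-0002", "yamlparse", "5.4.0",
                  frozenset({"yamlparse.Loader.load"}), 8.1),
    Vulnerability("EX-2021-0003", "imgutil", "1.1.0",  # fixed before 1.2.0
                  frozenset({"imgutil.Thumbnail.render"}), 7.5),
]

# Constructed profiler samples: (method, sampled call count) from production.
PROFILE_SAMPLES = [
    ("logfmt.core.Logger.info", 1200),
    ("logfmt.core.Lookup.resolve", 37),
    ("yamlparse.Loader.safe_load", 400),
    ("imgutil.Thumbnail.render", 5),
]


def match_vulnerabilities(graph, db):
    """Map the dependency graph onto the vulnerability table.

    A vulnerability applies when the package is deployed at an affected
    version and at least one of its vulnerable methods is present.
    Returns (vulnerability, present_vulnerable_methods) pairs.
    """
    matches = []
    for vuln in db:
        dep = graph.get(vuln.package)
        if dep is None:
            continue
        if parse_version(dep["version"]) >= parse_version(vuln.fixed_in):
            continue  # deployed version already carries the fix
        present = vuln.methods & dep["methods"]
        if present:
            matches.append((vuln, present))
    return matches


def prioritize(graph, db, samples):
    """Rank applicable vulnerabilities by whether, and how often, their
    vulnerable methods are actually invoked according to profiler samples."""
    invocations = Counter()
    for method, count in samples:
        invocations[method] += count
    ranked = []
    for vuln, present in match_vulnerabilities(graph, db):
        calls = sum(invocations[m] for m in present)
        ranked.append({
            "vuln_id": vuln.vuln_id,
            "package": vuln.package,
            "severity": vuln.severity,
            "invoked": calls > 0,
            "invocations": calls,
        })
    # Reachable in production first, then by severity, then by call volume.
    ranked.sort(key=lambda r: (r["invoked"], r["severity"], r["invocations"]),
                reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(DEPENDENCY_GRAPH, VULN_DB, PROFILE_SAMPLES):
        status = "INVOKED" if row["invoked"] else "present, not invoked"
        print(f"{row['vuln_id']} {row['package']} sev={row['severity']} "
              f"{status} ({row['invocations']} sampled calls)")
```

On the constructed data, the logfmt-core finding ranks first because its vulnerable method is actually called in production; the yamlparse finding is present but only the unaffected safe_load path runs, so it drops down the list; the imgutil entry is discarded because the deployed version already contains the fix. That is the signal-versus-noise split the article is describing: package presence alone would have reported all three.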