Articles

Scan Container Images for CVEs with Datadog Container Security (2026)

April 16, 2026 4 min read

Datadog Container Security can tell you if your container images have vulnerabilities, but it’s not just about listing CVEs; it’s about understanding their context and impact within your running environment.

Here’s a container running a simple web server, scanned by Datadog Container Security:

{
  "image": "nginx:1.21.6",
  "repo": "docker.io/library",
  "tag": "1.21.6",
  "scan_date": "2023-10-27T10:30:00Z",
  "vulnerabilities": [
    {
      "name": "CVE-2023-12345",
      "severity": "HIGH",
      "package": "openssl",
      "version": "1.1.1o-1",
      "fixed_version": "1.1.1p-1",
      "description": "A buffer overflow vulnerability in the SSLv3 implementation.",
      "cvss_score": 7.5,
      "exploitability": "High",
      "runs_on": [
        {
          "container_id": "a1b2c3d4e5f6",
          "container_name": "my-web-server",
          "image_id": "sha256:abcdef123456...",
          "running_process": "nginx",
          "process_pid": 1
        }
      ]
    },
    {
      "name": "CVE-2023-67890",
      "severity": "MEDIUM",
      "package": "glibc",
      "version": "2.31-7",
      "fixed_version": "2.31-8",
      "description": "A heap-based buffer overflow in the iconv conversion.",
      "cvss_score": 6.4,
      "exploitability": "Medium",
      "runs_on": []
    }
  ]
}

This output shows two vulnerabilities. CVE-2023-12345 is a high-severity issue in openssl that is running in your my-web-server container. CVE-2023-67890 is a medium-severity issue in glibc, but it’s not currently running in any detected containers. Datadog’s value here is linking the CVE to the actual running process, not just the image definition.

The core problem Datadog Container Security solves is bridging the gap between static vulnerability scans of container images and the dynamic reality of your running applications. Traditional CI/CD pipelines might scan images before deployment, but they often lack visibility into:

  • Runtime Context: Is the vulnerable package actually being used by a running process? A CVE in a library that’s never loaded or executed by an application is a non-issue in that specific deployment.
  • Exploitability in the Wild: Is there known exploit code available for this CVE, and is your container exposed to the internet or other untrusted networks?
  • Blast Radius: If a CVE is exploited, what sensitive data or critical services are at risk within that container or its network?

Datadog achieves this by combining image scanning with its agent’s runtime monitoring capabilities. When the Datadog agent runs within your Kubernetes cluster or on your hosts, it can:

  1. Scan Images: During the CI/CD pipeline (via integrations with tools like Docker, Jenkins, GitLab CI) or on deployed images, Datadog analyzes the image layers and packages against vulnerability databases.
  2. Monitor Running Processes: The agent observes processes running inside containers, mapping them back to the image they originated from.
  3. Correlate Vulnerabilities and Runtime: It then cross-references the identified vulnerabilities in the image with the running processes. If a vulnerable package is part of a loaded library or executed by a running application, the CVE is flagged as relevant.
  4. Enrich with Threat Intelligence: Datadog can also pull in external threat intelligence to assess the exploitability of a CVE, further prioritizing risks.

The primary levers you control are:

  • Scan Frequency and Trigger Points: You decide when scans happen – in your CI/CD pipeline before pushing to a registry, when images are pulled, or on a scheduled basis for already deployed images.
  • Alerting and Notification Policies: You configure Datadog to alert specific teams or individuals when critical vulnerabilities are detected in running containers, or when certain exploitability conditions are met.
  • Integration with Orchestration: Datadog integrates deeply with Kubernetes, Docker, and other orchestrators, allowing it to automatically discover and monitor containers and their associated images.
  • Policy Enforcement: You can set policies that prevent the deployment or runtime of containers that violate your security posture (e.g., no critical CVEs running in production).

The most surprising aspect for many is how Datadog prioritizes vulnerabilities not just by CVSS score, but by whether the vulnerable component is actually loaded and executed by a process within the running container. A "CRITICAL" CVE in a library that’s part of the image but never touched by nginx when it starts up, is often de-prioritized by Datadog in favor of a "HIGH" CVE in a library that nginx does actively use. This runtime context dramatically reduces alert fatigue and focuses remediation efforts on the most immediate threats.

The next step is understanding how to use this enriched vulnerability data to drive automated remediation or policy enforcement.

Want structured learning?

Take the full Datadog course →