Software composition analysis (SCA) tools have become essential in modern security programs. They continuously inventory the components in your builds, images, and packages and match those component fingerprints against Common Vulnerabilities and Exposures (CVE) databases to surface known vulnerabilities in dependencies. SCA tools are effective at scale, but they introduce a persistent challenge: not every flagged vulnerability presents a risk in the context where the component is actually used.

If you run Datadog software such as the Agent, container images, or packages, there’s a good chance your scanner has flagged one of our artifacts for a CVE. From there, your security team is left in a difficult position: spend time investigating a vulnerability in software you don’t own and can’t fully inspect, or accept the risk and move on. Either way, the burden falls on you to make a call without the full picture.

The Datadog Public Artifact Vulnerabilities page closes that gap by publishing exploitability assessments for Datadog-managed software, so you can make informed decisions about findings that affect our artifacts and libraries. We publish these assessments using the OpenVEX specification, which provides data that is both human-readable and machine-readable. OpenVEX implements the Vulnerability Exploitability eXchange (VEX) model: each statement records whether a given product is affected, not affected, fixed, or under investigation for a given vulnerability, and, for not-affected statements, the justification. By incorporating this context into your workflows, you can reduce noise in your scans and prioritize the issues that actually require action.
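As an added illustration, not code from this page or from Datadog's own tooling, the following Python script shows one way a consumer can fold an OpenVEX document into SCA triage. It indexes statements by (vulnerability, product), lets the newest statement win when a later one supersedes an earlier one, rejects not_affected statements that lack the justification or impact statement the spec requires, and suppresses a scanner finding only when an explicit not_affected or fixed statement exists for that exact product. The OpenVEX document, the package URLs, the CVE placeholder identifiers, the author, and the scanner findings are all constructed for the example.

```python
"""Triage SCA findings against an OpenVEX document (added illustration)."""
import json
from datetime import datetime

# Constructed OpenVEX document. The PURLs, CVE placeholders and author are
# hypothetical; this is not a real Datadog VEX statement.
OPENVEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/agent-2024-02-01",
  "author": "Example Vendor Security Team",
  "timestamp": "2024-01-10T00:00:00Z",
  "version": 2,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:docker/example/agent@1.0.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "The affected function is never called."},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:docker/example/agent@1.0.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:docker/example/agent@1.0.0"}],
     "status": "fixed",
     "timestamp": "2024-02-01T00:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:docker/example/agent@1.0.0"}],
     "status": "affected",
     "action_statement": "Upgrade to agent 1.0.1."}
  ]
}
""")

# Constructed scanner output: (CVE, package URL) pairs as an SCA tool might emit.
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:docker/example/agent@1.0.0"},
    {"cve": "CVE-0000-0002", "purl": "pkg:docker/example/agent@1.0.0"},
    {"cve": "CVE-0000-0003", "purl": "pkg:docker/example/agent@1.0.0"},
    {"cve": "CVE-0000-0004", "purl": "pkg:docker/example/agent@1.0.0"},
    {"cve": "CVE-0000-0001", "purl": "pkg:docker/example/agent@0.9.0"},
]

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Justification labels the OpenVEX spec defines for not_affected statements.
JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
SUPPRESSIBLE = {"not_affected", "fixed"}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def index_statements(doc):
    """Map (vulnerability, product) -> statement; the newest timestamp wins.

    Statements without their own timestamp inherit the document timestamp, and
    a not_affected statement must carry a justification or impact_statement.
    Malformed input is rejected rather than silently used to suppress findings.
    """
    if not str(doc.get("@context", "")).startswith("https://openvex.dev/ns"):
        raise ValueError("not an OpenVEX document")
    doc_ts = _parse_ts(doc["timestamp"])
    index = {}
    for st in doc["statements"]:
        status = st["status"]
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        if status == "not_affected" and not (
            st.get("justification") in JUSTIFICATIONS or st.get("impact_statement")
        ):
            raise ValueError("not_affected statement lacks justification")
        vuln = st["vulnerability"]
        name = vuln["name"] if isinstance(vuln, dict) else vuln  # v0.1 used a string
        ts = _parse_ts(st["timestamp"]) if "timestamp" in st else doc_ts
        for product in st["products"]:
            key = (name, product["@id"])
            if key not in index or ts > index[key][0]:
                index[key] = (ts, st)
    return {key: st for key, (_, st) in index.items()}


def triage(findings, vex_index):
    """Split findings into (actionable, suppressed) by VEX status.

    Only an explicit not_affected or fixed statement for the exact product
    suppresses a finding; a missing statement leaves it actionable.
    """
    actionable, suppressed = [], []
    for f in findings:
        st = vex_index.get((f["cve"], f["purl"])) or {}
        status = st.get("status", "no_statement")
        note = st.get("justification") or st.get("action_statement") or ""
        annotated = {**f, "vex_status": status, "vex_note": note}
        (suppressed if status in SUPPRESSIBLE else actionable).append(annotated)
    return actionable, suppressed


if __name__ == "__main__":
    todo, quiet = triage(FINDINGS, index_statements(OPENVEX_DOC))
    for item in todo:
        print("ACT   ", item["cve"], item["purl"], item["vex_status"], item["vex_note"])
    for item in quiet:
        print("IGNORE", item["cve"], item["purl"], item["vex_status"], item["vex_note"])
```

Two design points matter here. Product matching is by exact identifier, so the statement for agent@1.0.0 says nothing about agent@0.9.0 and that finding stays actionable; do not loosen the match to a name prefix. The script also trusts whatever document it is handed, so in a real pipeline fetch the VEX data from the vendor's published location over a channel you trust and keep the fetched copy with the scan results so a suppression can be audited later.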