docs(csm-vm): add code-to-cloud Dockerfile source linking section#36897
Open
cyrbouchiat wants to merge 4 commits into
Add a new "Trace production vulnerabilities to source code" section to the Cloud Security Vulnerabilities overview page. This section explains how Datadog links CVEs detected on running container images back to the Dockerfile and commit that introduced the vulnerable package, and cross-references the CI/CD setup guide for OCI annotation configuration. Also adds two screenshots (light/dark) showing the Dockerfile preview panel in the vulnerability detail view.

Co-authored-by: Cursor <cursoragent@cursor.com>
janine-c approved these changes on May 21, 2026
janine-c left a comment
Looks great, thank you, Cyril! Just some very minor feedback, but nothing to get in the way of merging when we're ready.
| ## Trace production vulnerabilities to source code | ||
| When a CVE is detected on a running container image, Datadog can link it directly to the Dockerfile and commit that introduced the vulnerable package. This closes the gap between a production alert and the code change that caused it, giving developers the context they need to remediate at the source rather than chasing package versions across registries. |
Suggested change
| When a CVE is detected on a running container image, Datadog can link it directly to the Dockerfile and commit that introduced the vulnerable package. This closes the gap between a production alert and the code change that caused it, giving developers the context they need to remediate at the source rather than chasing package versions across registries. | |
| When Datadog detects a CVE on a running container image, it can link the CVE directly to the Dockerfile and commit that introduced the vulnerable package. This closes the gap between a production alert and the code change that caused it, giving developers the context they need to remediate at the source rather than chasing package versions across registries. |
Hopefully clarifies what "it" in "can link it directly" refers to?
Docs don't use dark images, so you're good to remove this file 🙂
| To enable this code-to-cloud mapping, add OCI image annotations to your container images at build time. Datadog uses these annotations to display a preview of the Dockerfile inside the Container Image Vulnerabilities panel and to surface the exact repository, commit, and file path associated with the vulnerability. | ||
| {{< img src="security/vulnerabilities/csm-vm-dockerfile-panel.png" alt="The Container Image Vulnerabilities panel showing a Dockerfile preview linked to a detected CVE" width="100%">}} |
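Review bot: the sentence "To enable this code-to-cloud mapping, add OCI image annotations to your container images at build time" tells readers to add annotations but neither names the keys nor links to where they are configured; since the test plan checks that the "Link Dockerfile to vulnerabilities" link resolves to the CI/CD anchor, put that link inline in this sentence rather than only in Further reading, so a reader landing on this paragraph can act on it. Also, the panel is called the "Container Image Vulnerabilities panel" here and in the image alt text but the "vulnerability detail view" in the PR description; pick one name and use it in both places.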
This image seems to have gotten compressed somehow, so it's a bit blurry. It also shows a lot of the UI, so it's hard to see which part is the relevant part of the page. I can help you make a more cropped version if you send me the URL, or maybe we don't need an image here?
Summary
Context
This section is part of DASH preparation, making the code-to-cloud remediation workflow more discoverable from the main vulnerabilities page.
Test plan
- [Link Dockerfile to vulnerabilities] link resolves to the correct CI/CD anchor
- `further_reading` entry appears in the "Further reading" section at the bottom

Made with Cursor