Agentless Docs Update for Cloud Security Management #34641
Open
leo-wang-dd wants to merge 28 commits into master from
…g overview
- Add prominent explanation of Datadog's in-environment scanning architecture (data never leaves customer account) as key differentiator
- Replace vague "$1/host/year" cost section with detailed cost breakdown table ($80/mo fixed per scanner, $0.10/mo per scanned host)
- Add regional scanner guidance (150+ hosts threshold)
- Add GovCloud/FIPS not-supported callout
- Fix "Leveraging" → "Using" per style guide
- Note 24-hour scanner rotation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Replace thin cross-account/same-account tabs with a 4-step decision tree:
  1. Single vs multi-account topology
  2. Regional scanner distribution (150+ host threshold, down from 250)
  3. Scanner capacity limits (4 per region, 200 hosts per cycle)
  4. Enterprise networking (existing VPC for SCP-restricted environments)
- Add capacity limits table and ASG hard cap warning
- Add scanner reboot/queue reset note
- Consolidate recommended configuration section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Registry scanning caveats:
- ECR: clarify it scans running images + last 1,000 pushed at-rest
- GAR: clarify running workloads only, no at-rest scanning
- ACR: add as coming ~end of March 2026, running containers only
- Add registry comparison table with clear support levels
Kubernetes caveats:
- EKS: EC2 nodes only, no Fargate, scans underlying instances
- AKS: VMs only, not VMSS, not ACI
- GKE: Standard only, no Autopilot, no image streaming
Additional coverage:
- Add Kubernetes row to main compatibility table
- Add Host Images row (AMI only)
- Add Sensitive Data row (S3, RDS private beta)
- Add Azure Container Apps/Instances coming ~end of March 2026
- Clarify GCP Cloud Run container deployment type limitation
- Add GovCloud Remote Config dependency and FIPS note
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- setup/_index.md: Change "AWS hosts, Lambda functions, AMIs" to "AWS, Azure, and GCP cloud hosts, containers, serverless functions, and host images" to reflect multi-cloud GA support
- vulnerabilities/_index.md: Add caveats to registry table — ECR supports running + at-rest, GAR supports running workloads only. Clarify Cloud Run container deployment type limitation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add expected timeline after deployment (0-15 min discovery, 15-30 min scanning, 30-60 min results) so users know the product is not broken during the initial wait
- Add callout that first results appear within ~1 hour
- Add CF parameter guidance: note that non-CSM parameters can be left at defaults for vulnerability management-only setups
- Improve Terraform section intro with multi-region recommendation and link to deployment topology guide
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

New page covers:
- Post-deployment wait (expected 0-60 min timeline, verification steps)
- VPC creation failures due to SCP restrictions
- Scanner capacity limits and ASG hard cap
- Scanner instances appearing as vulnerable hosts (with filter guidance)
- Agent deduplication behavior explanation
- Cross-region cost troubleshooting
- GovCloud/FIPS limitations
Also updates troubleshooting index to link to new page.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

VMSS-backed AKS nodes are supported for agentless scanning. Only AKS on ACI remains unsupported.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Restructure opening to emphasize the 3-step flow: deploy in-environment, scan locally, only SBOM leaves
- Frame Datadog's approach as a deliberate choice for data privacy
- Lead with data privacy as core value in benefits list
- Add data residency/sovereignty framing
- Replace Lambda-specific references with cloud-agnostic "serverless functions"
- Clarify that only the SBOM (not raw data) is transmitted to Datadog
- Remove Trivy database mention from vulnerability matching step
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…initions, capitalization
Author
Still adjusting a few changes
Contributor
Created DOCS-13425 for editorial review. Thanks for all the work here, @leo-wang-dd!
…ssues
- Add data flow statement to intro (SBOM-only, data stays in customer infra)
- Add before-you-begin overview with time estimate and numbered steps
- Remove contradictory Quick Start callouts from CloudFormation and Terraform
- Deduplicate "After setup" links from 10 instances to 3 (one per cloud tab)
- Add Terraform examples directory links to all three cloud providers
- Add nested stack context to CloudFormation update instructions
- Fix style: remove "straightforward", "not yet", danger->warning for SDS callout, standardize bold nav formatting, merge redundant GCP steps, split long sentences, fix step numbering, add alt text to images
- Clean up orphaned link references across tab scopes
- Fix shortcodes: "refer to" -> "see", "Click on" -> "Click"

Hugo's tabs shortcode flattens nested {{< tabs >}} into a single tab bar,
causing "New AWS account", "Existing AWS account", etc. to appear as empty
top-level tabs. Replace inner tabs within CloudFormation, Terraform, and
Azure ARM sections with h5 headings to keep New/Existing paths visually
separated without breaking the outer cloud-provider tabs.

…ontent cleanup
- Remove Kubernetes EC2 implementation detail from compatibility table
- Rewrite regional distribution section for clarity in deployment_methods
- Simplify recommended config section to just summary bullets
- Convert numbered link refs to inline links (fix broken refs in collapse-content)
- Wrap Azure ARM and GCP Cloud Shell in collapse-content for consistency
- Trim Quick Start to minimal description with first-time-only callout
- Add multi-subscription Terraform recommendation for Azure
- Remove CloudFormation template parameters and exclude resources sections
- Update verify timing to 20-minute first scan cycle

…iew and setup
- Move "Updating your deployment" to dedicated update.md page
- Reorder overview: cloud provider cost above security considerations, on-demand scanning to bottom
- Condense security considerations from 8 bullets to 4
- Replace "Agent installations" section with inline info callout
- Fix setup overview: agentless provides breadth, Agent adds depth
- Trim enable.md: permissions transparency note, 30-min scan cycle

…ify cloud storage
- Replace deployment topology callout with inline Step 1: Plan your deployment
- Add Step 2: Deploy heading for cloud provider tabs
- Remove Cloud Storage Scanning private beta callout (now GA)
- Shorten Cloud Storage section to concise description
- Update permissions transparency wording
- Set first scan cycle to 30 minutes
Author
Finished changes on my side
Contributor mohamed-challal left a comment
Great job Leo! I think we should reword some sections before merging.
I will continue the review on Monday
content/en/security/cloud_security_management/troubleshooting/agentless_scanning.md
Outdated
content/en/security/cloud_security_management/troubleshooting/agentless_scanning.md
Outdated
content/en/security/cloud_security_management/setup/agentless_scanning/_index.md
Comment on lines -48 to -53
| This is useful when you need to: | ||
| - Verify a vulnerability has been patched | ||
| - Get immediate results for newly deployed resources | ||
| - Validate security posture before production deployment | ||
|
|
||
| For more information, see the [On-Demand Scanning API documentation][14]. |
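Review bot: the lines commented on here (-48 to -53) hold the three bullets under "This is useful when you need to:" and the pointer to the On-Demand Scanning API documentation, which relies on the numbered reference [14]. If this text is being relocated rather than cut, carry the use-case bullets with it and confirm the link still resolves at the new location, either by keeping the [14] definition in scope or by converting it to an inline link.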
Contributor
We are removing this part?
Author
We moved it to the bottom of the page
Contributor
Yes, but we removed the use cases examples, is it intentional?
content/en/security/cloud_security_management/troubleshooting/agentless_scanning.md
Outdated
content/en/security/cloud_security_management/troubleshooting/agentless_scanning.md
Outdated
content/en/security/cloud_security_management/setup/agentless_scanning/compatibility.md
Outdated
content/en/security/cloud_security_management/setup/agentless_scanning/enable.md
Outdated
content/en/security/cloud_security_management/setup/agentless_scanning/update.md
…agentless_scanning.md
Co-authored-by: Mohamed Challal <mohamed.challal@datadoghq.com>

- Reword Agent exclusion: SBOM collection → Vulnerability Management features
- Link to docs page instead of app for Vulnerability Management
- Expand scanner-as-vulnerable-host explanation (cause before fix)
- Rename cross-region costs heading, softer wording
- Add back exclude resources one-liner with link to resource filters
- Remove "only" from AMI in compatibility table
- Remove Azure Cloud Shell not-available callout



What does this PR do? What is the motivation?
Comprehensive audit and improvement of the Agentless Scanning documentation. Key changes:
privacy model (SBOM is the only data that leaves the customer's environment)
host)
capacity limits → enterprise networking)
running-only), added Host Images and SDS rows
pages
Fixes DOCS-XXXXX
Merge instructions
Merge readiness:
Additional notes
GA.