datadog-ci

The official Datadog CLI container image for pushing CI/CD metadata, uploading test results, running Synthetic tests, annotating deployments, and evaluating pipeline gates — designed to run as a job or step inside any CI/CD pipeline.

datadog-ci, datadog, CI/CD, test visibility, pipeline, observability

What is datadog-ci?

The datadog-ci image packages the datadog-ci CLI so you can integrate Datadog's observability platform directly into your CI/CD pipeline without installing the binary on the runner host. datadog-ci is Datadog's official pipeline companion tool: it uploads JUnit test reports, code coverage data, SARIF security scan results, SBOMs, sourcemaps, and git metadata so Datadog can correlate test runs with commits and releases. It also marks deployment events, evaluates deployment gates, runs Datadog Synthetic tests from within the pipeline, instruments serverless functions on Lambda, Cloud Run, and Azure App Services, and adds custom tags and measures to CI Visibility pipeline traces. The datadog-ci image is typically run as a short-lived job, step container, or sidecar in GitHub Actions, GitLab CI, CircleCI, and other CI/CD systems. It authenticates with the DD_API_KEY and DD_APP_KEY environment variables (and reads DD_SITE to select the Datadog site) and returns an exit status the pipeline can act on, which makes it a natural fit for containerized pipeline steps where installing Node tooling on the runner is undesirable. Because those variables carry credentials, inject them from the CI system's secret store rather than writing them into the job definition.

What is Echo's datadog-ci image?

Echo's datadog-ci image is a hardened build of datadog-ci on Echo's hardened base. Echo images are designed to be a drop-in replacement: swap the image reference in your pipeline job definition and CVEs go to zero without disrupting your test uploads, deployment annotations, or Synthetic test execution. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants:

  • Distroless variant — optimized for runtime use, with the smallest possible attack surface
  • Default variant — includes essential build tools, package managers, and shells for teams that need operational access

For production datadog-ci deployments in CI/CD pipelines, the distroless variant keeps all CLI operations (test report uploads, deployment event creation, gate evaluation, and Synthetic test execution) fully intact while minimizing exposure. One caveat: a distroless image carries no shell, and CI systems that execute shell steps inside a job container (GitHub Actions run steps, GitLab CI script blocks) need a shell in the image to do so, so the distroless variant fits execution paths that invoke the datadog-ci binary directly as the container command, such as docker run or a Kubernetes Job. The default variant suits platform teams that need shell access for pipeline scripting or debugging datadog-ci command output.

What is the difference between Echo's datadog-ci image and the public datadog-ci image?

Public datadog-ci images ship on bases that include OS-level tooling convenient for development but which contribute CVEs that accumulate on a container running inside your CI/CD pipeline with access to your Datadog API credentials, test results, deployment metadata, and SBOM data. CI/CD tooling images are one of the most overlooked attack surfaces in software delivery — a compromised datadog-ci image runs at the intersection of your source code, secrets, and observability platform, with the ability to tamper with test results, forge deployment events, or exfiltrate API keys used across your entire pipeline. Echo's build retains everything datadog-ci needs for test uploads, deployment annotations, gate evaluation, and Synthetic test execution while removing the packages that don't belong in a production pipeline tooling container. As we covered in our post on how to protect your company from software supply chain attacks, CI/CD tooling images sit at the exact point in the delivery chain where supply chain attacks cause the most damage — late enough to bypass code review, early enough to affect every downstream deployment. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.

FAQ

Can I replace my datadog-ci image with Echo's datadog-ci image?

Yes. Echo's datadog-ci image is a drop-in replacement. Update the image reference in your pipeline job definition, whether that's a GitHub Actions container step, a GitLab CI image field, or a Docker run command, and your pipeline integration keeps working. Test report uploads, deployment event creation, Synthetic test execution, gate evaluation, and custom tag and measure injection all continue to work without any changes to your existing datadog-ci commands or environment variable configuration. When you swap the reference, pin it by digest rather than a mutable tag, so the image your pipeline runs with your Datadog keys is exactly the one you reviewed.
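The following script is an added example and is not Echo's or Datadog's own code. It shows the Docker run path described above with the checks a pipeline owner would want around it: the image reference must be pinned to a digest, the Datadog keys are forwarded into the container by name so their values never appear in the command line or CI logs, and the container runs read-only with capabilities dropped. The registry path and the all-zero digest are placeholders, the presence of the datadog-ci binary on PATH inside the image is an assumption, and DRY_RUN is a switch introduced here so the assembled command can be inspected without Docker.

```shell
#!/bin/sh
# Added example, not Echo's or Datadog's own code: run `datadog-ci junit upload`
# from a container image pinned by digest. Assumptions: the image reference is a
# placeholder (the all-zero digest is not a real digest), the datadog-ci binary is
# on PATH inside the image, and DRY_RUN is a switch introduced here for inspection.
set -eu

# Accept only references pinned to a sha256 digest. A mutable tag such as :latest
# can be re-pointed in the registry without any change to the pipeline definition.
require_digest_pin() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Run the upload in a locked-down container. The Datadog keys are forwarded by
# name (-e VAR with no value), so they never appear in the argument list or logs.
run_junit_upload() {
  image=$1; service=$2; reports_dir=$3
  require_digest_pin "$image" || { echo "refusing unpinned image: $image" >&2; return 1; }
  [ -d "$reports_dir" ] || { echo "no such reports directory: $reports_dir" >&2; return 1; }
  [ -n "${DD_API_KEY:-}" ] || { echo "DD_API_KEY is not set" >&2; return 1; }
  abs_reports=$(cd "$reports_dir" && pwd)   # docker -v requires an absolute host path

  set -- docker run --rm \
    --read-only --tmpfs /tmp --cap-drop ALL --security-opt no-new-privileges \
    -e DD_API_KEY -e DD_APP_KEY -e DD_SITE \
    -v "$abs_reports:/reports:ro" -w /reports \
    "$image" datadog-ci junit upload --service "$service" /reports

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"   # print the assembled command instead of running it
  else
    "$@"
  fi
}

# Example invocation (placeholder reference; substitute the digest your registry reports):
# DD_API_KEY=... run_junit_upload \
#   registry.example.com/echo/datadog-ci@sha256:0000000000000000000000000000000000000000000000000000000000000000 \
#   my-service ./reports/junit
```

The same pattern carries over to a GitHub Actions or GitLab CI job definition: put the digest-pinned reference in the container or image field and source DD_API_KEY and DD_APP_KEY from the CI secret store. Remember that those runners execute their shell steps inside the job container, so they need the variant that ships a shell; the direct docker run form above is the one that works with a distroless image.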

Is Echo's datadog-ci image FIPS-validated?

Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use — unlike FIPS-compliant images that haven't been validated. This matters for platform teams running CI/CD pipelines inside FedRAMP boundaries where tooling that authenticates to external APIs, transmits test results, and handles deployment credentials must meet cryptographic requirements.

What is Echo's vulnerability management SLA on the datadog-ci image?

Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version — critical for a pipeline tooling image that runs on every CI job with access to Datadog API keys, test results, and deployment metadata across your entire software delivery process.

Is Echo's datadog-ci image distroless?

Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For production pipeline steps where datadog-ci is invoked directly as the container command (docker run, a Kubernetes Job, a Tekton or Argo step), the distroless variant is the leaner, more secure choice. Runners that execute shell steps inside the job container, such as GitHub Actions run steps and GitLab CI script blocks, need a shell in the image, which a distroless image does not include; for those, and for platform teams that need shell access for pipeline scripting, debugging CLI output, or wrapping datadog-ci commands in shell logic, the default variant is the right fit.

How does Echo achieve such a drastic CVE reduction in datadog-ci?

Echo's datadog-ci image is built from source with only the absolute essentials needed to run the CI/CD CLI workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the datadog-ci version that matches your pipeline integration without forcing a disruptive toolchain change for the sake of security.

Will Echo's datadog-ci image help us achieve FedRAMP?

Yes. The hard parts of FedRAMP — managing vulnerabilities, applying fixes, and using FIPS-validated cryptography — are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting. For platform teams running CI/CD pipelines that feed observability data into Datadog under an ATO, Echo's hardened datadog-ci image keeps the pipeline tooling layer in-boundary and compliant.

Interested in base images that start and stay clean?