7.79.2

Agent

Prelude

Released on: 2026-06-03

• Please refer to the 7.79.2 tag on integrations-core for the list of changes on the Core Checks

Security Notes

• Bumped containerd dependencies to mitigate CVE-2026-46680: github.com/containerd/containerd to v1.7.32 and pinned github.com/containerd/containerd/v2 to v2.0.9 (the EOL v2.1.x line has no fix).

Bug Fixes

• Use the Docker daemon's /ping endpoint instead of /info to verify connectivity during DockerUtil initialization. Some daemons emit DefaultAddressPools[].Base values in /info that are not valid CIDRs, which fail the strict netip.Prefix decoding introduced by the moby v29 client and previously caused DockerUtil to fail to initialize. This cascaded into the Docker workloadmeta collector and the Docker core check being unavailable, leading to missing container/image tags on metrics and traces from Docker containers.

• Fix the Agent's Docker integration against Docker daemons that return malformed values in their /info response. The failure was visible in Agent logs as:

  Docker init error: temporary failure in dockerutil, will retry later:
  Error reading remote info: netip.ParsePrefix("invalid Prefix"): no '/'
  

  When triggered, it prevented the Docker integration from initializing, which cascaded into:

  • missing container and image tags on metrics, traces and logs collected from Docker containers,
  • missing docker_version and docker_swarm entries in host metadata,
  • missing docker_swarm_node_role host tag on Docker Swarm nodes,
  • in containerized deployments without an explicit DD_HOSTNAME, the Agent could refuse to start because the Docker hostname provider could no longer determine a hostname.

• Add the macOS hardened-runtime Location Services entitlement (com.apple.security.personal-information.location) to signed Agent binaries in order to trigger the system location permission prompt properly.

Datadog Cluster Agent

Prelude

Released on: 2026-06-03 Pinned to datadog-agent v7.79.2: CHANGELOG.

Bug Fixes

• Cluster Agent: Evaluate AppSec sidecar admission webhook match conditions against the deleted object for pod deletion requests.
• Cluster Agent: Prevent disabled AppSec proxy injection cleanup from enabling the AppSec sidecar admission webhook.

7.79.1

Agent

Prelude

Released on: 2026-05-28

• Please refer to the 7.79.1 tag on integrations-core for the list of changes on the Core Checks

Security Notes

• Bump github.com/prometheus/prometheus to v0.311.4 to address CVE-2026-42151 and CVE-2026-42154.

Bug Fixes

• Windows: Fix CD-ROM drives being monitored by the disk check since Agent 7.73.0. The diskv2 check now uses the Windows GetDriveType() API to properly detect and exclude CD-ROM drives, matching the behavior of the previous Python disk check. This fixes false alerts on system.disk.in_use for CD-ROM drives with inserted media.
• Fix a bug in the workload autoscaling controller where annotation-only edits (e.g. autoscaling.datadoghq.com/preview) on a locally-owned DatadogPodAutoscaler were not picked up until the next .spec change or cluster-agent restart, because the controller gated re-sync on .metadata.generation (which annotations do not bump). Toggling burstable mode via the preview annotation now takes effect on the next reconcile.
• MacOS agent GUI app needs to ignore SIGPIPE to avoid process termination.
• On macOS, preserve user customizations to system-probe.yaml across Agent upgrades.
• Fixed a bug on Windows where the NPM TCP failure rate could exceed 100% and climb indefinitely.

Datadog Cluster Agent

Prelude

Released on: 2026-05-28 Pinned to datadog-agent v7.79.1: CHANGELOG.

7.79.0

Agent

Prelude

Released on: 2026-05-20

• Please refer to the 7.79.0 tag on integrations-core for the list of changes on the Core Checks

Upgrade Notes

• Upgraded JMXFetch to 0.52.0, which adds JMX metrics mappings for Generational Shenandoah GC and introduces the use_canonical_bean_name option to guarantee consistent key property ordering in bean names. See 0.52.0 for more details.
• On macOS, the Agent now installs as a system-wide LaunchDaemon running under a dedicated _dd-agent service user instead of a per-user LaunchAgent. Existing per-user installations will need to uninstall and reinstall to adopt the new mode. The previous install script is preserved as install_mac_os_v1.sh for versions prior to 7.79.0.

New Features

• Flares now include a connectivity/resolved_endpoints.txt file that lists the IP addresses each configured Datadog intake endpoint hostname resolves to at flare-generation time. This makes it straightforward to determine whether the Agent is using PrivateLink (private IPs) or the public Datadog intake.
• Added a capacity-type:spot host tag on AWS EC2 Spot instances. The tag is collected from IMDS and added alongside the other EC2 instance info host tags when collect_ec2_instance_info is enabled.
• Adds cluster agent processing of select actions on kubernetes resources
• APM: Add a context-aware shutdown API to the trace agent, allowing callers to specify a timeout when waiting for the agent to stop gracefully.
• Add a native Go core check for the Datadog CSI driver (datadog_csi_driver), replacing the Python OpenMetrics integration. The check scrapes the CSI driver's Prometheus endpoint and submits datadog.csi_driver.node_publish_volume_attempts.count and datadog.csi_driver.node_unpublish_volume_attempts.count as monotonic count metrics. Metric names, tags, and autodiscovery identifiers are unchanged; no user action is required.
• Add DNS monitoring support on macOS using libpcap packet capture.
• Add the comp/dataobs/queryactions agent component for Data Observability query actions. When enabled via data_observability.query_actions.enabled: true, the component subscribes to the DO_QUERY_ACTIONS Remote Configuration product and schedules a do_query_actions Python check to execute SQL queries against monitored Postgres instances on configurable intervals. Results are forwarded to the data-obs-intake.<site>/api/v2/query-actions event platform endpoint.
• Add agent experimental check-config and agent experimental onboard commands that run a 6-stage validation pipeline on datadog.yaml without requiring a running agent: file permissions, YAML syntax (with line-level error messages), API key format, site/region validity, live API key validation (skippable with --no-api), and a product enablement summary. These commands are experimental and subject to change.
• On macOS, the Agent now collects CPU L1/L2/L3 cache sizes, CPU package count, and hardware platform in host metadata.
• Kata core check to gather kata metrics, see details - https://github.com/kata-containers/kata-containers/blob/main/docs/design/kata-2-0-metrics.md#metrics-architecture
• The macOS install script now accepts DD_INFRASTRUCTURE_MODE to set the Agent's infrastructure_mode at install time.
• Add support for Cloud Network Monitoring (CNM) on macOS via BPF filters.
• The macOS install script now performs a system-wide installation by default. The Agent runs as a dedicated _dd-agent user via LaunchDaemon.
• New gauge metric datadog.dogstatsd.offline_duration reports how long (in seconds) the DogStatsD server was offline between the previous shutdown and the current startup. Enable with telemetry.offlinereporter.enabled: true (disabled by default).

Enhancement Notes

• Added support for all public registries to the K8s SSI gradual rollout feature.

  • The default list of Datadog registries is now:
    • gcr.io/datadoghq
    • docker.io/datadog
    • public.ecr.aws/datadog
    • datadoghq.azurecr.io
    • us-docker.pkg.dev/datadoghq/gcr.io
    • europe-docker.pkg.dev/datadoghq/eu.gcr.io
    • asia-docker.pkg.dev/datadoghq/asia.gcr.io
    • registry.datad0g.com
    • registry.datadoghq.com

• Sends status updates for kubernetes actions through the EVP pipeline.

• Add datadog-apm-library-nginx to the fleet installer so it is installed alongside the other APM libraries when APM instrumentation is enabled.

• The cluster agent readiness probe now includes the admission controller webhook server. Newly started cluster agents will not be marked as ready until the webhook can serve requests, preventing missed pod mutations during rollouts.

• Added new additional_metric_tags field to APM metrics payload to allow tracers to send customer configured span derived primary tags.

• APM: Fetch Org Propagation Marker on startup to Org Propagation Guard. The trace-agent now fetches /api/v2/validate at startup to derive an Org Propagation Marker (OPM) and exposes it in the /info endpoint.

• Agents are now built with Go 1.25.10.

• Bump rshell to v0.0.10 for the Private Action Runner. Shell commands now follow symlinks that cross between allowed roots and resolve host-mounted paths correctly in containerized deployments.

• Bump rshell to v0.0.14.

• Added internal telemetry counters to measure the impact of enabling auto_multi_line_detection by default. The counters track how many log lines would be combined and how many would risk truncation, without changing any log processing behavior.

• system-probe: The discovery module (discovery.enabled) and system-probe-lite (discovery.use_system_probe_lite) are now enabled by default on Linux. When discovery is the only enabled system-probe module, system-probe-lite is automatically used to minimize resource usage. To disable discovery, set discovery.enabled: false in system-probe.yaml.

• Add ECS Fargate task ARN to X-Datadog-Additional-Tags header on data-streams-message HTTP requests.

• Dynamic Instrumentation: Add support for conditional probes via the when clause. Probes can now include equality conditions that compare captured variables against literal values (integers, floats, booleans, strings, and null). When a condition evaluates to false, the probe event is suppressed, reducing overhead for high-traffic instrumentation points.

• Dynamic Instrumentation: Add support for probing Go generic functions. Snapshots and log probes now display concrete types for generic parameters.

• Enables network monitoring for devices with infrastructure_mode: end_user_device.

• When using RDS Aurora Autodiscovery, tags present on the cluster are now inherited by the instances. For example, if a cluster has the tag datadoghq.com/dbm: true, all instances in that cluster will have extra_dbm_enabled: true`. Tags on the instances will override tags on the cluster.

• Add SandboxId field to the workloadmeta structure. Update collectors (crio and containerd) accordingly.

• The kubelet core check now reports container kubernetes.containers.cpu.requests, kubernetes.containers.cpu.limits, kubernetes.containers.memory.requests, and kubernetes.containers.memory.limits metrics using the live values from pod.status.containerStatuses[].resources when available, so the metrics reflect the effective runtime values after an in-place vertical resize. Resources declared only in the pod spec (for example GPUs or custom resources) are preserved, and clusters where the kubelet does not yet populate status.resources continue to report the spec values as before.

• The logs agent now retries log payloads on HTTP 403 (Forbidden) responses instead of dropping them, when the endpoint's API key was resolved from a secrets backend. On 403, the agent triggers an asynchronous secrets refresh and retries the payload. This applies to the core logs agent, CWS security reporter, compliance reporter, and the event platform forwarder. Endpoints whose API key is not managed by the secrets backend retain the original drop behavior.

• Hide DMG mount in MacOS agent installation process.

• Send device metadata for devices monitored by Network Configuration Management.

• NPM connection payloads now include a process_name:<name> tag identifying the process executable that owns each connection. The tag is populated from the process agent's process list and requires process_config.process_collection.enabled to be set to true.

• Switch config implementation to an improved version by default. Can be disabled with the env var DD_CONF_NODETREEMODEL=viper, or the config setting conf_nodetreemodel: viper in datadog.yaml.

• The OTel Agent now supports a standalone mode (DD_OTEL_STANDALONE=true) that runs without a co-resident core Datadog Agent. In standalone mode a new dogtelextension OpenTelemetry Collector extension provides Datadog Agent functionality directly.

• OTLP ingest configuration keys now register explicit default values matching the upstream OpenTelemetry Collector defaults. Previously these keys were bound without defaults, which caused agent config and similar introspection commands to omit them. Runtime behavior is unchanged: only user-configured values are forwarded to the OTel Collector pipeline, so unconfigured settings continue to use the Collector's own built-in defaults.

  Notable default changes in pkg/config/config_template.yaml:

  • Receiver endpoints — localhost:4317 (gRPC) and localhost:4318 (HTTP) instead of the former 0.0.0.0 bind address (see [7.56.0 Upgrade Notes](https://github.com/DataDog/datadog-...

7.78.4

Agent

Prelude

Released on: 2026-05-14

• Please refer to the 7.78.4 tag on integrations-core for the list of changes on the Core Checks

Security Notes

• Upgrade github.com/moby/spdystream to 0.5.1 to address CVE-2026-35469. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.

Datadog Cluster Agent

Prelude

Released on: 2026-05-14 Pinned to datadog-agent v7.78.4: CHANGELOG.

7.78.3

Agent

Prelude

Released on: 2026-05-07

• Please refer to the 7.78.3 tag on integrations-core for the list of changes on the Core Checks

Security Notes

• Upgrade go.opentelemetry.io/otel/sdk to v1.43.0 to address CVE-2026-39883, a PATH-hijacking vulnerability in the OpenTelemetry Go SDK's host detection on BSD and Solaris platforms (the SDK invoked the kenv command without an absolute path). The Datadog Agent's primary supported platforms (Linux, Windows, macOS) are not affected at runtime, but the dependency is upgraded to keep the shipped binary free of the vulnerable code.

Datadog Cluster Agent

Prelude

Released on: 2026-05-07 Pinned to datadog-agent v7.78.3: CHANGELOG.

7.78.2

Agent

Prelude

Released on: 2026-04-29

• Please refer to the 7.78.2 tag on integrations-core for the list of changes on the Core Checks

Enhancement Notes

• Adds datadog-agent otel command to install/remove DDOT from an OCI package.

Deprecation Notes

• The Install-Datadog.ps1 PowerShell script is deprecated and will be removed in a future version. Please use datadog-installer.exe or the MSI installer instead. Visit the in-app installation guide for complete up-to-date installation instructions.

Bug Fixes

• The signature check in Install-Datadog.ps1 is now more accomodating to formatting variations in the CN field. Refer to the Agent Data Security page for more information on validating signatures.
• Fixes user-defined network_path.collector.filters being silently dropped when infrastructure_mode is set to end_user_device. Custom filters are now correctly appended to the built-in EUDM defaults.

Datadog Cluster Agent

Prelude

Released on: 2026-04-29 Pinned to datadog-agent v7.78.2: CHANGELOG.

7.78.1

Agent

Prelude

Released on: 2026-04-23

• Please refer to the 7.78.1 tag on integrations-core for the list of changes on the Core Checks

Enhancement Notes

• The Agent's embedded Python has been upgraded from 3.13.12 to 3.13.13
• Agents are now built with Go 1.25.9.

Bug Fixes

• Fix missing signature on macOS Agent packages
• Fix the system-probe SELinux policy module failing to load on RHEL 7 with policydb module version 21 does not match my version range 4-19. The module is now compiled against modular policy version 19, which is the highest version supported by RHEL 7 and is backward-compatible with newer RHEL releases.
• Add logic to include integrations that do not have a manifest.json file in the Agent.
• Adds the tasks/agent.py file to the list of files used to compute the global omnibus cache.

Datadog Cluster Agent

Prelude

Released on: 2026-04-23 Pinned to datadog-agent v7.78.1: CHANGELOG.

Bug Fixes

• Fixed a Cluster Agent issue where container-targeted APM library injection could mount a tracing library into all application containers in a pod instead of only the annotated container.

7.78.0

Agent

Prelude

Released on: 2026-04-15

• Please refer to the 7.78.0 tag on integrations-core for the list of changes on the Core Checks

Upgrade Notes

• APM OTLP: Changed attribute precedence behavior when looking up OpenTelemetry semantic convention attributes that have multiple equivalent keys (e.g., http.status_code vs http.response.status_code, deployment.environment vs deployment.environment.name).

  Previous behavior: When both old and new semantic convention keys existed, the lookup would check ALL keys in span attributes before checking ANY key in resource attributes. So whichever key appeared in span attributes would win, regardless of which key was in resource attributes.

  New behavior: The lookup now uses a per-concept precedence order. For each semantic concept, the registry defines an ordered list of attribute keys; the first key that has a value is returned. The precedence order (which key takes priority) depends on the concept and may prefer either the newer or the older convention key. Span vs resource precedence (which map is checked first) is unchanged and still depends on the function.

  Who is affected: This change only affects users who have the same concept represented by different convention-version keys in span vs resource attributes. The returned value may now come from a different key than before, according to the concept's precedence order.

  This is an uncommon configuration since most instrumentation libraries use consistent semantic convention versions across span and resource attributes.

New Features

• Allows the Agent to get an API key in exchange for an AWS cloud authorization proof. This allows you to use your AWS credentials against Datadog and removes the need for you to manage an API key. More details can be found here: https://docs.datadoghq.com/account_management/cloud_provider_authentication/

• The autoscaling vertical controller now supports in-place vertical pod resizing.

• Add a new configuration provider, which schedules new instances of KSM checks to generate metrics from CustomResourceDefinitions.

  This new provider works with the kube_crd listener which listens for CustomResourceDefinitions created on the cluster and triggers a new autodiscovery-service for each one.

  This new configuration provider must use the standard kubernetes GroupVersionKind format in its AdvancedADIdentifier section to apply to a matching CustomResourceDefinition.

  The rest of the configuration is a standard KSM configuration instance.

• CNM - Add 7 per-connection TCP congestion signals: rto_count (RTO loss events), recovery_count (fast recovery events), reord_seen (send-side reordering), rcv_ooopack (receive-side out-of-order packets), delivered_ce (ECN CE-marked segments), ecn_negotiated (ECN negotiation status), and probe0_count (zero-window probes). Collected via eBPF on CO-RE and runtime-compiled tracers, Linux only.

• dd-procmgrd can now read process definitions and manage child process lifecycles with graceful shutdown.

• dd-procmgrd now supervises managed processes with configurable restart policies, exponential backoff, and burst limiting.

• dd-procmgrd can now manage the DDOT (Datadog Distribution of OpenTelemetry) collector process via a dual-mode mechanism. When a processes.d/datadog-agent-ddot.yaml config is present, dd-procmgrd takes over DDOT lifecycle management; otherwise the existing systemd unit manages it directly.

• Automatic SBOM generation for running containers via system-probe

• Runtime usage tracking - identifies which files and packages are actively accessed by running processes

• Security enrichment - flags SUID binaries and processes running as root

• gRPC streaming from system-probe to core agent for efficient SBOM forwarding

• Automatic CWS policy generation based on running container SBOMs.

• On Windows, the APM SSI installer now automatically enables system-probe to report injection telemetry from the ddinjector driver.

• Kubernetes pod check annotations: Invalid JSON in pod check annotations (ad.datadoghq.com/<container>.checks) now produces a clear error message in the "Configuration Errors" section of agent status. A new CLI command agent validate-pod-annotation validates annotation JSON from a file or stdin and exits with an error on invalid syntax, so you can catch mistakes before applying annotations to pods.

Enhancement Notes

• The agent now supports explicitly set cluster names that start with a digit or contain underscores.
• Add source and provider fields to rtloader API and add integration_security configuration properties.
• secrets-generic-connector: Allow configuration of X-Vault-AWS-IAM-Server-ID header for Hashicorp Vault AWS authentication method. Helps to prevent different types of replay attacks.
• APM: When a 403 is received from the backend, trigger an API Key refresh, and retry the payload submission.
• Secret Generic Connector: The Azure Key Vault backend now supports Service Principal authentication with client secret or client certificate, in addition to Managed Identity. Credentials are configured under the azure_session block (azure_tenant_id, azure_client_id, azure_client_secret or azure_client_certificate_path).
• Agents are now built with Go 1.25.8.
• dd-procmgr: Add CLI for the dd-procmgrd process manager. Processes are addressable by name or UUID.
• dd-procmgrd: Add gRPC server over Unix socket with read-only RPCs (List, Describe, GetStatus) for querying managed process state.
• dd-procmgrd: Add multi-process startup ordering via after/before config fields with topological sort and reverse shutdown order.
• dd-procmgrd: Add write RPCs (Create, Start, Stop, ReloadConfig, GetConfig) for runtime control of managed processes.
• The disk check now falls back to lsblk when blkid fails or returns no labels for disk label tagging. This ensures label and device_label tags are present on disk metrics even when the agent runs as a non-root user, since lsblk reads from sysfs and does not require elevated privileges.
• Document kubernetes_use_endpoint_slices flag
• Add X-Datadog-Additional-Tags header with hostname and agent version to data-streams-message HTTP requests.
• DSM: The kafka_actions check now automatically inherits Schema Registry configuration (URL, credentials, TLS, OAuth) from the kafka_consumer integration, enabling schema registry support without additional configuration.
• DDOT now sets deployment_type on the Datadog extension to daemonset by default, or gateway when Gateway mode is enabled.
• The podman_db_path configuration option now accepts a comma-separated list of paths to support monitoring containers from multiple users simultaneously (e.g. root and rootless users). Example: podman_db_path: "/var/lib/containers/storage/db.sql,/home/myuser/.local/share/containers/storage/db.sql". When podman_db_path is not set, the Agent automatically discovers Podman databases for the root user and for all users under /home/. Log collection (logs_config.use_podman_logs) is also updated to work correctly with both explicit multi-path configuration and auto-discovery.
• FIPS variants of the ddot-collector and agent -full images are now published.
• Remote Agent Management is now enabled by default on FIPS environments when Remote Configuration is explicitly enabled.
• The resource discovery agent (system-probe-lite) now wraps system-probe, acting as a loader for it. system-probe-lite will automatically fallback to system-probe when one of the following is true:
  • `discovery.enabled is set to false
  • discovery.useSystemProbeLite is set to false (the default).
  • Any other non-discovery feature of system-probe is enabled.
• Bumped the Security Agent policies to v0.78.0

Security Notes

• The CMD API gRPC server is now configured to require client certificates (mTLS).

Bug Fixes

• APM: Fix an issue where SQL stats group resources longer than 5000 characters were truncated before obfuscation, causing the trace-agent to fail to parse mid-token fragments and log an error instead of correctly obfuscating the query.

• Use atomic file replacement (write to temp file then rename) when writing APM workload selection policy files, preventing concurrent readers from seeing partially-written data.

• Fixed a race condition in the logs auditor where Flush() could write a stale registry to disk during a transport restart. The auditor now drains all pending payloads from its input channel before flushing, ensuring file offsets are up to date and reducing duplicate log processing after a TCP-to-HTTP transport switch.

• [DBM] Bump go-sqllexer to v0.2.1 to fix the following bugs:

  • Fixes table name metadata extraction to correctly collect all table names from comma-separated table lists (e.g., SELECT * FROM t1, t2).

• The diagnose command now returns an error if an API key is not configured.

• Fixes panic when advanced dispatching is disabled when KSM Core is ran as a cluster check.

• Fix support of Kafka actions for configurations where kafka_connect_str is a list.

• Fixed a bug in the disk Go check (diskv2) where partition enumeration could hang indefinitely on Windows when an orphaned or offline volume is present on the system. The check now applies the configured timeout (default 5s) to partition discovery and guards against spawning duplicate goroutines on subsequent check runs, preventing permanent worker starvation, goroutine buildup, and high CPU utilization.

• The process check now reports the correct...

7.77.3

Agent

Prelude

Released on: 2026-04-08

• Please refer to the 7.77.3 tag on integrations-core for the list of changes on the Core Checks

Bug Fixes

• Fixes an issue where Cloud Network Monitoring would not resolve NAT'd cluster IPs when using Cilium to replace kube-proxy.

Datadog Cluster Agent

Prelude

Released on: 2026-04-08 Pinned to datadog-agent v7.77.3: CHANGELOG.

7.77.2

Agent

Prelude

Released on: 2026-04-01

• Please refer to the 7.77.2 tag on integrations-core for the list of changes on the Core Checks

Enhancement Notes

• Hide GUI app by default for MacOS agent per-user install.
• Windows: Add PAR self-enrollment to installer.

Bug Fixes

• Fixes Workload Protection raw-packet eBPF programs when multiple packet filters are compiled together. The generated assembly reused register R8 both as the event pointer expected by the filter chain and to hold immediate values, which corrupted the pointer and caused the kernel BPF verifier to reject the program. The code now uses a separate register for those immediates so the pointer is preserved across filters.
• Workload Protection: resolves an issue in in-kernel cgroup tracking, enabling packet filtering to be correctly applied to containers.

Datadog Cluster Agent

Prelude

Released on: 2026-04-01 Pinned to datadog-agent v7.77.2: CHANGELOG.