Datadog’s 2025 DevSecOps Report Highlights Need for Smarter Vulnerability Prioritization
Datadog released its *State of DevSecOps 2025* report, revealing that only 18% of vulnerabilities labeled “critical” under the CVSS scoring system are truly critical when runtime context is applied. By incorporating factors like whether an app is in production or internet-exposed, Datadog’s prioritization algorithm filters out unnecessary noise and helps security teams focus on the most urgent issues.
Key findings include:
- Java applications lead in known-exploited vulnerabilities, with 44% of Java services affected, compared to 2% for other languages.
- Patch delays are longer in Java-based ecosystems (62 days on average), compared to .NET (46 days) and JavaScript (19 days).
- Software supply chain attacks remain a threat, with malicious packages mimicking legitimate ones on PyPI and npm repositories.
- Credential management is improving: use of long-lived credentials in GitHub Actions dropped from 63% to 58% year-over-year.
- Outdated dependencies are widespread, especially in services deployed infrequently, which are 47% more likely to run old libraries.
Datadog analyzed tens of thousands of applications and container images across cloud environments to compile this report.
2025-04-24