Run Sysdig CLI Scanner in IaC Mode

Running Sysdig CLI Scanner in IaC mode lets you scan IaC resources in local directories, or as part of a CI/CD cycle, and report risks and compliance posture.

Prerequisites

You can include sysdig-cli-scanner in your IaC pipeline simply by running the sysdig-cli-scanner command.

  • Make sure the sysdig-cli-scanner binary is available on the worker or runner where the pipeline is executing.

  • Define a secret containing the API Token and make it available in the pipeline using a SECURE_API_TOKEN environment variable.

  • Ensure that you have the RBAC CLI execution permission for the CLI IaC Scanner.

Parameters

Basic usage of the sysdig-cli-scanner:

sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Mandatory Parameters

Option                 Description
--iac                  The first parameter of sysdig-cli-scanner must be --iac to enable the IaC scanning functionality.
SECURE_API_TOKEN       Provide the API token as the environment variable SECURE_API_TOKEN. You can retrieve it from Settings > User Profile in Sysdig Secure.
--apiurl=<endpoint>    Sysdig Secure endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI.

Usage

sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Replace <PathsToScan> with the path to the directory containing the source code to scan. It can be an absolute or a relative path.

If <PathsToScan> is omitted, the path defaults to the current directory, ./ .

For example:

SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --iac -r -f H --apiurl <sysdig-api-url> /home/user/a-git-repository /home/user/another-git-repository

Additional Parameters

To display a list of all available command line parameters:

  -h, --help                    Show this help message

Example output:

Usage:
      sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Common Options:
  -a, --apiurl string                Secure API base URL
      --console-log                  Force logs to console, mutually exclusive with --logfile
  -o, --logfile string               File destination for logs, mutually exclusive with --console-log
  -l, --loglevel string              Log level [trace|debug|info|warn|err|fatal|panic|disabled] (default "info")
      --output-json string           Output path of the scan result report in json format
  -s, --skiptlsverify                Skip TLS certificate verification

Help Options:
  -h, --help                         Show this help message

IaC Scan Options:
      --list-unsupported-resources   Toggle output of detailed list of unsupported resources
  -r, --recursive                    Scan folders for manifests recursively
  -f, --severity-threshold string    The minimum severity that will fail a scan [low|l|medium|m|high|h|never|n] (default "h")
      --version                      Show the version and exit

Exit codes:
  0: Scan evaluation "pass"
  1: Scan evaluation "fail"
  2: Invalid parameters
  3: Internal error

CLI Scanner Exit Codes

Display the scanner exit codes with -h.

The codes are:

  • 0 : Scan success. No findings, or all findings are below the fail threshold.

  • 1 : Scan failed. One or more findings are equal to or above the fail threshold.

  • 2 : Incorrect parameters, for example no API token was given.

  • 3 : Other execution errors.
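The following CI wrapper is an added example, not code from the Sysdig documentation: it enforces the prerequisites listed above (token and API URL present, --iac as the first argument), runs the scan with the documented options, and maps the exit codes above to a pipeline decision. SCANNER_BIN, SYSDIG_API_URL, classify_exit_code and run_iac_scan are names assumed here; the scanner binary itself is not part of this example.

```shell
#!/bin/sh
# Added example (not from the Sysdig docs). Assumes the pipeline provides
# SECURE_API_TOKEN (from its secret store) and SYSDIG_API_URL (region endpoint),
# and that SCANNER_BIN points at the sysdig-cli-scanner binary.
SCANNER_BIN="${SCANNER_BIN:-./sysdig-cli-scanner}"

# classify_exit_code CODE: label for the exit codes documented for IaC mode.
classify_exit_code() {
  case "$1" in
    0) echo "pass" ;;                 # no findings at or above the threshold
    1) echo "policy-fail" ;;          # findings at or above the threshold
    2) echo "invalid-parameters" ;;   # e.g. missing API token
    3) echo "internal-error" ;;
    *) echo "unknown" ;;
  esac
}

# run_iac_scan THRESHOLD REPORT_JSON PATH...: returns the scanner's exit code,
# so a pipeline step can fail on anything but 0. Missing mandatory inputs are
# reported as 2 without invoking the scanner, matching its own convention.
run_iac_scan() {
  threshold="$1"; report="$2"; shift 2
  if [ -z "${SECURE_API_TOKEN:-}" ]; then
    echo "SECURE_API_TOKEN is not set; refusing to run" >&2
    return 2
  fi
  if [ -z "${SYSDIG_API_URL:-}" ]; then
    echo "SYSDIG_API_URL is not set; --apiurl is mandatory" >&2
    return 2
  fi
  # --iac must be the first parameter; --output-json keeps the report as an artifact.
  "$SCANNER_BIN" --iac -r -f "$threshold" --apiurl "$SYSDIG_API_URL" \
    --output-json "$report" "$@"
  rc=$?
  echo "scan result: $(classify_exit_code "$rc") (exit $rc)" >&2
  return "$rc"
}

# Typical pipeline step (uncomment to use):
# run_iac_scan h iac-report.json ./charts || exit $?
```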

Sample Result in Terminal

You can view scan results in the terminal window:

$ sysdig-cli-scanner --iac -r -f H --apiurl=https://us2.app.sysdig.com /home/user/a-git-repository /home/user/another-git-repository

Summary
-------
Detected 1 modules/manifests in 1 folders
2 resources scrapped
3 unsupported resources (use --list-unsupported-resources for details)

Findings:
 🔴 13 High
 🟠 17 Medium
 🟡 18 Low

Errors
------
 - /.github/workflows/approve-test-run.yaml: Object 'Kind' is missing in '{"jobs":{"approve-test-run":{"if":"${{ github.event.issue.pull_request }}","permissions":{"pull-requests":"write"},"runs-on":"ubuntu-latest","steps":[{"name":"Slash Command Dispatch","uses":"peter-evans/slash-command-dispatch@v3","with":{"commands":"approve-test-run","issue-type":"pull-request","permission":"write","reaction-token":"${{ secrets.GITHUB_TOKEN }}","token":"${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}"}}]}},"name":"Approve Test Run","true":{"issue_comment":{"types":["created"]}}}'.
 ...
 - <Path> - <Details>


Details
-------
Container permitting root | 🟡 Low | 2 Occurrences
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
|                 RESOURCE                  |    KIND    |                   RESOURCE LOCATION                    |                SOURCE                |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | runAsNonRoot in container harbor-scanner-sysdig-secure | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge    | Deployment | runAsNonRoot in container stackdriver-webhook-bridge   | /charts/sysdig-stackdriver-bridge    |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+

Workload container default RunAsGroup root | 🟠 Medium | 2 Occurrences
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
|                 RESOURCE                  |    KIND    |                 RESOURCE LOCATION                  |                SOURCE                |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | `runAsGroup` in workload                           | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge    | Deployment | `runAsGroup` in workload                           | /charts/sysdig-stackdriver-bridge    |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+

Workload without ServiceAccount | 🔴 High | 1 Occurrences
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
|                RESOURCE                |    KIND    |                 RESOURCE LOCATION                  |              SOURCE               |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
| release-name-sysdig-stackdriver-bridge | Deployment | `serviceAccountName` in workload                   | /charts/sysdig-stackdriver-bridge |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+

...

IaC Scan SUCCESS at 2024-01-04 13:19:37.702567 -0500 EST m=+0.100174543
OK: scan complete

Scan errors

Non-critical errors are errors collected during the scan and recorded per resource in the existing scan summary model. They should not fail the scan execution or alter the exit code, so the exit code remains 0 or 1 in the presence of non-critical errors.

Non-critical errors are displayed in the terminal output and included in the JSON report.