SaaS: Sysdig Secure Release Notes

On this page, you can read the most recent release notes for Software-as-a-Service (SaaS) version of Sysdig Secure. Review the entries to learn about the latest features, defect fixes, and known issues.

You may also want to review the update log for Falco rules used in the Policy Editor: Falco Rules Changelog.
The dates shown are for the initial release of a feature. The feature may not be rolled out to all regions concurrently and availability of a feature in a particular region will depend on scheduling.

Supported Web Browsers

Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested in the same way.

December 4, 2023

Extend Posture to Use Auto-Remediation with AWS Cloud Resources

This feature allows you to automate the process of maintaining and improving the security and compliance posture of your AWS infrastructure, reducing the risk of security breaches and operational disruptions. This extends remediation to AWS Terraform resources.

First, create Terraform configuration files that define the desired state of your AWS resources. Sysdig provides automated remediation for fixing risks by opening a PR directly on the IaC code files for your acceptance.

See Compliance - Evaluate and Remediate for details.

RBAC Permissions available in Posture for Accept Risk, Open PR

Administrators can now define which roles are permitted to accept risks, manage accepted risks, and open pull requests for posture/compliance findings, using granular permission items under

Sysdig Secure → Posture:

  • ComplianceRead: Access compliance results
  • Risk AcceptanceRead, Edit: View, manage, revoke, and edit Posture risk acceptance
  • Open PREdit: Set up a pull request for posture findings remediation

Existing Default Roles: Team Manager and Advanced User now have Edit permission for Posture Risk Acceptance and Open PR.

Detailed Role Permissions provide complete details.

November 22, 2023

Event Forwarding Directly from Sysdig Agent

With Sysdig agent v. 12.18+, it is possible to send Runtime Policy Events and Activity Audit events to SIEM platforms and logging tools directly from the agent. This enables event forwarding without exposing the data collection tool on the internet.

See Agent Local Forwarding for details.

Report Policy Actions in Kubernetes Events

With Sysdig Agent v.12.18, Sysdig Secure now supports reporting threat detection policy actions in Kubernetes events.

When the agent performs a stop, pause, or kill container action as defined in a rule, the agent will generate a Kubernetes event with the triggering action details and rule name. You can then see why actions were taken directly from the kubectl events, without having to explore the event feed in Sysdig Secure.

November 13, 2023

Improved Home Page

Sysdig is pleased to announce a new and improved Home page! The Home page offers a clean, visual representation of the most important issues in your environment and a curated list of the top tasks required. The default tab Home encompasses the Dashboards and the other tab contains Recommendations.

For the Home page dashboards to display data, you must have completed basic onboarding and at least one data source must be connected. Otherwise, the page will provide prompts for completing those setup tasks.

What is displayed in Dashboards is dependent on what has been installed. To learn more, read the docs.

Star Favorite Compliance Views

You can now select specific Policy + Zone combinations you want to see tracked on the Home page. Details in the Compliance documentation.

October 26, 2023

Custom Posture Controls Available

You can now tune your compliance results by customizing your posture controls. To edit evaluation parameters on select Posture Controls, see configure evaluation parameters.

October 20, 2023

VM Registry Scanner v0.2.50 with Google Artifact Registry and Sonatype Nexus Repository Support

Sysdig is pleased to announce the release of the registry scanner v0.2.50 with chart v1.1.11. The new version offers the following:

For more information, see Install Registry Scanner.

October 10, 2023

Reporting for Image Pipeline Vulnerability Scanning

The Vulnerability Management (VM) team is pleased to announce the release of Reporting for Image Pipeline scanning. The Vulnerability Management engine now has reporting for all scanning functionality (Runtime, Registry, Host and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.

This feature enables the easy collection and reporting on Pipeline scans over a given time period. With this addition, we have completed normalizing the data output functions across the VM scanning set

September 28, 2023

Admission Controller v0.14.9 Released

Kubernetes audit events are now enriched with container metadata to give additional insight into your infrastructure. With this enhancement, all the pod events now display,, and pod.namespace labels. You can view these labels on the Secure Event detail panel for events such as Create HostNetwork Pod and Attach/Exec Pod.

September 27, 2023

Customize Posture Controls Severity

All Posture Controls can now be configured to edit the control severity.

Administrators can control which roles are permitted to see and edit posture controls using a new permission item under Sysdig Secure > Policies > Posture Controls (Read, Edit).

Existing Default Roles: Team Manager and Advanced User now have Edit permission for Posture Controls.

September 26, 2023

Exception UI Improvements for Threat Detection Rules

Introduced a new user-friendly exception builder. The new exception UI, built in to the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules. For more information, see Manage Threat Detection Rules.

September 21, 2023

Cloud Logs

Introduced a new product bundle intended for users who are interested in Cloud Detection and Response (CDR) for Cloud Logs but do not want to use Cloud security posture management (CSPM). For more information, see Cloud Logs.

September 20, 2023

Agent Tags Support through Zone Scopes in Posture

Do you need to scope your Zones using the Agent Tags applied to your hosts and clusters?

You can now add Zone scopes: Kubernetes and Host with Agent Tags attributes. Add Agent Tags Key:Value pairs just as you add Labels. See the Posture Host Analyzer installation for details.

September 7, 2023

Advanced Users Can Apply Tuning Suggestions (Preview)

To simplify identifying and applying exceptions, we are enabling the ability for Advanced Users and Team Managers to see and apply tuning suggestions from Insights and Event detail pages.

To enable:

  1. Log in to Sysdig Secure as Admin and go to Settings.
  2. Toggle Advanced User Tuner Enablement on.

This will become default behavior starting Oct 15th, 2023.

September 6, 2023

Sysdig Secure Support for Rancher Kubernetes Engine (RKE2)

We are happy to announce the support for Rancher Kubernetes Engine (RKE2) which, lacking an official Center for Internet Security (CIS) benchmark, is supported by the addition of a new in-house policy.

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure posture control library has been expanded to improve its Amazon Web Services (AWS) resources coverage. The control library now includes 26 new controls providing support for 17 new resource types (both deployed and from Terraform code) across the following AWS services:

  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic File System (EFS)
  • Amazon Kinesis
  • Amazon RDS
  • Amazon SageMaker
  • Amazon Simple Queue Service (SQS)
  • AWS Elastic Beanstalk
  • AWS Network Firewall
  • AWS Systems Manager (SSM)

OOTB Policy Content Updates

The following policies have gone through updates:

  • Sysdig Mirantis Kubernetes Engine (MKE) Benchmark v1.1.0
    In collaboration with Mirantis, we have updated some of the audits in order to provide more accurate results.

  • AWS Well Architected Framework
    The Well Architected Framework has been augmented with 26 new controls providing support for the recently added resource types, as well as for some of the already existing.

As a fundamental part of the support for Rancher Kubernetes Engine, Sysdig now provides the following new policy:

  • Sysdig Rancher Kubernetes Engine (RKE2) Benchmark v1.6.0
    The hardening guide provides prescriptive guidance for hardening a production installation of RKE2, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes benchmark. It is to be used by RKE2 operators, security teams, auditors, and decision makers.

August 24, 2023

Agentless Threat Detection for GitHub (CA)

Your GitHub organizations can be now secured with Sysdig agentless cloud dection and response (CDR), which extends its capabilities adding the first Git provider to the list of supported sources. By installing the Sysdig app on GitHub, it will be possible to enable our Falco-powered threat detection capabilities. You will also find policies and rules provided and maintained constantly by our Threat Research Team, along with the possibility to create your own custom ones.

For installation instructions, see Git Integrations.

This feature is currently in controlled availability (CA).

August 21, 2023

Agentless Threat Detection for Okta (Preview)

Sysdig agentless CDR extends its coverage by adding support for Okta, the first identity provider (IdP) in the list of supported sources. You can now connect Okta organizations to Sysdig and use the power of Falco rules to detect threats in your environment. Along with the customizability of Falco rules, Sysdig provides managed policies and rules that are constantly being updated.

August 10, 2023

Control Access to Zones and Posture Policies

Sysdig is introducing two new permission items under Sysdig Secure Policies:

  • Zones (Read, Edit)
  • Posture Policies (Read, Edit)

These permission items enable administrators to control who can edit access to Zones and Posture Policies, including APIs.

Existing roles are updated with the following permissions:

  • Default Roles; Team Manager, Advanced User:
    • Zones: Edit
    • Posture Policies: Edit
  • All Existing Custom Roles and Default Roles; Service Manager, Standard User, View Only:
    • Zones: Read
    • Posture Policies: Read

August 7, 2023

Runtime Rule Tuner Updated

Simplified and improved the interface of the Runtime Rule Tuner:

  • Exception information is now presented in easy-to-understand name/value pairs.

  • Values can be freely edited.

  • Added explicit Apply buttons for each exception, making the choices conscious and avoiding security blindspots.

  • If you are using Terraform to manage exceptions, you can now view the suggested exception as Terraform snippet and copy/paste it in to your Terraform file.

  • Impacted policies and any already-applied exceptions are displayed to help you make more informed decisions.

See how to use the improved feature in the Events feed. You can also access it from Insights.

August 2, 2023

CLI Scanner v1.5.1 Released

Sysdig released the new version of cli-scanner with a breaking change in tech preview. The format of the JSON scan result has been changed in command line (CLI) Scanner v1.5.1.

When you run cli-scanner with the --json-scan-result parameter, the severities in JSON keys are not capitalized anymore. For example:

"vulnTotalBySeverity": {
      "Critical": 2,
      "High": 65,
      "Low": 24,
      "Medium": 107,
      "Negligible": 417

has been changed to:

    "vulnTotalBySeverity": {
      "critical": 2,
      "high": 65,
      "low": 24,
      "medium": 107,
      "negligible": 417

This change impacts the following JSON objects:

  • vulnTotalBySeverity
  • fixableVulnTotalBySeverity

July 26, 2023

Detect Fileless Attacks with New Rule

Sysdig Secure has added the ability to detect fileless attacks using a new Falco rule on the managed policy called Sysdig Threat Detection.


See this blog post for details on Sysdig’s solution to fileless malware detection.

July 25, 2023

Admission Controller v0.11.8 Released

Changed the title for scan events in Sysdig Secure to the format <policy> | <rule>, fixing a bug in the user interface (UI) when using filters from the title in the event feed.

July 24, 2023

OpenID Single Logout Support

Sysdig added support for OpenID Single Logout. Using Single Logout, a user can initiate a logout and terminate all sessions without having to log out from each one individually.

For more information, see Configure OpenID Single Logout.

Enhanced Sysdig Platform Audit

The Sysdig Platform Audit has been enhanced to include username and team name in the audit information in addition to user ID and team ID. The feature is Generally Available (GA).

For more information, see Sysdig Platform Audit.

July 19, 2023

Sysdig Secure Live Is Enabled for All Users

Sysdig Secure Live has been enabled for all users. For more information on this feature, see the following:

July 18, 2023

Policy Scope Deprecation: Kubernetes Workload Labels

Deprecation Notice: To improve agent performance and decrease load on the Kubernetes API, the Kubernetes workload metadata will no longer be a valid scope configuration, starting October 18, 2023.

Why: When a policy with one of these scopes is applied, every agent must request the metadata from the Kubernetes API for all clusters. We have found that most policies are created for namespaces, clusters, or other metadata local to the agent. Many of the policies that used this metadata in the scope were used to make an exception for all rules in that policy. Sysdig supports Falco exceptions that are more targeted to a process, container, image, and so on, in a specific rule, making for more targeted security rules that provide better performance and security coverage.

What: The following workload metadata will be deprecated from policy scoping:


Outcome: Existing policies with these scopes will continue to work but cannot be modified with the same labels. New policies cannot be created with these labels in the scope.

Recommendation: If you have used one of these scopes to apply a rule or set of rules, replace with scope for +

Example replacing

Old scope: 	= default AND 	= nginx

Supposing a container called nginx exists inside the deployment nginx, replace it with: 	= default AND 			= nginx

You can also get more specific by using images:	= default AND 			= nginx AND
container.image.repo 		=

July 14, 2023

Admission Controller v0.11.3 Released

Admission Controller v0.11.3 is released. This release removes the kubernetes workload name from legacy scan secure events, allowing those events to be aggregated in the Secure Events Overview dashboard.

July 04, 2023

Vulnerability Management APIs Added

The following new API endpoints have been released in Technical Preview to list and filter vulnerability scan results for Pipeline, Registry, and Runtime as well as to fetch detailed scan results in JSON format:

  • Get a list of pipeline scan results: GET /secure/vulnerability/v1beta1/pipeline-results
  • Get a list of registry scan results: GET /secure/vulnerability/v1beta1/registry-results
  • Get a list of runtime scan results: GET /secure/vulnerability/v1beta1/runtime-results
  • Get full scan results: GET /secure/vulnerability/v1beta1/results

These API endpoints are applicable only to the current Vulnerability scanning engine.

For more information on accessing the API, see Developer Tools.

June 23, 2023

Process Tree Visualization in Events Feed (Preview)

Released the technical preview of the Process Tree feature in the Sysdig Secure events feed. This feature visually unveils the context in which a process was launched. It displays process lineage for security practitioners in a familiar EDR format to help users easily understand the relationships and dependencies between processes to accelerate incident response.

This feature requires Sysdig agent v12.15 and must be manually enabled.

June 27, 2023

Investigate Rule Change Details

In addition to the Updated badge that is now appended to Threat Detection rules, you can now also use a comparison panel to review the precise changes that were made. This applies to changes made to managed rules set by the Sysdig Threat Detection team, as well as customizations made by users.

June 26, 2023

Improved AWS Cloud Account Onboarding

Sysdig has launched an improved onboarding experience for AWS Cloud Accounts, enabling users to specify their installation preferences regarding type, method, and desired features. Sysdig then guides you through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s agentless CDR now supports threat detection on AWS CloudTrail, eliminating the need for additional computational resources. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their AWS accounts and organizations effortlessly while benefiting from robust event processing.

June 20, 2023

Sysdig Secure Live - Preview

Secure Live is a powerful tool that assists in the response and investigation into security events, vulnerabilities, and misconfigurations in your infrastructure under one pane of glass, with a simple way to scope on the part of the infrastructure you are investigating.

How Does It Work?

Secure Live presents the last 24 hours of your infrastructure by scopes based on the hierarchy, such as cluster, namespace, and workloads. Selecting one of these scopes presents existing data from different parts of Sysdig Secure in a curated set of panels and tabs that are specific to that scope. As this feature evolves, more panels and “Live” views will be added, such as Posture Tab and Cloud Live.

What are the Benefits?

Sysdig Secure Live provides a number of benefits, including:

  • Increased visibility: Secure Live provides a unified view of your infrastructure, making it easier to identify and respond to security threats.
  • Improved efficiency: Secure Live can help you to automate many of the tasks involved in security operations, freeing up your team to focus on more strategic work.
  • Reduced risk: Secure Live can help you to reduce the risk of security breaches by providing you with the information you need to identify and address vulnerabilities before they are exploited.

What are the Limitations?

Sysdig Secure Live is still under development, so there are a few limitations to be aware of:

  • Limited data retention: Secure Live only stores data for the last 24 hours.
  • No customization: The scopes, panels, and tabs in Secure Live cannot be customized at this time.

What’s Next?

Sysdig is committed to continuously improving Sysdig Secure Live. In the future, we plan to add new features and functionality, such as:

  • Support for more cloud providers: Sysdig Secure Live currently supports AWS, Azure, and Google Cloud Platform (GCP). We plan to add support for more cloud providers in the future.
  • Integrations with other security tools: Sysdig Secure Live can be integrated with other datasources from Falco, such as Okta and Github. This will allow users to get a more comprehensive view of their overall cloud native security

To enable the feature, see Secure Live.

June 16, 2023

Jenkins Plugin v2.3.0 Released

  • Added support to apply image-based accepts for the following:
    • All the versions of an image
    • Images in a specific registry and repository
    • Images that contain wildcards for a customized subset of the environment
  • Updated the analyzer to inspect the vendor directory for packages
  • Shows Pipeline results in the Vulnerability Management Overview page

Unified Subscription Page

The Subscription page has been enhanced to provide a unified look and feel for both Sysdig Monitor and Sysdig Secure. This improvement is particularly useful to Sysdig Platform users as it now shows all the relevant subscription information, regardless of which product is currently selected. The feature is Generally Available.

For more information, see Subscription.

June 13, 2023

CLI Scanner v1.5.0 Released

Sysdig released the new version of cli-scanner. The CLI Scanner v1.5.0 introduces the following:

Accept Risk Feature Updated

Sysdig is pleased to announce the update of the Accept Risk feature for Vulnerability Management. This update enables users to extend risk acceptance in several customizable ways to allow for more controlled acceptance scope.

Previously, accepted risk scopes for a CVE, image, or host were either global or per individual asset.


Added support to apply image-based accepts for:

  • All versions of an image
  • Images in a specific registry and repo
  • Images that contain strings for customized subsets of the environment

June 12, 2023

Notification Formats Update 2

The notification format for the Slack and MS Teams notification channels was updated with the ability to choose either a brief or detailed version of the notification message. For newly created channels, the shortened version is the default. Users who currently have the detailed version can edit the channel and change their selection if desired.

June 7, 2023

Runtime Events Dashboards

The technical preview of the Runtime Events Dashboards is now available in Sysdig Secure. The dashboards provide a summary view as well as a trend view of all events in your infrastructure. They highlight security hotspots, and the filtering capabilities allow you to focus on a specific part of the infrastructure.

This release makes the following dashboards available:

  • Events Overview
  • Kubernetes Events
  • Cloud Events
  • Host and Container Events

Only teams that are scoped to the entire infrastructure will see the dashboards.

June 5, 2023

Posture: Standalone Install Available for Linux and Docker Hosts

While Helm is the recommended installation method for Kubernetes clusters, if you want to scan a host that is not running Kubernetes, we also offer a stand-alone analyzer for compliance violations on Linux hosts.

OOTB Policy Content Updates

We are happy to announce the update of the following out-of-the-box (OOTB) policies:

  • Center for Internet Security (CIS) Google Cloud Platform Foundation Benchmark v2.0.0 (latest)
  • CIS Microsoft Azure Benchmark v2.0.0 (latest)
  • ISO/IEC 27001:2022 (latest)
  • Lockheed Martin Cyber Kill Chain

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure Posture control library has been expanded to improve its Amazon Web Services (AWS) resources coverage. The control library now includes new controls for the following resource types:

  • Amazon Elastic Container Service (ECS)
    • ECS Cluster
    • ECS Service
    • ECS Fargate Service
    • ECS Fargate Task Definition
  • Amazon Elastic Kubernetes Service (EKS)
    • EKS Cluster
    • EKS Fargate Profile

Sysdig Secure Coverage Improvement for GCP

Sysdig Secure has been expanded to improve its Google Cloud Platform (GCP) resources coverage adding a total of 229 new resource types for the following services:

  • AI and Machine Learning
    • Cloud Tensor Processing Units (TPUs)
    • Dialogflow
    • Document AI
    • Speech-to-Text
    • Vertex AI
  • API Management
    • API Gateway
    • Cloud Healthcare API
  • Compute
    • Compute Engine
  • Containers
    • Artifact Registry
    • Container Engine
    • Container Registry
    • Google Kubernetes Engine (GKE)
  • Data Analytics
    • BigQuery
    • Cloud Composer
    • Cloud Data Fusion
    • Dataflow
    • Dataplex
    • Dataproc
    • Pub/Sub
  • Databases
    • Cloud SQL
    • Cloud Bigtable
    • Cloud Spanner
    • Database Migration Service
    • Datastream
    • Firestore
    • Memorystore
  • Hybrid and Multicloud
    • Anthos
  • Management Tools
    • Deployment Manager
    • Google Cloud Billing API
    • Service Management API
  • Media and Gaming
    • Game Servers
    • Transcoder API
  • Networking
    • Cloud Domains
    • Cloud Intrusion Detection System (IDS)
    • Google Cloud Virtual Network
    • Network Connectivity
    • Network Management
    • Network Services
    • Service Directory
  • Operations
    • Cloud Logging
  • Security and Identity
    • Assured Workloads
    • BeyondCorp Enterprise
    • Certificate Authority Service
    • Cloud Data Loss Prevention
    • Cloud Key Management Service (KMS)
    • Cloud Resource Manager
    • Secret Manager
  • Serverless Computing
    • App Engine
    • Cloud Functions
    • Cloud Run
    • Workflows
  • Storage
    • Filestore
  • Additional Google Products
    • Eventarc
    • Integration Connectors
    • Managed Service for Microsoft Active Directory (Managed Microsoft AD)
    • Organization Policy API

May 30, 2023

VM Registry Scanner 0.2.39 Supports .Net Packages and Centos OS

We are pleased to announce the release of our updated registry scanner 0.2.39 with chart 1.0.12 with the following features:

  • Allowing internal environment variable (ENV var) to allow pageSize setup on the Artifactory client (v0.2.39)
  • Registry scanning library bump, to add vulnerability management support for .Net packages and Centos OS (v0.2.38)

Be aware that by incorporating this new source, you may discover previously unidentified vulnerabilities in assets that have already been scanned.

CLI Scanner v1.4.0 Released

Sysdig released the new version of cli-scanner. The command-line interface (CLI) Scanner v1.4.0 introduces the following:

  • Pipeline results shown in the Vulnerability Management Overview page.
  • Beta support for the Scan result in JSON format through the --json-scan-result=path/to/scanresult.json flag.

May 23, 2023

Released the Vulnerability Management Landing Page. This page helps users to see trends, priorities, and top action items on the vulnerability risks in their environment.

Vulnerability Managers gain insight into vulnerability changes and trends (Risk Posture), the latest and most pervasive CVEs and which infrastructure segments are most vulnerable.

Program Mangers gain clearer insight into the implications of these findings for policy.

Architects gain easy access to data regarding scan counts and adoption rates.

The Vulnerability Management team, as a whole, gains an easy place to start to prioritizing and managing vulnerabilities at a program level.

Additional Notes:

  • All widgets enable a workflow to take action or export data to the user’s native information security tool ecosystem.
  • Coming soon: addition of zones, native integration to ticketing, and more sophisticated prioritization through Image Genealogy.

May 16, 2023

Accepted Risks Management for Posture Added (Preview)

A dedicated Accepted Risk page has been added under the Policies UI in Sysdig Secure, with the following features:

  • A new Posture Tab with the list of accepted Posture/Compliance violations (in addition to the Vulnerabilities accepted risks tab)
  • The ability to search for risks that were accepted and to filter by various parameters
  • The ability to review a specific acceptance, revoke or edit it

This feature is in Technical Preview status.

May 15, 2023

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure Posture control library has been expanded to improve its AWS resources coverage. The control library now includes new controls for the following services:

  • Account
  • AWS CloudFormation
  • Amazon CloudFront
  • AWS CodeBuild
  • Amazon Elastic Compute Cloud (EC2) Auto Scaling
  • Amazon Elastic Container Service (ECS)
  • Amazon Elastic Load Balancer (ELB)
  • Amazon ElastiCache
  • Amazon Elasticsearch Service
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)
  • AWS Lambda
  • Amazon OpenSearch Service
  • Amazon RDS
  • Amazon Redshift
  • AWS Secrets Manager
  • Amazon Simple Notification Service (SNS)

May 11, 2023

Inventory Now Supports Git Integrations

Infrasture as code (IaC) resources, supported by our Git-integrated scanner, are now available in Sysdig Secure’s Inventory. This allows you to:

  • Easily differentiate your code from your deployed resources with our updated resource cards.

  • Search and filter for IaC resources using attributes like Resource Origin, Source Type, Location, Git Integration and Repository.

  • Access a 360-view of each code resource, which includes:

    • resource metadata
    • configuration details
    • posture violations that can be remediated with automated workflows

Query the Secure API to get a list of multiple IaC resources or retrieve a single one.

May 8, 2023

OOTB Policy Content Updates

We are happy to announce the update of the following policies:

  • Center for Internet Security (CIS) Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (latest)
  • CIS Azure Kubernetes Service (AKS) Benchmark v1.3.0 (latest)
  • CIS Docker Benchmark v1.5.0 (latest)
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0 (latest)

Registry Scanner 0.2.32 Update Available


  • Added support for http protocol registries
  • Changed to honor maxRepositoriesPerRegistry on

In chart 1.0.5

May 3, 2023

Vulnerability Management Rules Improvement

Updated Sysdig Secure’s default set of rules for vulnerability management, Severe vulnerabilities with a Fix. The necessary condition “has a fix” was previously missing from one of these rules, which might have impacted the accuracy of identified policy violations. This issue has now been corrected.

Please note that as a result of this improvement, some vulnerabilities previously marked as policy violations may no longer be considered as such.

Groups Page added to CIEM

The newly added Groups page provides numerous ways to sort, filter, and rank the detected group information to quickly remediate identity risks associated with the group’s users and policies.

Least Permissive Policy Suggestions for a group takes into account all of the group’s attached user’s activity within the scope of all attached policies. Utilizing Sysdig’s Optimized Policy Suggestion can enable you to create one policy for the group that is Least Permissive.

Notification Formats Updated

The notification format for the Slack and Microsoft Teams notification channels were simplified for ease of use. The notifications now contain just the rule, policy name and context information about where the event took place. When available, a Runbook Link and Action Taken are displayed. Click the link to reach the event with full details in the Sysdig UI.

May 2, 2023

Threat Detection Policy and Rule Pages Show Update Badge

Badges are now displayed on the Runtime Policies and Rule Library pages to indicate that a rule has been added or updated in the past 7 days. This includes updates performed by Sysdig’s threat research team as well as customization added by users, for example, when specifying exception values.

April 25, 2023

Cloud Account Compute Resource Shown in Subscription

The Subscription page now includes Compute Resources information to allow tracking of Enterprise Cloud Security usage.

April 21, 2023

VM Runtime Scanner v1.4.10, Host Scanner v0.3.9, CLI Scanner v1.3.8

We are pleased to announce the release of three updated versions of our scanning tools:

  • VM Runtime Scanner v1.4.10
  • Host Scanner v0.3.9
  • CLI Scanner v1.3.8

Apart from the usual bug fixing and updates, the most significant improvement in this release is the expanded support for detecting and scanning .NET packages:

  • While we previously could parse packages.lock.json files, we have now added the capability to parse .deps.json files.
  • This enhancement will enable us to identify broader vulnerabilities within the .NET ecosystem.

Please be aware that by incorporating this new source, you may discover previously unidentified vulnerabilities in assets that have already been scanned.

April 19, 2023

Container Registry Scanning

The Image Registry Scanning functionality is now generally available as part of our Vulnerability Management suite.

This feature provides an added layer of security between the pipeline and runtime stages, allowing you to gain complete visibility into potential vulnerabilities before deploying to production.

Supported Vendors

  • AWS Elastic Container Registry (ECR) - Single Registry and Organizational
  • JFrog Artifactory - SaaS and On-Premises
  • Azure Container Registry (ACR) - Single Registry
  • IBM Container Registry (ICR)
  • - SaaS
  • Harbor

Once the container registry is instrumented and analyzed, you can generate registry reports to extract, forward, and post-process the vulnerability information.

Interested in trying it out live? Sysdig offers a hands-on training lab to launch directly from your web browser.

April 5, 2023

Cli-Scanner 1.3.7 Released


Fixed a parsing error that caused RedHat modules to be incorrectly matched when scanned.

See Running the CLI Scanner for details on downloading and running the cli-scanner.

March 23, 2023

Risk Scores Explanations Enhanced in CIEM

Understand a breakdown of your Cloud Infrastructure Entitlement Management (CIEM) Risk Scores with Overview explanations.

Within the Posture tab, you’ll find different Identity and Access resources with Risk Scores. Select an entity from the list in the table and a drawer appears providing a detailed breakdown of the entity’s risk score, including the specific attributes and permissions that have contributed to it.

Learn more about how risk scores are calculated.

Support for CIS Critical Security Controls v8

The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 (latest) has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update, which supports enterprises as they move to both fully cloud and hybrid environments.

This policy, with 1,316 controls classified into 18 requirement groups, is now available as part of Sysdig’s posture offering.

Support for OWASP Kubernetes Top Ten

The OWASP Kubernetes Top Ten is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks. This policy, containing 344 controls classified into 10 requirements, is now available in Secure.

More information about this policy can be found in OWASP Kubernetes Top 10.

Updated CIS Amazon Web Services Foundations Benchmark to v1.5.0 (latest)

Updated the existing CIS Amazon Web Services Foundations Benchmark policy to its latest version at the time (v1.5.0). This new version include a new resource type, Elastic File System (EFS), for greater coverage, as well as new controls for the Amazon EFS and Amazon Relational Database Service (RDS) services. The total number of controls in this new update has raised up to 79.

March 22, 2023

Git Scope for Zones

We have extended the flexibility of Zones for Posture to also support Git integrations and IaC (Infrastructure as Code) scanning.

With the introduction of Git scope for zones, users can include the new Git scope types as part of the zone definition and configure the policies that apply for that zone.

Note: Git sources have a new user-defined name field. Existing Git sources will automatically get a name like “Source 1”, “Source 2”, or the like.

For more information see the Zones and IaC Security documentation.

Helm Chart 1.5.80+ and Cli-Scanner 1.3.6 Released


  • RELEASE suffix in Java packages leading to false negatives resolved

    Specific Java packages containing a .RELEASE suffix were not correctly matched against their existing vulnerabilities, for example:

    was not correctly parsed and matched against the relevant vulnerabilities. This case is particularly common for spring-boot libraries.

    This fix will remove false negatives, thus uncovering real vulnerabilities that were present in those packages but not previously listed

This could lead to an increase in the number of vulnerabilities and policy violations.


  • Display full path for jar-in-jar libraries

    When a jar library is found inside another jar container, Sysdig will now display the absolute and relative path inside the jar, using the colon as separator:

    Before: /SpringHelloWorld-0.0.1.jar 
    After: /SpringHelloWorld-0.0.1.jar:BOOT-INF/lib/spring-core-5.3.16.jar

See Running the CLI Scanner for details on downloading and running the cli-scanner.

March 14, 2023

Legacy Inline Scanner v 2.4.21 Released


  • Updated anchore to 0.8.1-57 (March 2023)
  • Added support for OpenContainers Image (OCI) manifest list: parse and scan images built with attestation storage


Vulnerability fixes for the following high-severity CVEs:

  • CVE-2022-41723
  • CVE-2022-47629
  • CVE-2023-24329
  • CVE-2023-25577

March 9, 2023

Inventory Released as Tech Preview

Inventory has been made generally available as a new-top level menu item.

With this feature you can:

  • Search and filter for resources based on a growing list of attributes such as Labels, Zones, and Posture information (policy, requirement, control, accepted risk, control severity).

  • Access a 360-view of each resource, which includes its posture violations, metadata, and configuration details.

  • Review resources’ posture violations and remediate them by opening a Pull Request or manually applying a patch.

  • Query the Secure API to get a list of multiple resources or retrieve a single one.

    (For API doc links for additional regions, or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.)

Inventory is a SaaS-only feature of Sysdig Secure.

March 6, 2023

CLI Scanner 1.3.4 Released

Released version 1.3.4 version of the cli-scanner.

March 8, 2023

KSPM policy for CIS Kubernetes V1.24 Benchmark released

A new Posture policy has been released following the CIS Kubernetes V1.24 Benchmark. This policy provides prescriptive guidance for establishing a secure configuration posture for Kubernetes 1.24 and includes 13 new controls.

March 1, 2023

Improved Search of Posture Controls

Our 1,000 Posture Controls are now easier to find, by their Name, Description, Severity, Type and Target platform or distribution, anywhere you are looking for them:

  • Filter for controls in the Control library
  • Filter in the Policies library, including while editing your custom policy

We also added enhanced visibility of control targets by showing the supported platform and distributions on each control.

Support for OCP, IKS and MKE

We have added Posture support for new Kubernetes distributions:

  • Support for Red Hat OpenShift Container Platform 4 (OCP4):

    • CIS Red Hat OpenShift Container Platform Benchmark policy.
  • Support for IBM Cloud Kubernetes Service (IKS):

    • Sysdig IKS Benchmark policy.
  • Support for Mirantis Kubernetes Engine (MKE):

    • Sysdig MKE Benchmark policy.

February 28, 2023

New Page for Privacy Settings

A new Privacy Settings page has been added under Administration Settings.

February 27, 2023

New Filter and Grouping for Threat Detection Policies

This release enhances the Threat Detection policies by showing the policies in a grouped manner and adding the ability to filter policies by type.

Additionally, badges on the list now alert you when rules have been added or updated in managed policies.

February 17, 2023

Posture Now Supports Red Hat OpenShift Container Platform (OCP4)

Added support for the OpenShift platform. The CIS Red Hat OpenShift Container Platform Benchmark policy is now available, with 181 controls (145 of which are exclusive to OpenShift), using a new Cluster resource type which is of paramount importance in OCP4 due to the nature of the platform.

February 16, 2023

View Insights Grouped by User

The Insights vizualization now permits viewing events grouped by user, greatly improving the ability to spot outliers. You can also see all events from a particular user in reverse chronological order. See Group by User | Rule for details.

February 14, 2023

New Filter and Grouping for Rules Library

This release enhances the Threat Detection rules library by showing the rules in a grouped manner and adding the ability to view only custom rules.

February 2, 2023

VM Reports Now Include Risk Spotlight (In Use) and Accepted Risks

Added Risk Spotlight (In Use) and Accepted Risks to VM Reporting as both an additional metadata column and a configurable filter.

Every matching vulnerability will have these two new additional columns, as well as the matching true/false filters.

January 25, 2023

CLI Scanner 1.3.3 and Jenkins Plugin 2.2.7 Released

Sysdig has released version 1.3.3 version of the cli-scanner and 2.2.7 version of the Jenkins Plugin.

Scanner Update:

  • Bug fixes, some of which were impacting policy evaluations.

Plugin Update:

  • Updates to the scanner
  • Adjustments to the string representation of some policy rules in the report section
  • Several bug fixes, including one that caused the build to fail when it shouldn’t

Non-Containerized Install Available for Host Scanning

While Helm is the recommended installation method, if you want to scan a host without using containers at all, we also offer a standalone binary and an RPM package. To review methods, see Host Scanning.

Liveness and Readiness Probes Added to Helm Chart

Starting from sysdig-deploy Helm chart version 1.5.34, we have added livenessProbe and readinessProbe, which check for vulnerability runtime scanner component health, in agreement with the Kubernetes monitoring and scheduling practice.

Be aware, this requires having a vuln-runtime-scanner version of at least v1.4.4.

January 2023

Inventory Released as Controlled Availability

Sysdig Secure now offers an Inventory, so you can gain visibility into resources across your cloud (GCP, Azure, and AWS) and Kubernetes environments. With this feature you can:

  • Search and filter for resources based on their metadata
  • Get a high-level overview of resources’ compliance violations
  • Access a 360-view of each resource, starting with its configuration details and facilitated by the unification of Sysdig’s data
  • View and share resources’ configurations

January 19, 2023

CLI Scanner v1.3.2 Released

Released a new version of cli-scanner. CLI Scanner v1.3.2 introduces a new configuration parameter, --override-pullstring, that allows you to specify a custom image name to be displayed on the Sysdig Secure UI. For more information, see Install Vulnerability CLI Scanner.

Host Scanning Enhancements and General Availability

Vulnerability management for Hosts has received several upgrades and is now generally available.

Newly supported Host OSes

  • Alibaba Cloud Linux (also know as Aliyun Linux)
  • Google Container-Optimized OS (COS), build 89+

See all supported Host OSes.

Host Vulnerability Reporting

It is now possible to create scheduled vulnerability reports targeting the Hosts which are scanned with the Sysdig product.

From the Reports function in Sysdig Secure, select if you want to target the Runtime Workloads or Runtime Host.

Note that scope labels and report columns will follow the Host Scanning metadata, as in HostName or Cloud Provider Region.

January 17, 2023

CSPM Compliance GA Released

Sysdig is pleased to announce the general availability (GA) release of the new CSPM Compliance module. This feature helps you prioritise compliance results on your most important environments and applications.

New features:

  • A compliance page ordered by your zones.
  • CSPM Zones Management
    • A default Entire Infrastructure zone is created for each customer
    • Create your own zone:
      • Define scopes for the resources you want to evaluate
      • Apply a policy to your zone to add it to the compliance page
  • Over 40 new Risk and Compliance Policies included

To get to know our path from detection to remediation, risk acceptance, zones management, installation and migration guidelines, please review the documentation.

The new compliance module is not available for IBM Cloud and OnPrem users. They should continue taking advantage of Unified Compliance.

January 5, 2023

IaC Scanning now Supports Terraform AWS

Added support for Terraform resources from the AWS Provider. If you have implemented Git IaC Scanning, then pull-request checks will now scan AWS resources and report any violations of the CIS AWS Foundations Benchmark.

The list of supported resource and source types is now:

  • Kubernetes workloads in YAML manifests
  • Kubernetes workloads in Kustomize
  • Kubernetes workloads in Helm charts
  • Kubernetes workloads in Terraform
  • AWS cloud resources in Terraform

Other changes in the release include improved Kubernetes resources scanning in Terraform to support additional use cases.

For more information, see Git Integrations.

December 21, 2022

Additional Feeds for Golang Added to Vulnerability Management

Sysdig has added feeds to detect a wider range of Golang-related vulnerabilities. By extracting the packages declared in Golang binaries, we are surfacing vulnerabilities in the libraries used to build those binaries. In particular:

This feature, once added, may detect new vulnerabilities in assets that were previously analyzed.

December 20, 2022

Vulnerability Host Scanning for Google COS Added

Google Container-Optimized OS (COS) support has been added to Host Scanning (preview feature).

Host Scanning is installed by default when deploying with the Helm chart sysdig-deploy version 1.5.0+.

  • Note that Google COS support requires HostScanner container version 0.3.1+.

The new directories added to the default set scanned include:

  • Generic binaries (such as docker/containerd and infra tooling):


  • Libraries (such as default python libs):


  • GoogleCOS tooling directories:


December 15, 2022

Sysdig Agent Health Dashboards Enhanced

We are happy to announce that the Sysdig Agents page under Data Sources has been updated to enhance visibility into the health of Sysdig Agents. Now you can:

  • Filter Agents by their health status, version, and environment, including Account ID, cluster, and node.
  • View your Total Connected Agent Count over time

December 13, 2022

Platform Audit UI

We are happy to announce that the Sysdig Platform Audit now has a UI within the Sysdig application, in addition to the existing API.

With the UI you can:

  • Filter audit data based on multiple criteria for easier searching
  • Filter within a specific date range
  • View full details of a given audit event

December 1, 2022

Vulnerability Management for Hosts (Preview)

Sysdig is deploying all-new host scanning capabilities for vulnerability management. The hosts that support your workloads and containers are a critical part of your infrastructure security. They can offer an even more attractive target for attackers than containerized software, due to the lateral movement possibilities they offer.

Sysdig’s host scanning and integrated vulnerability management features unify runtime workloads and their associated hosts under a single streamlined interface and user flow. The provide visibility over the full infrastructure security posture.

Host Scanning is installed by default when deploying with the Helm chart sysdig-deploy version 1.5.0+.

See Host Scanning for more about the supported Host OSes, CPU architectures, alternative installation methods, and how to use the feature.

November 30, 2022

JIRA Ticketing Integration

Sysdig is pleased to announce the release of the JIRA Ticketing feature. Users can now open JIRA tickets within the Secure UI and assign them to team members directly. The first iteration will allow customers to open tickets from Identity Recommendations on the Home page.

See how to set up this JIRA Ticketing Integration.

Vulnerability Management Accept Risk (Exceptions)

Sysdig’s Vulnerability Management policies already allow a user to configure thresholds to surface the most relevant data, for example, critical vulnerabilities with an available fix. Still, complex organizations also require the ability to introduce exceptions in the case of false positives, preconditions that don’t apply, and so on.

Accepting the Risk is now available as a Vulnerability Management feature in Sysdig Secure.

You can accept the risk of individual CVEs or entire hosts or container images, and can define specific contexts such as package types and expirations dates. The Sysdig UI highlights the risks that have been accepted and can filter for them.

This feature requires that you have deployed Sysdig with sysdig-deploy Helm chart version v1.5.0+, vuln-runtime-scanner version 1.4.0+ and sysdig-cli scanner v1.3.0+.

See Enablement Prerequisities to check your versions and upgrade if needed.

November 21, 2022

CSPM Compliance: Reporting & API Preview Released

Sysdig is pleased to announce the preview release of CSPM Compliance Reporting and API.

This feature allows you to:

  • Download CSV directly from the compliance results view
  • Download CSV directly from the results view of a specific control
  • Receive JSON of compliance results directly via API for:
    • Compliance Overview
    • Compliance Results
    • Control Resource Lists

For further reading, see Create and Download a Report and the CSPM API Documentation for developers

Sysdig Threat Detection policies now include the option to specify a Runbook link with each policy. If the policy triggers an event, the Runbook link will be displayed in the event details, as well as in the notification. This allows users to tie their security triage processes directly into Sysdig Secure.

See Manage Policies: Define the Basic Parameters and Secure Events: Detail Panel.

November 7, 2022

Usability Improvements for Secure Events

To help security investigators distinguish false positives from real issues, it can be helpful to review the associated network activity. We are adding a link to Sysdig’s Network Typology visualization directly into relevant event details, under the Respond button.

Similarly, where applicable, the Runtime Policy Tuning feature will show up under the Respond button. The user can go through the flow to add exceptions and reduce false positives.

Finally, we’ve added the ability to view the rule definition from the event details panel. You can see the event details and the rule definition side-by-side.

See Secure Events for details.

Rule Names Added to Event Notifications

The notifications for runtime events have been enhanced to include a rule name. For Email, Slack, and Microsoft Team, the rule name will be a link to the rule definition.

October 26, 2022

New Secure Event Forwarder Integration: Google Security Command Center

A new integration has been released for Sysdig Secure’s Event Forwarder functionality: Google Security Command Center (SCC)

October 24, 2022

New Home Page

Updated the Home page for all customers. The new Home page offers a clean, visually intuitive representation of the most important issues in your environment and a curated list of the top tasks required. The top half encompasses the Dashboards and includes:

  • Visual charts highlighting areas of concern within your environments that can be filtered
  • The ability to drill down into relevant product areas with a click
  • Full screen Dashboard capabilities

The bottom half encompasses the To Do Recommendations list and will:

  • Guide you to take the most impactful actions to reduce security risks in your environments
  • Offer tailored recommendations with aggregated and prioritized tasks

The Getting Started page is being deprecated with this release; see Home and Data Sources for more detail.

September 20, 2022

Disable a Rule within a Policy

Starting today, you can disable (and re-enable) individual rules within threat detection policies. This allows you to:

  • Use a subset of rules within a managed policy or managed ruleset without giving up the ability to receive new rule updates.
  • Temporarily disable a noisy rule until the cause is investigated or an appropriate exception is put in place.

September 19, 2022

Actionable Compliance - Control Library Preview Released

Sysdig is pleased to announce the preview release of CSPM Control Library in Actionable Compliance.

This is a technical preview release and the feature is open for all customers. It offers:

  • Visibility of all available controls
  • The ability to filter for specific controls by control attributes

Read more about the feature in Posture Controls.

August 29, 2022

Actionable Compliance - Custom Policies Preview Released

Sysdig is pleased to announce the preview release of CSPM Custom Policies in Actionable Compliance.

This is a technical preview release and the feature is open for all customers.

With this feature you can:

  • Clone an existing policy and edit its metadata
  • Create, edit and delete a custom policy
  • Create, edit and delete requirements in a custom policy
  • Link and unlink available controls to policy requirements

You can read more about the feature in Manage Posture Policies.

Coming soon in Actionable Compliance:

  • Control Library
  • Creating your own custom control in a custom policy

August 17, 2022

New Permission for Changing Team Roles

Team management has been improved with the addition of the new permission, Team Membership Roles. This permission will allow you to change the roles of team members separately while adding users to the teams.

For more information, see:

August 10, 2022

Machine Learning Policies

A new machine-learning-based detection capability is available in Sysdig Secure.

While we strongly believe in our Falco-based rule approach, and do not consider machine learning to be the best way to detect every threat, we understand that specific use cases such as Cryptominer detections require a different approach. This is the first detection capability available in our Machine Learning policies.

To read more about how to configure them and how they work, see Machine Learning and our press release.

August 4, 2022

Agent Overview Page Released in Data Sources (Preview)

An Agents overview page in the Data Sources | Integrations interface has been made available as a technical preview for all customers. This new page shows all of the Sysdig Agents that have reported to the Sysdig backend, and enables you to quickly determine:

  • Which agents are up-to-date, out of date, or approaching being out of date
  • Which managed clusters have been detected in your cloud environment, but have not yet been instrumented with the Sysdig agent

The feature will remain in technical preview, as we add additional functionality and refine the workflows within the page.

See also: Data Sources | Sysdig Agents

Actionable Compliance - CSPM Policies Preview Released

Sysdig is pleased to announce the preview release of CSPM Policies in Actionable Compliance. This is a technical preview release, and the feature is open for all customers.

With this feature you can:

  • See what is being evaluated by the Actionable Compliance feature in the context of compliance standards (CIS, NIST, and so on)
  • Review the policy structure and the controls connected to it
  • Enable/disable controls
  • Filter controls by enablement status, violation severity, name, and control type

The features are under development and will soon include the ability to create custom CSPM policies as well.

Read more in CSPM Policies (Preview).

July 28, 2022

Managed Threat Detection Policies

From today, you will see all existing policies labeled as Custom Policies and with a list of disabled Managed Policies. The existing custom policies work exactly as they have always worked, and do not require any action from you. However, to take advantage of the Sysdig Threat Research team, we recommending moving over to the new managed policies. To read more about the different types of managed policies, see Threat Detection Policies.

July 21, 2022

Actionable Compliance - Accept Risk Preview Released

Sysdig is pleased to announce the preview release of Risk Acceptance in Actionable Compliance. This is a technical preview release, and the feature is open for all customers.

This feature allows you to:

  • Improve compliance score by Accepting a risk on a failing resource in a control
  • Register an acceptance reason and expiration date
  • Edit and revoke acceptance
  • See a summary of accepted risks in Compliance
  • Filter by accepted resources in the mini-inventory of violation results

You can read more about the feature in Compliance.

June 23, 2022

New Secure Event Forwarder Integrations: Elasticsearch & Microsoft Sentinel

Two new integrations have been released for Sysdig Secure’s Event Forwarder functionality:

June 2, 2022

Actionable Compliance Preview Released

Released the first preview of Actionable Compliance, the next phase of the Sysdig Secure’s compliance offering and the first capability to support Kubernetes Security Posture Management (KSPM), and in the future also Cloud Security Posture Management (CSPM).

This is a technical preview release, and the feature is open for all customers.This feature includes:

  • Compliance views - a redesigned summary view for each built-in policy
  • Violation results - the first-ever mini-inventory to show violated resources with filtering capabilities
  • Actionable Remediation - automatically open a Pull Request to remediate a resource violation in its git stored source file (Infrastructure as Code)

Technical highlights:

  • Inventory based collection - a paradigm shift in how we collect CSPM data.
  • New agent collector - gathers all Kubernetes objects (workloads, subjects, roles, and so on) from the customer for future Inventory use
  • New node-analyzer container - collects the node’s Kubernetes, Linux and docker configurations
  • Eight new micro-services
  • OPA based policies - built-in policies (previously benchmarks) with OPA controls (previously rules) for Kubernetes, docker & Linux

You can read more about the feature in Compliance

May 23, 2022

Custom Roles

A custom role is an admin-defined role that allows Sysdig administrators to bundle a set of permissions and assign those permissions to individual users or teams. Custom roles allow for finer-grained definition beyond the standard out-of-the-box Sysdig Roles. Once defined, a custom role can be assigned to any user inside a particular team, and configured as the default role for new users in that team. For more information, see Custom Roles.

The addition of custom roles into the platform is transparent, meaning that standard roles and assignments that already exist will not experience any changes.

May 19, 2022

To facilitate a smooth transition from the Legacy Scanning Engine to the new Sysdig Secure Vulnerability Management, the Settings menu now provides options for displaying the UI for the new, legacy, or both scanning engines.

Safe and transparent: This is a non-intrusive change; regardless of how you have the New Vulnerabilities engine toggle set, the Sysdig Secure navigation menu will not be modified without explicit user intervention. And the toggles will alter only the user interface and not impact the function or running of the engine itself.

To enable/disable: See Which Scanning Engine to Use

If both are enabled: The two sets of features are clearly distinguished in the Navigation menu.

May 18, 2022

Policy Advisor Deprecation Notice

Sysdig Policy Advisor will be removed from all Sysdig accounts on June 17, 2022.

Policy Advisor was built during a time when PodSecurityPolicies (PSPs) were the only way to add Security Policies to a Kubernetes workload. PSPs have now been deprecated in Kubernetes 1.21, released more than a year ago.

May 17, 2022

Runtime Scanner 1.0.3 Released

Optimized requests performed on the Kubernetes API

See also: Vulnerabilities | Runtime

May 4, 2022

Sysdig Platform Audit

Sysdig Platform now supports the capability of tracking, logging and reporting on all changes in the system.

  • Track all activities on the API level
  • Retention period: 90 days
  • Simple API for retrieving audit information (no UI)
  • Events Forwarding support to be included in the near future (to be announced)
  • Enabled by default for all SaaS customers

See also: Sysdig Platform Audit

Sysdig Platform Login Banner

Sysdig Monitor and Secure now allow you to define a Login Message that will be presented to all users. Added to boost Sysdig compliance/enterprise readiness, requested originally by the IRS.

  • Users are not allowed to access the system until they acknowledge the message
  • One login banner per customer
  • Only Admin users can enable or update the message
  • Single banner for both Monitor and Secure (for Platform customers)
  • Available on SaaS for all customers

See also: Configure Login Message

May 3, 2022

Insights Feature GA

This release marks the general availability (GA) of the Secure Insights feature. Some of the changes introduced include:

  • Better support for Azure events
  • Amazon Web Services (AWS) Identity Access Management (IAM) permission integration
  • Fixed bugs in policy tuner flow
  • Removed the limit for displaying events in a time range

May 2, 2022

DriftControl Policies: Detect and Prevent Drift in Container Runtime

Sysdig agent can now detect when a new executable was added to a container after the container started up. The agent collects when a file was downloaded and made executable. When using prevention mode, the agent can also deny the process from ever running. A policy can be used to define binaries that should be denied or excluded from being denied if they have been added after the container has started.

See also: Drift Policy

April 28, 2022

Component Security Fixes

The following Sysdig Secure components were updated with the latest security patches (April 2022):

April 20, 2022

New Vulnerability Management Engine

Sysdig is pleased to announce the new Vulnerability Management engine, a major upgrade to the vulnerability and image scanning functionality for the Sysdig Secure product.

Major Highlights

  • Scanning times have been drastically reduced. The average scan is now eight times faster.

  • Additional data is provided for vulnerabilities and remediation

    • CVSS scores and metrics: Network Attack Vector, Privileges required, etc.
    • Flagging of publicly available code Exploits
    • Suggested package fix version
  • Risk spotlight: Focus on the vulnerabilities that Sysdig detects in active packages at runtime.

    • This is a new filter that only shows CVEs with active packages, to save time browsing infrastructure and to help you focus on high-impact CVEs
  • New Vulnerability Reporting module

    • Up to 14 days retention of individual reports
    • Generate now allows scheduling directly from the UI
  • Flexible policies that can be attached to the different runtime and security contexts

How to Move to the New Scanning Engine

The new vulnerability management engine uses a different data storage, API, host components, and user interfaces than the legacy scanning.

  • Contact your Sysdig representative. They will guide you through the process of migrating your subscription and vulnerability management configuration to the new engine.

For further reading, see Vulnerability Management.

March 8, 2022

Scanning Component Updates

The following components have been upgraded to the listed versions with bug fixes and security updates:

  • node-image-analyzer:0.1.16
  • secure-inline-scan:2.4.9
  • host-analyzer:0.1.6

The latest Helm chart includes these versions for Node Image Analyzer and Host Analyzer. Follow the Quick Start documentation to upgrade the inline scanner.

March 3, 2022

New CIEM Features

User Risk Labels

Risk Labels are now surfaced to highlight insecure attributes of specific Users and Roles. They are listed within the Users & Roles page and within the User Details tab of a specific user.

Trend Charts in Overview

Time charts are now available within the Overview tab of Identity and Access. These help to visualize your permission trends over time for Users, Policies, and Resources.

CSV Report Export

All of the pages within Identity and Access can now be exported as a CSV file. Select the Download CSV button found at the top right corner of all pages.

Effective Permission Calculation

AWS supports different types of policies to limit permissions on different scopes. Sysdig has added support for calculating effective permissions based on permission boundaries and organization level service control policy (SCP). This gives additional context when viewing permissions based on identities. For example, an identity that has been given administrator level identity policy will be limited in overall permissions if there is a permission boundary policy attached to it.

CIEM Data in Insights

Within the Cloud Activity and User Activity views in Insights, there is now an Identity and Access tab. This will help investigative flows to understand the context from an IAM perspective.

March 1, 2022

New: Data Sources Instrumentation

On the Data Sources > Managed Kubernetes page: For unconnected clusters, Sysdig has added quick instrumentation instructions using the known details about the cluster, such as the cloud account, region, and cluster name.

February 28, 2022

New: Data Sources Features

Cluster Status

The Data Sources page now tracks all Managed Kubernetes Clusters, and whether they are connected or not connected. This can help determine if Sysdig Agent is no longer reporting to the Sysdig backend, for example, if it did not have enough resources to install. Each node will also report on the agent version installed at that time.

Instrumentation Instructions

Sysdig now adds quick instrumentation instruction to a Managed Kubernetes Cluster using the known details about the cluster, such as the cloud account, region, and cluster name.

February 10, 2022

Improved Usability with New Navigation

Sysdig’s new navigation improves the usability of the left-hand navigation for faster and easier navigation.

For a demonstration of the new feature, see the video walk-through.

Improved Menu Handling

  • Hoverable Sub-Menu: With each module that has additional menu options, hover over the respective module to quickly navigate.

  • Collapsible Main Menu: Save space with the collapsible left-hand navigation.

New Menu Option: Integrations

A dedicated Integrations menu option provides an easy way to access both inbound and outbound integrations.

  • Access the Cloud Accounts page to quickly understand which applications and services are running, and where the Sysdig agent is installed.
  • Access Managed Kubernetes to get a catalog for all the managed Kubernetes clusters in your environment. The status connected/unconnected is based on whether the agent is installed or not.
  • 3rd Party: Manage your Git Integrations

Outbound: Manage your Event Forwarding, Notification Channels, and S3 Capture Storage

3rd Party: Manage your Git Integrations

Revamped User Menu

Now all the settings options are collected and available in one large menu.

February 2, 2022

Enhanced Unified Filter for Event Feed

A new unified filtering experience of the Event Feed is now available for Secure SaaS accounts.

Easily toggle from the original to the enhanced version, where you will find:

  • Unified scopes, free text and any other filterable/searchable attributes on a single bar
    • Autocomplete on keys and values
    • Autocomplete/suggest operands
    • One-click quick filtering directly from the list of displayed elements
  • Saved filters in various formats– no more retyping common filter expressions
    • Favorite filters, stored per user and feature
    • Default filters, per user and feature
    • Recent filters, per user and feature

See also: Secure Events

January 26, 2022

Unified Compliance Reporting

Released a rework of our Compliance and Benchmarking capabilities. This change brings a number of improvements:

  • Compliance and Benchmark tasks are now scheduled, managed, and generate reports in an updated and unified interface, with simpler pathways to remediation and easier-to-navigate reports.
  • The logic used to check individual controls now checks for events signalling control failures, as well as ensuring the correct Runtime rules are configured to detect these events. This leads to a more comprehensive audit that captures activity as well as configuration.
  • New compliance standards and platforms added:
    • For workload, AWS, GCP, and Azure:
      • NIST 800-82 Rev2
    • For workload and AWS:
      • Fedramp (workload and AWS only)
      • HITRUST CSF 9.4.2 (workload and AWS only)
    • For GCP and Azure
      • GDPR
      • HIPAA
      • ISO 27001:2003
      • NIST 800-53 Rev4
      • NIST 800-53 Rev5
      • NIST 800-171
      • NIST 800-190
      • PCI / DSS v3.2.1
      • SOC 2


  • Agent version 12.0.4 or higher

    If necessary, install or upgrade your agent to the appropriate version.

  • Node analyzer installed

If you are upgrading from an earlier version of Sysdig Secure, your existing compliance and benchmark records will be migrated to the new version and retained on the same schedule as before.

See also: Compliance

New Feature: Review Applied Kubernetes Network Policies

Sysdig Secure has added the ability to view the Kubernetes Network Policies (KNPs) that have been applied directly from the Network Security Policy UI.

You can:

  • Review the relevant policies applied to the pod-to-pod communication for the current view

  • Click View Policy to see the raw yaml output of the network policy applied to that workload.

See also: Netsec Policy Generation

January 2, 2022

Welcome Infrastructure-as-Code!

Infrastructure-as-Code (IaC) is an important part of today’s cloud-native infrastructure. We at Sysdig know that the earlier you identify possible posture issues, the better off you are.

The new feature allows you to integrate Kubernetes IaC checks into your Git pipeline. With just a few clicks, the standard compliance checks will be integrated into the Pull Request (PR) flow and alert developers to policy violations before they merge.

Supportability & Requirements

The new capability will use either an application or a webhook in your respective git provider.

  • Github - Github Application
  • Gitlab - Webhook
  • Azure DevOps - Webhook
  • Bitbucket - Webhook

For each provider you can define the repos and folders to protect, as well as branches on which to perform the evaluation.

See also: Git IaC Scanning

Topics in This Section
2021 Archive

2021 Archive of Sysdig Secure (SaaS) released features.

2020 Archive

2020 Archive of Sysdig Secure (SaaS) release notes.

2019 Archive

2019 Archive of Sysdig Secure (SaaS) release notes.