2021 Archive

2021 Archive of Sysdig Secure (SaaS) released features.

December 17, 2021

Update on Log4j Vulnerability (CVE-2021-44228)

Sysdig confirms that all services that compose Sysdig’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to 2.16. We have not detected any successful attempts at exploitation of this attack vector during that time window.

December 15, 2021

Update on Log4j Vulnerability (CVE-2021-44228)

The sysdig agent does not include the Log4j library

Sysdig is using an alternative framework for logging called Logback. The logback framework isn’t vulnerable to this issue.

Sysdig components include a log4j library in our standard distribution that was vulnerable. This library is included for compatibility reasons only, is not used for primary logging, and our security team has determined we are not vulnerable based on our application architecture and existing mitigating controls.

Sysdig can confirm that all services that compose Sysdig’s Cloud Platform running Apache’s vulnerable Log4j library have been patched to the latest version or adds additional mitigating controls suggested by vendors. We have not detected any successful attempts at exploitation of this attack vector during that time window.

Details regarding upgrades We:

  • explicitly set commonsLog4jVersion = 2.15.0
  • update all of log4j-to-slf4j, log4j-api, and log4j-core to version 2.15.0

December 15, 2021

Sysdig Secure for Azure

Sysdig is pleased to announce the general availability of the Sysdig Secure for cloud capabilities for Azure.

  • Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
  • Cloud Threat Detection: Identify threats in your Azure environment using Falco rules for Azure
  • Event Hub: Fully managed, real-time data ingestion service that’s simple, trusted, and scalable
  • Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Azure Container Registry and images executed on Azure Container Instance Group.

For details, see Deploy Sysdig Secure for cloud on Azure.

December 12, 2021

A Statement on Log4j vulnerability (CVE-2021-44228)

Security researchers recently disclosed the vulnerability CVE-2021-44228 in Apache’s log4j, which is a common Java-based library used for logging purposes

Sysdig is using an alternative framework for logging called Logback. The logback framework isn’t vulnerable to this issue.

Sysdig components include a log4j library in our standard distribution that appears to be vulnerable. It has been confirmed that this library is included for compatibility reasons only and is not used for primary logging. As a result this should not pose any risks.

Patches will be provided to upgrade the log4j libraries that are included for compatibility reasons.

If you have any questions or concerns, please reach out to your Sysdig contact.

December 1, 2021

Image Analyzer 0.1.15 Inline Scanner 2.4.8 Released

Release 0.1.15 of the Node Image Analyzer

Release 2.4.8 of the Sysdig Inline Scanner

  • Updated to the latest security fixes
  • Fixed support for COPY, USER, and other instructions when the image is built using buildkit

November 5, 2021

Improved Handling of Forwarded Benchmark Events

Forwarded benchmark events now include AWS tags as key-value pairs (rather than a flattened string), making them easier to consume.

November 2, 2021

Inline Scanner 2.4.7 Update


  • libseccomp >= 2.3.3 (on the Host/JenkinsWorker - where the docker command is executed)
  • docker version > v18.05.0-ce


Fixed support for COPY, USER, and other instructions when image is built.

October 27, 2021

Cloud Infrastructure Entitlements Management (CIEM) for AWS

Sysdig Secure has added Permissions and Entitlements Management functionality. You can find it under Posture menu tab.

By combining the CIEM capabilities announced today with Sysdig’s existing capabilities, Sysdig customers can proactively prevent cloud permissions risks, scan for vulnerabilities and misconfigurations, and detect and respond to attacks across container and cloud environments.

  • Gain visibility into all cloud identities and their privileges: get a comprehensive view into access permissions across all AWS users and services
  • Enforce least privilege: eliminate excessive permissions by applying least-privilege policies to users and services with automatically generated IAM policies. Sysdig proposes policies based on analyzing which entitlements are granted versus which are actually used.
  • Simplify audit of access controls to meet compliance requirements: use reports for regular access reviews to evaluate active and inactive user permissions and activity.

Additional Information:

October 26, 2021

New Secure Event Forwarder Integrations: Google Chronicle, Google Pub/Sub & Amazon SQS

An extended set of output data integrations has been added to Sysdig Secure’s Event Forwarder functionality, in particular:

  • Integration with Google Chronicle. NOTE: Only Runtime policy events are available as data to send at this moment.
  • Integration with Google Pub/Sub and Amazon SQS, which can be used as temporary storage that will adapt the EFO push behaviour into a data pull endpoint.

See also:

October 25, 2021

Sysdig Secure for GCP

Sysdig is pleased to announce the general availability of the Sysdig Secure for cloud capabilities for GCP.

  • Cloud Security Posture Management (CSPM): Based on CIS benchmarks tailored for your assets
  • Cloud Threat Detection: Identify threats in your GCP environment using Falco rules for GCP
  • Audit Logs: Google Security Command Center integration to forward threats identified by Falco rules.
  • Image Vulnerability Scanning: Automatic vulnerability scanning of images pushed to Google Container Registry, Google Artifact Registry and images executed on Google Cloud Run.
  • Chronicle Integration: Events forwarding to Google Chronicle.
  • Installation via GCP Marketplace: You can install Sysdig from the GCP marketplace and pay using the payment method and credit of your GCP account.

See full details: Sysdig Secure for Cloud and Deploy Sysdig Secure for cloud on GCP.

October 13, 2021

New Scanning Engine (Technology Preview)

Sysdig Secure is developing a new scanning engine that will deliver major improvements, additional capabilities, and scanning-centric workflows.

The first iteration is available to test and provides:

  • Much faster scan times: 4x to 10x faster initial image analysis
  • Extended vulnerability data, including CVSS scores, vectors containing the full exploitability data, availability of an associated public exploit, etc.
  • Inline scanner available as a stand-alone binary, no longer requires spawning a container
  • Better remediation advice, including ‘Which packages are the worst offenders in my image? Considering all the possible fix versions, which one should I apply?’
  • Improved, more intuitive user experience, with faster response times

Important: The new engine is still on “Preview” phase.

This means:

  • Not suitable for production. There is no forward compatibility guarantee for the data or configuration (yet)
  • Testing the new scanning preview will NOT affect any existing scanning workflows that leverage the current scanning backend. It is safe to enable the preview on any account.
  • Additional fundamental components are still in development; they will be released in an upcoming version.

To test the new engine, simply enable the flag under Settings >User Profile>Sysdig Labs.

See New Scanning Engine to download the Inline Scanner binary and begin.

September 17, 2021

Date Columns Added for Scheduled Scanning Reports

In Sysdig Secure, the Scheduled Reports for Scanning now display additional vulnerability metadata for both runtime and registry reports.


  • Disclosure date: Time when the vulnerability information was registered in the feed
  • Solution date: Time when the fix version for this vulnerability (if any) was registered in the feed

To avoid breaking compatibility with existing reports and external instrumentation, these fields will only be available for newly created reports; existing Scheduled reports (even if they are modified and saved again) will not contain these columns.

September 8, 2021

New and Updated Compliance Standards

Sysdig Secure has added three new compliance standards and updated another. See also: Compliance

Updates to PCI DSS v3.2.1 Compliance for Workload

We have implemented some changes to the PCI DSS v3.2.1 for workload compliance checks. The control coverage for PCI is now: 1.1.2, 1.1.3, 1.1.5, 1.1.6.b, 2.2, 2.2.a, 2.2.1, 2.2.2, 2.4, 2.6, 4.1, 6.1, 6.2, 6.4.2, 6.5.1, 6.5.6, 6.5.8, 7.2.3, 10.1, 10.2, 10.2.1, 10.2.5, 10.2.7, 10.5.5, 11.5.1

Checks added:

  • Check for Network Security enabled added to controls 1.1.2, 1.1.3 and 1.1.5

  • Check for Kubernetes audit enabled added to controls 4.1, 6.4.2 and 6.5.8

Rules added:

  • Rule Outbound or Inbound Traffic not to Authorized Server Process and Port added to control 2.2.1

  • Rule Attach to cluster-admin Role added to controls 7.2.3 and 10.5.5

  • Rules EphemeralContainers Created and Terminal shell in container added to controls 10.1 and 10.2.1

  • Rules ClusterRole With Pod Exec Created , ClusterRole With Wildcard Created and ClusterRole With Write Privileges Created added to control 10.2

  • Rule Launch Privileged Container added to control 10.2.5

  • Rules Container Drift Detected (chmod) and Container Drift Detected (open+create) added to control 11.5.1

Rules removed:

  • Rule All K8s Audit Events rule removed from controls 10.1, 10.2, 10.2.1, 10.2.7

New PCI DSS v3.2.1 Compliance for AWS

The PCI Quick Reference describes the full range of controls required to pass a PCI 3.2 audit. In this release, Sysdig Secure will add the following controls.

For AWS protection: 2.2, 2.2.2, 10.1, 10.2.1, 10.2.2, 10.2.5, 10.2.6, 10.2.7, 10.5.5, 11.4

New AWS Well Architected Framework Compliance

The AWS Well Architected Framework whitepaper defines best practices to build secure, high-performing, resilient, and efficient infrastructure for applications and workloads.

For workload protection, Sysdig Secure will check the following sections: OPS 4, OPS 5, OPS 6, OPS 7, OPS 8, SEC 1, SEC 5, SEC 6, SEC 7, REL 2, REL 4, REL 5, REL 6, REL 10, PERF 5, PERF 6, PERF 7

For AWS protection, Sysdig Secure will check the following sectionsOPS 6, SEC 1, SEC 2, SEC 3, SEC 8, SEC 9, REL 2, REL 9, REL 10

New AWS Foundational Security Best Practices v1 (FSBP) Compliance

AWS Foundational Security Best Practices v1 (FSBP) describes the full range of controls to detect when your deployed accounts and resources deviate from security best practices.

For AWS protection, Sysdig Secure will check the following sections: AutoScaling.1, CloudTrail.1, Config.1, EC2.6, CloudTrail.2, DMS.1, EC2.1, EC2.2, EC2.3, ES.1, IAM.1, IAM.2, IAM.4, IAM.5, IAM.6, IAM.7, Lambda.2, GuardDuty.1

New NIST 800-171 rev2 Compliance

The National Institute of Standards and Technology (NIST) Special Publication 800-171 rev2  describes the full range of controls required to pass a NIST 800-171 audit. It provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

For workload protection, Sysdig Secure will check the following sections:3.1.1, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.20, 3.3.1, 3.3.2, 3.3.5, 3.3.8, 3.3.9, 3.4.3, 3.4.5, 3.4.6, 3.4.7, 3.4.9, 3.5.1, 3.5.2, 3.11.2, 3.12.1, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 3.13.6, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 3.14.7

For AWS protection, Sysdig Secure will check the following sections:3.1.1, 3.1.2, 3.1.3, 3.3.1, 3.3.2, 3.3.7, 3.5.7, 3.5.8, 3.14.6, 3.14.7

September 2, 2021

New Terraform Onboarding Options for Secure for cloud

Users can now onboard Sysdig Secure for cloud with their AWS accounts (single or organizational) using Terraform. See the feature description and the deployment/onboarding instructions.

August 12, 2021

Inline Scanner 2.4.6 Released

Version 2.4.6 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.


  • Added support for images with the (deprecated) manifest schema V1

July 30, 2021

Inline Scanner 2.4.5 released

Version 2.4.5 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.


  • Fixed an edge case in which using the --verbose flag with --format json caused a corrupted JSON output

July 28, 2021

Inline Scanner v2.4.4 Released

Version 2.4.4 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.


  • Bumped ClamAV version to latest (0.103.3).

  • Updated base image to get updated security fixes (July 2021)

  • Added retry mechanism when pulling images from registries

  • Added --write-json PATH option to permit storing json log to file

  • Fixed Malware scan fails when image has not read the permissions on files

  • Fixed failure in getting images for registries that do not support tag listing

July 27, 2021

Admission Controller with Kubernetes Audit (k8s_audit Falco rules)

Today we announce the general availability of the Kubernetes Audit functionality as part of the Sysdig Secure Admission Controller.


Kubernetes admission controllers provide operators the ability to validate and/or mutate incoming API requests. Admission controllers are a core functionality of Kubernetes, and many are enabled by default.

Sysdig Secure has long provided Kubernetes API security using k8s_audit Falco rules to create policies against Kubernetes audit logs. However, there have been some complications:

  • Diverse setup requirements:

    Many Kubernetes distros are opinionated in the way to collect and access logs, some using dynamic backends (deprecated in Kubernetes 1.19, but still available in OCP up to 4.3), while more vanilla approaches use webhooks, and cloud providers require a bridge to collect logs via their own logging streams.

  • Distros diverging from Falco:

    With OCP 4.4+, we had no clear way to collect and validate audit logs against our Falco rules.

The Solution?

Tap directly in the Kubernetes API request via Admission Controllers and use the existing k8s_audit rules our customers have relied on for so long. See the installation instructions.

July 2, 2021

Inline Scanner 2.4.3 Released


  • Updated base image to get updated security fixes (June 2021).


  • Fixed incorrect version detection for Apache Struts 2 packages which was leading to false positives.

July 1, 2021

Node Image Analyzer v0.1.13 Released

Version 0.1.13 of the Node Image Analyzer has been released.

This release comes with the following improvements:


  • Fixed a GKE- and ContainerID-specific bug where the node image analyzer couldn’t scan the image due to missing blobs

  • Implemented a few-second pause at startup to allow for Istio sidecars to complete the initialization before creating connections


  • We use the Universal Base Image (UBI) Sysdig-approved image as the base, in order to ensure the highest patch level approved by our security team.

June 23, 2021

Enhancements to Compliance Module

Terminology note: Compliance standards are scoped to different platforms depending on the specific security rules they include, Broadly, these are divided into:

  • Workload types: Including any Falco rules for kernel system calls, Falco rules for Kubernetes audit logs, host benchmarks, and security features that affect hosts, containers, and kubernetes clusters

  • AWS/cloud type: Falco rules for CloudTrail and Cloud Custodian rules on Amazon Web Services

See also: Compliance.

Extended Existing Compliance Standards to AWS

For the following existing compliance standards, we have added rules for AWS cloud provider:

  • NIST 800-53 rev4 for AWS

  • NIST 800-53 rev5 for AWS

  • ISO 27001:2013 for AWS

  • SOC2 for AWS

  • HIPAA for AWS

Added New Compliance Standards

We have also added the following new compliance standards to Sysdig Secure’s offerings:

  • GDPR for AWS 

  • GDPR for workload

  • NIST 800-190 for workload

Trimmed Excess Rules from Some Standards

Certain rules have been re-evaluated and were removed because they did not significantly contribute to the security posture:

  • Logged in without Using MFA (merged with Console Login Without MFA)

  • Interpreted procs outbound network activity

  • Launch Suspicious Network Tool in Container

  • All K8s Audit Events

June 14, 2021

CIS RedHat OpenShift Container Platform v4 Benchmark

Support for CIS RedHat OpenShift Container Platform v4 Benchmark has been added to Sysdig Secure.

As part of this release Sysdig is allowing you to scan and validate compliance with 112 controls included in the CIS Bencmark requirements.

See also: Benchmarks

June 9, 2021

Sysdig Secure UX Improvements: “Investigate” Navigation & Activity Audit

Sysdig navigation just got a facelift. To help our Sysdig Secure users navigate easily, we:

  • Added the new menu item Network (previously found under the Policies menu), and

  • Grouped Activity Audit + Captures into Investigation to better describe the use-case it helps users resolve.

Activity Audit

The Activity Audit module also got several interface and user experience improvements:

  • Runtime scope moved to the top to align with other Secure interfaces and allow more space for activity data

  • Activity types (network, file, kubectl, command) can now be filtered directly from the graph using the legend

  • Attributes of the displayed elements can be filtered directly from the list, without displaying the side detail panel

June 4, 2021

Kubernetes Network Security: New Configuration and Improved User Experience

Sysdig’s Kubernetes Network Policy tool has been updated to include additional fine-tuning configurations and an improved user experience.

Additional Configuration Panel

  • Workload Labels: Depending on your workload labelling policy, some labels may not be relevant for generating a KNP policy. Use the additional config to include/exclude a particular set of labels per cluster/namespace to declutter your UI and the resulting policy.

  • Unresolved IP Configuration: Now it is possible to label raw IPs that are not mapping to your Kubernetes/OpenShift entities, i.e. external cloud provider services, so these labels will be automatically applied to the topology and ingress / egress tables.

  • Cluster CIDR configuration: If the CIDR configuration is not automatically detected by the agent, you can now directly configure internal subnets per cluster using the Sysdig interface.

Improved UX

  • Topology map: Additional information pop-up when hovering over a network connection or a network node, such as server process, source, destination, and more.

  • Unresolved IP filtering: In the ingress and egress tables, by type or using free text search.

Additionally, Network is now presented as a top-level item in the Sysdig Secure navigation.

May 27, 2021

Falco Policy Tuner - Beta

Sysdig is now releasing a managed version of the standalone Falco Tuner.

Previously, you had to run the tuner in your local environment, print suggestions, and manually update a rule with those suggestions. The new feature runs in the background and automatically tunes noisy rules and false positives. To streamline the creation of these exceptions, we’ve created a new object within Falco called exceptions.

Note: To enable the tuner, Admin access rights to Sysdig Secure are required.

Feature Enhancement: Falco Exceptions

Previously, exceptions were created using and not conditions inside a Falco rule, e.g.

- rule: Write below binary dir
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities    

However, this process can be unwieldy and can result in unintended behavior. The new format, using exceptions, looks like this:

- rule: Write below binary dir
  condition: bin_dir and evt.dir = < and open_write
    - name: package_mgmt_procs
      fields: proc.name
      comps: in
      values: package_mgmt_binaries # list of known binaries

See the full documentation here.

May 19, 2021

Regulatory Compliance for ISO27001:2013 and HIPAA Now Available

Two new compliance standards have been added to Sysdig Secure’s compliance feature:

See also:Compliance for information about the specific controls Sysdig covers for each security standard.

Inline Scanner v2.4.1 Released

Version 2.4.1 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.


  • Updated ClamAV version to 0.103.2 to avoid end-of-life problems present in the former version, such as failure in updating the antivirus database

Additional type Descriptor Forwarding Activity Audit through Event Forwarder

The JSON payload when sending Activity Audit elements through the Event Forwarder will now contain an additional field name: type. This describes the type of the entry, respectively: command, connection, fileaccess, or kubernetes.

See also: Event Forwarding.

May 18, 2021

New and Improved Host OS and Container Scanning Tools

We at Sysdig are working hard to improve your security posture and compliance experience. As part of this commitment we are implementing a new framework to generate host benchmark results, introducing host scanning, and making backend improvements to the image scanning mechanism.

Installation Steps

The new features require a new component to be installed called the Node Analyzer. We’ve provided an installation script to automate the installation or to upgrade an existing Node Image Analyzer daemonset, if applicable.

Once you’ve installed or updated the components, the UI will automatically show Host Scanning and new Benchmarks functionality (Legacy Benchmarks can still be accessed.)

Host Scanning: New

In addition to Sysdig Secure’s rich array of tools for scanning container images, you can now scan the hosts as well.

  • Scan hosts for vulnerabilities, and detailed Software Bill of Materials (SBoM)

  • Support for OS (e.g. rpm) and non-OS (e.g. Java, Ruby, Python) packages

  • Compare and diff scan results

Host Benchmarks: Updated

  • More checks

  • Better results

  • Clustered aggregations - understand the posture of your environments, not just a single entity

Image Scanning: Updated

  • Automatically scan images if they have not been scanned

April 29, 2021

New Scan Results Page Layout

We have reorganized the visual layout of the Scan Results summaries to clearly distinguish policy evaluation from vulnerability matching and to better summarize the information.

Improvements include:

  • Vulnerabilities and Policies are now two different sections in the UI

  • Vulnerability match update time is displayed to further distinguish from the Policy Evaluation time

  • Policy breakdown is collapsed by default to reduce cognitive load

  • Re-evaluate policies button is now located in the impacted section only, as opposed to whole page

  • Apart from the vulnerability update time, the data remains unchanged from previous versions

See also: Review Scan Results.

April 26, 2021

Inline Scanner v2.4.0 Released

Version 2.4.0 of the inline scanner container has been released. See also: Integrate with CI/CD Tools.


  • Updated base image to get updated security fixes.


  • Added HTTP_PROXY and HTTPS_PROXY environment variables support for malware scanning mode. This is required if you want to retrieve the malware database inline behind a proxy.

  • Added support for.dockercfgrepository auth method, accessible via the--registry-auth-dockercfgCLI flag.


  • Now using HTTP1.1 by default to bypass a cURL bug.

  • Provided fix for an error when using the docker-daemon storage type with a docker UID different than 1000.

March 30, 2021

Sysdig Secure for cloud

Sysdig Secure for cloud is available with Cloud Risk Insights for AWS, Cloud Security Posture Management based on Cloud Custodian for AWS and multi-cloud threat detection for AWS using Falco.

What’s Included in this release:

  • Insights: a powerful new visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.

  • Threat Detection based on AWS CloudTrail:To detect threats, anomalies and suspicious activities with the flexible Falco engine. See also: Sept 29, 2020.

  • Cloud Security Posture Management with AWS Benchmarks: The AWS CIS Benchmarks assessment evaluates your AWS services  against the benchmark requirements and  returns the results and remediation activities you need to fix misconfigurations in your cloud environment.

    We’ve included several UI improvements to provide additional details such as:  control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based.

  • Image Scanning for ECR and Fargate: one-click deployment – see also ECR April 13, 2020 and Fargate Sept. 28, 2020.

Free-Forever Cloud Security Tier

Sysdig is launching a new Free-forever cloud security tier for one single account.


  • Easy onboarding in minutes

  • Manage cloud posture with a daily run of CIS Benchmarks

  • Detect threats with out-of-the-box CloudTrail detection rules based on Falco

  • Scan containers (ECR/Fargate scanning) automatically and within your cloud environment for upto 250 images a month

March 24, 2021

Image Scanning Reports v3 [BETA]

The Image Scanning Reports feature has been thoroughly updated and has moved from a synchronous model to an asynchronous mode, in which you schedule the reports you need and then receive them through your normal notification channels (email, Slack, webhook.). The new version also includes:

  • A preview function to check report structure in the UI

  • A more advanced query builder

  • Extended set of data columns (i.e. CVSS base score and vector) and extended set of available filters (i.e. package type)

Reporting v3 supports two different types or reports:

  • Vulnerability report: Containing vulnerability, package and image data

    I.e. Vulnerabilities in my runtime with Severity ≥ High, a Fix available and not included in a vuln exception list.

  • Policy report: Containing scanning policies and evaluated images data

    I.e. Images in my internal registry failing the “NIST” scanning policy.

You need to enable this feature from the Sysdig Labs setting on the User Profile page.

See Scheduled Reports for more detail.

March 22, 2021

Feature Enhancement: Falco Policy Types

Sysdig Secure has introduced Policy Types– a separation of policies into logical groups, based on the sources used in the policy engine. When creating a policy, you choose a type and then only the relevant scopes and container actions will be presented. 

We have also introduced a new policy type to support threat detection with AWS CloudTrail rules.

For full details, see Manage Policies.

March 17, 2021

Scan Results: UX Enhancements & Added Functionality

Scan Results List

Summarized views based on image count, image fail / pass distribution and image origin distribution.

  • Registry filter dropdown, multi-select

  • Visible image counters: Images shown in the page vs total number of images available after applying filters

  • Visual charts: Pass/fail and origin distribution (also respecting filters)

Vulnerability List:

New table design to offer additional visual feedback and reduce data redundancy, plus additional vulnerability data.

New functionality:

  • Individual vulnerabilities can now be clicked to display additional information in a side panel:

    • The vulnerability feed source that was used for the matching

    • A description of the vulnerability

March 15, 2021

Sysdig Serverless Agent 1.0.0 for Fargate ECS

The “container-as-a-service” serverless environment calls for new agent models, and Sysdig provides them. Whereas in ECS, users still manage the underlying instances, with AWS Fargate the host is never visible and users simply run their workloads. And while this model is convenient, it can introduce risk as many people leave the containers unattended, without monitoring security events within that can exfiltrate secrets, compromise business data, impact performance, and increase their AWS costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.

For these reasons, Sysdig has introduced a new “serverless agent” model that can be deployed in these container-based cloud environments. The first implementation is for Fargate (ECS).

Sysdig will be rolling out security features on the serverless agent over time. In v1.0.0, users will see:

  • Runtime Policies and Rules

  • Secure Events

To obtain secure event information and the associated Falco policies and rules in the Sysdig Secure UI from a Fargate environment, users install the serverless agent using a CloudFormation Template. Then log in to Sysdig Secure and review the events in the UI.

See also: AWS Fargate Serverless Agents and Serverless Agent Release Notes (for future updates).

March 12, 2021

Deprecation Notice: Legacy Commands Audit & Legacy Policy events

  • The “Commands Audit” feature was deprecated in favor of Activity Audit in November 2019. This feature will be completely removed from the SaaS product April 2021.

    Sysdig agent version 0.93+, released in November 2019, is required by the Activity Audit feature.

  • The “Policy Events” feature was deprecated in favor of the new Events feed in June 2020. This feature will be completely removed from the SaaS product April 2021.

    Sysdig agent version 10.3.0+ is recommended.

UI Improvement on Rules Library and Rule Details

Usability improvements that display the policies in which a rule is used, from both the Rules Library list and the Rule Detail view. See Manage Rules for details.

March 2, 2021

Regulatory Compliance for SOC 2, NIST 800-53 rev4 and rev5

Three new compliance standards have been added to Sysdig compliance feature: SOC 2, NIST 800-53 rev4 and NIST 800-53 rev5.

The compliance validator now also includes new checks for the following features: Admission Controller, Network Security Policies and Node Analyzer.

See the Compliance documentation for usage details and the controls implemented.

February 23, 2021

Windows Scanning Released

A beta version of the Windows Scanning Inspector has been released. This is a new feature from Sysdig for scanning Windows containers.

This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

See also: Windows Container Image Scanning [BETA].


  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs
  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

UI-Based Admission Controller Released

Kubernetes’ admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.

Sysdig’s Admission Controller (UI-based) builds upon Kubernetes and enhances the capacity of the image scanner to check images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., elevating the scan policies from detection to actual prevention. Container images that do not fulfill the configured admission policies will be rejected from the cluster before being assigned to a node and allowed to run.

See also: Admission Controller.

Main Features

  • Granular admission policies: Defining a global policy per cluster, but also at the level of particular namespaces or image paths (i.e. registries) Registry and repository whitelist

  • Only allow images that pass the scanning evaluation criteria

  • Only allow images that have been evaluated recently

  • Only allow images that have been scanned before creation is requested to Kubernetes

  • Registry and repository whitelist

  • Scan unscanned requested images immediately (optional)

February 20, 2021

Network Micro-Segmentation: Support for CronJobs, Weave, & Cilium CNIs

The Sysdig Network Security Policy Tool has been upgraded to add support for CronJob pod Owners.

With the addition of CronJob support, communication is aggregated to the CronJob (scheduler) level, rather than the Job. Therefore, when administrators review the activity in the Network Security Policy menu, they will see the higher-level CronJobs listed, and not an excess number of individual Job entries.

This update also adds support for Weave and Cilium CNIs on top of Calico support.

Malware Detection during Inline Image Analysis

As part of the inline scanner version 2.3.1 release, malware scanning was added as a configurable detection that can be performed during inline analysis.

The default behavior if this feature is enabled and malware is found is to consider the scanning failed, report malware details, and abort analysis:

See Perform Inline Malware Scanning for recommended parameters and output options.

February 16, 2021

Registry Credentials: Support for Multiple Credentials

Sysdig Secure now supports assigning multiple credentials to the same registry depending on the relative internal registry path that is used to pull the image.

A wildcard can be added to the end of the path, indicating that any image located under the partial path inside the registry (/rg-2-1er in the example) will use the registry credentials configured here. This additional flexibility is useful, for example, for IBM registries which can have a different set of permissions depending on the namespace.

See also: Manage Registry Credentials.

February 10, 2021

Inline Scanner v2.3 Released

Version 2.3 of the Inline Scanner has been released.


  • Avoid prefixing the image names with localbuild when not strictly necessary


  • Improved version detection for specific software packages: logback, SpringFramework and Tomcat Java

  • Allow setting of openssl security level via OPENSSL_SECLEVEL env var to support old certificates

  • More robust image ID identifier, avoiding unnecessary image re-scans along the container lifecycle

  • Added malware detection feature

February 4, 2021

Enhanced Activity Audit Filters

We have improved the noise-reduction filter for the Activity Audit feature in Sysdig Secure. The feed will now automatically filter out duplicate entries with a high number of occurrences. No information is lost, as the filtered noise is only duplications of entries in the feed.

A sudden reduction in the number of Activity Audit entries per time slot is expected as a result of this filter.

January 28, 2021

Node Image Analyzer v0.1.9 Released

Version 0.1.9 of the Node Image Analyzer has been released.

This release comes with the following improvements:


  • Fixed an issue that prevented some images from being processed on GKE clusters using Docker and Containerd

  • Fixed an issue that prevented some images that don’t have full tags from being processed on OpenShift

  • Improved version detection for Logback, SpringFramework and Tomcat Java packages

  • Fixed an issue that resulted in the image analyzer crashing without a proper error message when an incorrect Docker socket path was provided