2022 Archive

2022 Archive of Sysdig Secure (SaaS) released features.

December 21, 2022

Additional Feeds for Golang Added to Vulnerability Management

Sysdig has added feeds to detect a wider range of Golang-related vulnerabilities. By extracting the packages declared in Golang binaries, we are surfacing vulnerabilities in the libraries used to build those binaries. In particular:

This feature, once added, may detect new vulnerabilities in assets that were previously analyzed.
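What "extracting the packages declared in Golang binaries" amounts to in practice is shown by the following added example (Python, written for this page, not Sysdig's scanner code). Go links a build-info section into every binary it produces, and `go version -m <binary>` prints that section as tab-separated records. The script parses that text form, honours `=>` replace records (the replacement is what was actually compiled in), and compares each dependency against a vulnerability feed that is constructed for the example: the advisory IDs, checksums and "fixed in" versions are placeholders, and the versions of the real modules named (gin, golang.org/x/text, gopkg.in/yaml.v3) are assumptions for illustration only.

```python
"""Match the Go modules embedded in a binary against a vulnerability feed.

Added example, not Sysdig code. Go links a build-info section into every binary;
`go version -m <binary>` prints it as tab-separated records. This script parses that
text form and flags dependencies older than the first fixed version in a feed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `go version -m` output: a header line, then tab-indented
# records of kind path / mod / dep / => / build. Checksums are placeholders.
SAMPLE_BUILDINFO = """\
/usr/local/bin/app: go1.19.4
\tpath\texample.com/app
\tmod\texample.com/app\t(devel)
\tdep\tgithub.com/gin-gonic/gin\tv1.8.1\th1:placeholder-checksum-1
\tdep\tgolang.org/x/text\tv0.3.7\th1:placeholder-checksum-2
\t=>\tgolang.org/x/text\tv0.3.8\th1:placeholder-checksum-3
\tdep\tgopkg.in/yaml.v3\tv3.0.0\th1:placeholder-checksum-4
\tbuild\t-compiler=gc
"""

# Constructed feed: module -> [(advisory id, first fixed version)]. IDs are fictional.
VULN_FEED: Dict[str, List[Tuple[str, str]]] = {
    "golang.org/x/text": [("EXAMPLE-2022-0001", "v0.3.8")],
    "gopkg.in/yaml.v3": [("EXAMPLE-2022-0002", "v3.0.1")],
}

_VER_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?(?:\+[0-9A-Za-z.\-]+)?$")


def parse_version(ver: str) -> Optional[tuple]:
    """Turn a Go module version into a comparable tuple, or None for values such
    as '(devel)' that cannot be compared. A pre-release suffix (which also covers
    Go pseudo-versions like v0.0.0-20220101120000-abcdef123456) sorts before the
    plain release with the same numbers."""
    m = _VER_RE.match(ver)
    if not m:
        return None
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4) or ""
    return (nums, 0 if pre else 1, pre)


def version_less(a: str, b: str) -> bool:
    pa, pb = parse_version(a), parse_version(b)
    return pa is not None and pb is not None and pa < pb


def parse_buildinfo(text: str) -> Dict[str, str]:
    """Return {module path: version} for every dep record. A '=>' record directly
    after a dep means the module was replaced; the replacement is what was
    compiled in, so its version wins."""
    deps: Dict[str, str] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        if not line.startswith("\t"):
            continue  # header line: binary path and Go toolchain version
        fields = line.split("\t")
        kind = fields[1]
        if kind == "dep" and len(fields) >= 4:
            last = fields[2]
            deps[last] = fields[3]
        elif kind == "=>" and last is not None and len(fields) >= 4:
            deps[last] = fields[3]
        else:
            last = None
    return deps


def find_vulnerable(modules: Dict[str, str], feed) -> List[dict]:
    """Report every (module, advisory) where the built-in version predates the fix."""
    findings = []
    for module, ver in sorted(modules.items()):
        for advisory, fixed in feed.get(module, []):
            if version_less(ver, fixed):  # '(devel)' or local replacements never match
                findings.append({"module": module, "version": ver,
                                 "advisory": advisory, "fixed": fixed})
    return findings


if __name__ == "__main__":
    mods = parse_buildinfo(SAMPLE_BUILDINFO)
    for f in find_vulnerable(mods, VULN_FEED):
        print(f"{f['module']} {f['version']}: {f['advisory']} (fixed in {f['fixed']})")
```

Run against the constructed sample, the replaced golang.org/x/text resolves to v0.3.8 and is clean, while gopkg.in/yaml.v3 v3.0.0 is reported against the placeholder advisory. The same parsing works on the output of `go version -m` for any binary on a host, which is why such findings can appear on assets that were scanned before the feed existed.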

December 20, 2022

Vulnerability Host Scanning for Google COS Added

Google Container-Optimized OS (COS) support has been added to Host Scanning (preview feature).

Host Scanning is installed by default when deploying with the Helm chart sysdig-deploy version 1.5.0+.

  • Note that Google COS support requires HostScanner container version 0.3.1+.

The new directories added to the default set scanned include:

  • Generic binaries (such as docker/containerd and infra tooling):

    /bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local

  • Libraries (such as default python libs):

    /usr/lib,/usr/lib64

  • GoogleCOS tooling directories:

    /var/lib/google,/var/lib/toolbox,/var/lib/cloud

December 15, 2022

Sysdig Agent Health Dashboards Enhanced

We are happy to announce that the Sysdig Agents page under Data Sources has been updated to enhance visibility into the health of Sysdig Agents. Now you can:

  • Filter Agents by their health status, version, and environment, including Account ID, cluster, and node.
  • View your Total Connected Agent Count over time

December 13, 2022

Platform Audit UI

We are happy to announce that the Sysdig Platform Audit now has a UI within the Sysdig application, in addition to the existing API.

With the UI you can:

  • Filter audit data based on multiple criteria for easier searching
  • Filter within a specific date range
  • View full details of a given audit event

December 1, 2022

Vulnerability Management for Hosts (Preview)

Sysdig is deploying all-new host scanning capabilities for vulnerability management. The hosts that support your workloads and containers are a critical part of your infrastructure security. They can be an even more attractive target for attackers than containerized software, because of the lateral movement they make possible.

Sysdig’s host scanning and integrated vulnerability management features unify runtime workloads and their associated hosts under a single streamlined interface and user flow. They provide visibility over the full infrastructure security posture.

Host Scanning is installed by default when deploying with the Helm chart sysdig-deploy version 1.5.0+.

See Host Scanning for more about the supported Host OSes, CPU architectures, alternative installation methods, and how to use the feature.

November 30, 2022

JIRA Ticketing Integration

Sysdig is pleased to announce the release of the JIRA Ticketing feature. Users can now open JIRA tickets within the Secure UI and assign them to team members directly. The first iteration will allow customers to open tickets from Identity Recommendations on the Home page.

See how to set up this JIRA Ticketing Integration.

Vulnerability Management Accept Risk (Exceptions)

Sysdig’s Vulnerability Management policies already allow a user to configure thresholds to surface the most relevant data, for example, critical vulnerabilities with an available fix. Still, complex organizations also require the ability to introduce exceptions in the case of false positives, preconditions that don’t apply, and so on.

Accepting the Risk is now available as a Vulnerability Management feature in Sysdig Secure.

You can accept the risk of individual CVEs or of entire hosts or container images, and can define specific contexts such as package types and expiration dates. The Sysdig UI highlights the risks that have been accepted and can filter for them.

This feature requires that you have deployed Sysdig with sysdig-deploy Helm chart version v1.5.0+, vuln-runtime-scanner version 1.4.0+ and sysdig-cli scanner v1.3.0+.

See Enablement Prerequisites to check your versions and upgrade if needed.

November 21, 2022

CSPM Compliance: Reporting & API Preview Released

Sysdig is pleased to announce the preview release of CSPM Compliance Reporting and API.

This feature allows you to:

  • Download CSV directly from the compliance results view
  • Download CSV directly from the results view of a specific control
  • Receive JSON of compliance results directly via API for:
    • Compliance Overview
    • Compliance Results
    • Control Resource Lists

For further reading, see Create and Download a Report and the CSPM API Documentation for developers.

Sysdig Threat Detection policies now include the option to specify a Runbook link with each policy. If the policy triggers an event, the Runbook link will be displayed in the event details, as well as in the notification. This allows users to tie their security triage processes directly into Sysdig Secure.

See Manage Policies: Define the Basic Parameters and Secure Events: Detail Panel.

November 7, 2022

Usability Improvements for Secure Events

To help security investigators distinguish false positives from real issues, it can be helpful to review the associated network activity. We are adding a link to Sysdig’s Network Topology visualization directly into relevant event details, under the Respond button.

Similarly, where applicable, the Runtime Policy Tuning feature will show up under the Respond button. The user can go through the flow to add exceptions and reduce false positives.

Finally, we’ve added the ability to view the rule definition from the event details panel. You can see the event details and the rule definition side-by-side.

See Secure Events for details.

Rule Names Added to Event Notifications

The notifications for runtime events have been enhanced to include the rule name. For Email, Slack, and Microsoft Teams, the rule name is a link to the rule definition.

October 26, 2022

New Secure Event Forwarder Integration: Google Security Command Center

A new integration has been released for Sysdig Secure’s Event Forwarder functionality: Google Security Command Center (SCC).

October 24, 2022

New Home Page

Updated the Home page for all customers. The new Home page offers a clean, visually intuitive representation of the most important issues in your environment and a curated list of the top tasks required. The top half encompasses the Dashboards and includes:

  • Visual charts highlighting areas of concern within your environments that can be filtered
  • The ability to drill down into relevant product areas with a click
  • Full screen Dashboard capabilities

The bottom half encompasses the To Do Recommendations list and will:

  • Guide you to take the most impactful actions to reduce security risks in your environments
  • Offer tailored recommendations with aggregated and prioritized tasks

The Getting Started page is being deprecated with this release; see Home and Data Sources for more detail.

September 20, 2022

Disable a Rule within a Policy

Starting today, you can disable (and re-enable) individual rules within threat detection policies. This allows you to:

  • Use a subset of rules within a managed policy or managed ruleset without giving up the ability to receive new rule updates.
  • Temporarily disable a noisy rule until the cause is investigated or an appropriate exception is put in place.

September 19, 2022

Actionable Compliance - Control Library Preview Released

Sysdig is pleased to announce the preview release of CSPM Control Library in Actionable Compliance.

This is a technical preview release and the feature is open for all customers. It offers:

  • Visibility of all available controls
  • The ability to filter for specific controls by control attributes

Read more about the feature in Posture Controls.

August 29, 2022

Actionable Compliance - Custom Policies Preview Released

Sysdig is pleased to announce the preview release of CSPM Custom Policies in Actionable Compliance.

This is a technical preview release and the feature is open for all customers.

With this feature you can:

  • Clone an existing policy and edit its metadata
  • Create, edit and delete a custom policy
  • Create, edit and delete requirements in a custom policy
  • Link and unlink available controls to policy requirements

You can read more about the feature in Manage Posture Policies.

Coming soon in Actionable Compliance:

  • Control Library
  • Creating your own custom control in a custom policy

August 17, 2022

New Permission for Changing Team Roles

Team management has been improved with the addition of a new permission, Team Membership Roles. This permission allows the ability to change the roles of team members to be granted separately from the ability to add users to teams.

For more information, see:

August 10, 2022

Machine Learning Policies

A new machine-learning-based detection capability is available in Sysdig Secure.

While we strongly believe in our Falco-based rule approach, and do not consider machine learning to be the best way to detect every threat, we understand that specific use cases, such as cryptominer detection, require a different approach. Cryptominer detection is the first capability available in our Machine Learning policies.

To read more about how to configure them and how they work, see Machine Learning and our press release.

August 4, 2022

Agent Overview Page Released in Data Sources (Preview)

An Agents overview page in the Data Sources | Integrations interface has been made available as a technical preview for all customers. This new page shows all of the Sysdig Agents that have reported to the Sysdig backend, and enables you to quickly determine:

  • Which agents are up-to-date, out of date, or approaching being out of date
  • Which managed clusters have been detected in your cloud environment, but have not yet been instrumented with the Sysdig agent

The feature will remain in technical preview, as we add additional functionality and refine the workflows within the page.

See also: Data Sources | Sysdig Agents

Actionable Compliance - CSPM Policies Preview Released

Sysdig is pleased to announce the preview release of CSPM Policies in Actionable Compliance. This is a technical preview release, and the feature is open for all customers.

With this feature you can:

  • See what is being evaluated by the Actionable Compliance feature in the context of compliance standards (CIS, NIST, and so on)
  • Review the policy structure and the controls connected to it
  • Enable/disable controls
  • Filter controls by enablement status, violation severity, name, and control type

The features are under development and will soon include the ability to create custom CSPM policies as well.

Read more in CSPM Policies (Preview).

July 28, 2022

Managed Threat Detection Policies

From today, you will see all existing policies labeled as Custom Policies, alongside a list of disabled Managed Policies. The existing custom policies work exactly as they always have and require no action from you. However, to take advantage of the work of the Sysdig Threat Research team, we recommend moving over to the new managed policies. To read more about the different types of managed policies, see Threat Detection Policies.

July 21, 2022

Actionable Compliance - Accept Risk Preview Released

Sysdig is pleased to announce the preview release of Risk Acceptance in Actionable Compliance. This is a technical preview release, and the feature is open for all customers.

This feature allows you to:

  • Improve compliance score by Accepting a risk on a failing resource in a control
  • Register an acceptance reason and expiration date
  • Edit and revoke acceptance
  • See a summary of accepted risks in Compliance
  • Filter by accepted resources in the mini-inventory of violation results

You can read more about the feature in Compliance.

June 23, 2022

New Secure Event Forwarder Integrations: Elasticsearch & Microsoft Sentinel

Two new integrations have been released for Sysdig Secure’s Event Forwarder functionality:

June 2, 2022

Actionable Compliance Preview Released

Released the first preview of Actionable Compliance, the next phase of Sysdig Secure’s compliance offering and the first capability to support Kubernetes Security Posture Management (KSPM), with Cloud Security Posture Management (CSPM) to follow.

This is a technical preview release, and the feature is open for all customers. This feature includes:

  • Compliance views - a redesigned summary view for each built-in policy
  • Violation results - the first-ever mini-inventory to show violated resources with filtering capabilities
  • Actionable Remediation - automatically open a Pull Request to remediate a resource violation in its git stored source file (Infrastructure as Code)

Technical highlights:

  • Inventory based collection - a paradigm shift in how we collect CSPM data.
  • New agent collector - gathers all Kubernetes objects (workloads, subjects, roles, and so on) from the customer for future Inventory use
  • New node-analyzer container - collects the node’s Kubernetes, Linux and Docker configurations
  • Eight new micro-services
  • OPA based policies - built-in policies (previously benchmarks) with OPA controls (previously rules) for Kubernetes, Docker & Linux

You can read more about the feature in Compliance.

May 23, 2022

Custom Roles

A custom role is an admin-defined role that allows Sysdig administrators to bundle a set of permissions and assign those permissions to individual users or teams. Custom roles allow for finer-grained definition beyond the standard out-of-the-box Sysdig Roles. Once defined, a custom role can be assigned to any user inside a particular team, and configured as the default role for new users in that team. For more information, see Custom Roles.

The addition of custom roles into the platform is transparent, meaning that standard roles and assignments that already exist will not experience any changes.

May 19, 2022

To facilitate a smooth transition from the Legacy Scanning Engine to the new Sysdig Secure Vulnerability Management, the Settings menu now provides options for displaying the UI for the new, legacy, or both scanning engines.

Safe and transparent: This is a non-intrusive change. Regardless of how the New Vulnerabilities engine toggle is set, the Sysdig Secure navigation menu will not be modified without explicit user intervention, and the toggles alter only the user interface; they do not affect the function or running of the engine itself.

To enable/disable: See Which Scanning Engine to Use

If both are enabled: The two sets of features are clearly distinguished in the Navigation menu.

May 18, 2022

Policy Advisor Deprecation Notice

Sysdig Policy Advisor will be removed from all Sysdig accounts on June 17, 2022.

Policy Advisor was built during a time when PodSecurityPolicies (PSPs) were the only way to add Security Policies to a Kubernetes workload. PSPs have now been deprecated in Kubernetes 1.21, released more than a year ago.

May 17, 2022

Runtime Scanner 1.0.3 Released

Optimized requests performed on the Kubernetes API

See also: Vulnerabilities | Runtime

May 4, 2022

Sysdig Platform Audit

Sysdig Platform now supports the capability of tracking, logging and reporting on all changes in the system.

  • Track all activities on the API level
  • Retention period: 90 days
  • Simple API for retrieving audit information (no UI)
  • Events Forwarding support to be included in the near future (to be announced)
  • Enabled by default for all SaaS customers

See also: Sysdig Platform Audit

Sysdig Platform Login Banner

Sysdig Monitor and Secure now allow you to define a Login Message that is presented to all users. It was added to boost Sysdig’s compliance and enterprise readiness, and was originally requested by the IRS.

  • Users are not allowed to access the system until they acknowledge the message
  • One login banner per customer
  • Only Admin users can enable or update the message
  • Single banner for both Monitor and Secure (for Platform customers)
  • Available on SaaS for all customers

See also: Configure Login Message

May 3, 2022

Insights Feature GA

This release marks the general availability (GA) of the Secure Insights feature. Some of the changes introduced include:

  • Better support for Azure events
  • Amazon Web Services (AWS) Identity Access Management (IAM) permission integration
  • Fixed bugs in policy tuner flow
  • Removed the limit for displaying events in a time range

May 2, 2022

DriftControl Policies: Detect and Prevent Drift in Container Runtime

The Sysdig agent can now detect when a new executable is added to a container after the container has started. The agent records when a file is written (for example, downloaded) and made executable. In prevention mode, the agent can also stop that process from ever running. A policy defines which binaries added after container start should be denied, and which should be excluded from denial.
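The decision the paragraph describes, shown as an added example in Python (written for this page; it is not the Sysdig agent's implementation, which sees the write and chmod events live in the kernel rather than comparing snapshots). A baseline of executables is taken at "container start" and compared with a later snapshot; anything executable that was not there at start is drift, and a policy with deny and exclude patterns plus a detect/prevent mode decides what happens to it. The example goes one step beyond the page: it also flags a baseline binary that was overwritten in place. The filesystem, paths (/usr/bin/app, /tmp/dropped, /usr/local/bin/kubectl) and patterns are constructed for the demo.

```python
"""Flag executables that appeared in a container after it started (drift).

Added example, not the Sysdig agent's implementation: the agent observes the write
and chmod events live, whereas this script compares a baseline snapshot taken at
"container start" with a later one. It also flags baseline binaries that were
overwritten, which goes a step beyond the new-file case described on the page.
"""
import fnmatch
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # container path -> (size, mtime)


@dataclass
class DriftPolicy:
    mode: str = "detect"          # "detect" records the event; "prevent" would also block
    deny: List[str] = field(default_factory=lambda: ["*"])  # patterns that count as drift
    exclude: List[str] = field(default_factory=list)        # exempted even if they match deny


def new_root(prefix: str = "drift-") -> str:
    """Scratch directory standing in for a container's root filesystem (constructed)."""
    return tempfile.mkdtemp(prefix=prefix)


def write_file(root: str, rel: str, data: bytes, executable: bool) -> str:
    """Create a file under root; exec bit set or cleared as requested."""
    full = os.path.join(root, rel.lstrip("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    os.chmod(full, 0o755 if executable else 0o644)
    return full


def snapshot_executables(root: str) -> Snapshot:
    """Every regular file under root with any execute bit set, keyed by its
    container-relative path."""
    found: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found["/" + os.path.relpath(full, root)] = (st.st_size, int(st.st_mtime))
    return found


def _matches(path: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatch(path, p) for p in patterns)


def evaluate_drift(baseline: Snapshot, current: Snapshot,
                   policy: DriftPolicy) -> List[Tuple[str, str, str]]:
    """Return (path, kind, action) for each drifted executable.
    kind is 'added' or 'modified'; action is 'allowed', 'detected' or 'blocked'."""
    events = []
    for path, meta in sorted(current.items()):
        if path in baseline and baseline[path] == meta:
            continue  # shipped with the image and untouched: not drift
        kind = "modified" if path in baseline else "added"
        if _matches(path, policy.exclude) or not _matches(path, policy.deny):
            action = "allowed"
        else:
            action = "blocked" if policy.mode == "prevent" else "detected"
        events.append((path, kind, action))
    return events


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: an image shipping /usr/bin/app, then an unknown binary
    dropped into /tmp and a tool installed under /usr/local/bin after start."""
    root = new_root()
    write_file(root, "/usr/bin/app", b"#!/bin/sh\necho app\n", executable=True)
    baseline = snapshot_executables(root)          # what the image shipped with
    write_file(root, "/tmp/dropped", b"ELF...", executable=True)
    write_file(root, "/tmp/notes.txt", b"not executable", executable=False)
    write_file(root, "/usr/local/bin/kubectl", b"#!/bin/sh\n", executable=True)
    policy = DriftPolicy(mode="prevent", deny=["*"], exclude=["/usr/local/bin/*"])
    return evaluate_drift(baseline, snapshot_executables(root), policy)


if __name__ == "__main__":
    for path, kind, action in demo():
        print(f"{action:8s} {kind:8s} {path}")
```

In the demo, /tmp/dropped is blocked because it matches the deny pattern and the policy is in prevention mode, /usr/local/bin/kubectl is allowed because an exclude pattern covers it, and the non-executable /tmp/notes.txt never enters the picture. The exclude list is the place to put legitimate post-start installs so that the deny-all default stays in force for everything else.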

See also: Drift Policy

April 28, 2022

Component Security Fixes

The following Sysdig Secure components were updated with the latest security patches (April 2022):

April 20, 2022

New Vulnerability Management Engine

Sysdig is pleased to announce the new Vulnerability Management engine, a major upgrade to the vulnerability and image scanning functionality for the Sysdig Secure product.

Major Highlights

  • Scanning times have been drastically reduced. The average scan is now eight times faster.

  • Additional data is provided for vulnerabilities and remediation

    • CVSS scores and metrics: Network Attack Vector, Privileges required, etc.
    • Flagging of publicly available code Exploits
    • Suggested package fix version
  • Risk spotlight: Focus on the vulnerabilities that Sysdig detects in active packages at runtime.

    • This is a new filter that only shows CVEs with active packages, to save time browsing infrastructure and to help you focus on high-impact CVEs
  • New Vulnerability Reporting module

    • Up to 14 days retention of individual reports
    • Generate now allows scheduling directly from the UI
  • Flexible policies that can be attached to the different runtime and security contexts

How to Move to the New Scanning Engine

The new vulnerability management engine uses different data storage, APIs, host components, and user interfaces than the legacy scanning engine.

  • Contact your Sysdig representative. They will guide you through the process of migrating your subscription and vulnerability management configuration to the new engine.

For further reading, see Vulnerability Management.

March 8, 2022

Scanning Component Updates

The following components have been upgraded to the listed versions with bug fixes and security updates:

  • node-image-analyzer:0.1.16
  • secure-inline-scan:2.4.9
  • host-analyzer:0.1.6

The latest Helm chart includes these versions for Node Image Analyzer and Host Analyzer. Follow the Quick Start documentation to upgrade the inline scanner.

March 3, 2022

New CIEM Features

User Risk Labels

Risk Labels are now surfaced to highlight insecure attributes of specific Users and Roles. They are listed within the Users & Roles page and within the User Details tab of a specific user.

Trend Charts in Overview

Time charts are now available within the Overview tab of Identity and Access. These help to visualize your permission trends over time for Users, Policies, and Resources.

CSV Report Export

All of the pages within Identity and Access can now be exported as a CSV file. Select the Download CSV button found at the top right corner of all pages.

Effective Permission Calculation

AWS supports different types of policies that limit permissions at different scopes. Sysdig now calculates effective permissions taking into account permissions boundaries and organization-level service control policies (SCPs). This gives additional context when viewing permissions by identity. For example, an identity that has been granted an administrator-level identity policy is still limited in its overall permissions if a permissions boundary is attached to it.
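The intersection the paragraph describes, worked through as an added example in Python (written for this page, not Sysdig's engine). The simplifications are deliberate and labelled in the code: statements carry only Effect and Action (no Resource, Principal or Condition), action matching is case-insensitive with IAM's `*` and `?` wildcards, and SCPs are supplied as one document per organization level, each of which must allow the action. The evaluation follows the documented gates: an explicit Deny anywhere wins, then the SCPs, then the permissions boundary, then the identity policies. All policy documents and the candidate action list are constructed for the demo.

```python
"""Effective AWS permissions: identity policy gated by permissions boundary and SCP.

Added example, not Sysdig's engine. Simplifications: statements carry only Effect
and Action (no Resource, Principal or Condition); Action matching is case-insensitive
with IAM's '*' and '?' wildcards; SCPs are one document per organization level and
each level must allow the action. Any explicit Deny wins; then SCP, then boundary,
then the identity policies must allow.
"""
import fnmatch
from typing import Dict, List, Optional, Tuple

Policy = Dict  # {"Statement": [{"Effect": "Allow" | "Deny", "Action": str | [str]}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: Policy, action: str) -> str:
    """'Deny' if an explicit Deny statement matches, 'Allow' if an Allow matches,
    otherwise 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in _listify(policy.get("Statement", [])):
        patterns = [a.lower() for a in _listify(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def effective_decision(action: str, identity_policies: List[Policy],
                       boundary: Optional[Policy] = None,
                       scps: Optional[List[Policy]] = None) -> Tuple[str, str]:
    """Return (decision, reason) for one action on one identity."""
    for level, scp in enumerate(scps or []):          # every org level must allow
        verdict = evaluate(scp, action)
        if verdict != "Allow":
            return "Deny", f"SCP at level {level}: {verdict}"
    if boundary is not None:                          # boundary caps the identity
        verdict = evaluate(boundary, action)
        if verdict != "Allow":
            return "Deny", f"permissions boundary: {verdict}"
    verdicts = [evaluate(p, action) for p in identity_policies]
    if "Deny" in verdicts:
        return "Deny", "identity policy: explicit Deny"
    if "Allow" in verdicts:
        return "Allow", "allowed by identity policy within boundary and SCP"
    return "Deny", "identity policy: ImplicitDeny"


def effective_actions(candidates: List[str], identity_policies: List[Policy],
                      boundary: Optional[Policy] = None,
                      scps: Optional[List[Policy]] = None) -> List[str]:
    """Subset of candidate actions the identity can really use."""
    return sorted(a for a in candidates
                  if effective_decision(a, identity_policies, boundary, scps)[0] == "Allow")


# Constructed policies for the demo: an admin identity policy, a read-only boundary,
# and an organization SCP that allows everything except a couple of actions.
ADMIN_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_READ_BOUNDARY = {"Statement": [{"Effect": "Allow",
                                   "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"]}]}
ORG_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"},
                         {"Effect": "Deny", "Action": ["s3:GetObjectAcl", "organizations:Leave*"]}]}
CANDIDATES = ["s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
              "ec2:DescribeInstances", "ec2:RunInstances", "iam:CreateUser"]

if __name__ == "__main__":
    print("admin identity policy alone:", effective_actions(CANDIDATES, [ADMIN_IDENTITY]))
    print("with boundary and SCP:      ",
          effective_actions(CANDIDATES, [ADMIN_IDENTITY], S3_READ_BOUNDARY, [ORG_SCP]))
```

With the constructed inputs the "administrator" identity ends up with exactly two usable actions out of the six candidates: s3:GetObject and ec2:DescribeInstances. Everything else is cut off either by the boundary (s3:PutObject, ec2:RunInstances, iam:CreateUser) or by the SCP's explicit Deny (s3:GetObjectAcl), which is the context an effective-permission view adds over reading the identity policy on its own.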

CIEM Data in Insights

Within the Cloud Activity and User Activity views in Insights, there is now an Identity and Access tab. This will help investigative flows to understand the context from an IAM perspective.

March 1, 2022

New: Data Sources Instrumentation

On the Data Sources > Managed Kubernetes page: For unconnected clusters, Sysdig has added quick instrumentation instructions using the known details about the cluster, such as the cloud account, region, and cluster name.

February 28, 2022

New: Data Sources Features

Cluster Status

The Data Sources page now tracks all Managed Kubernetes Clusters, and whether they are connected or not connected. This can help determine if Sysdig Agent is no longer reporting to the Sysdig backend, for example, if it did not have enough resources to install. Each node will also report on the agent version installed at that time.

Instrumentation Instructions

Sysdig now adds quick instrumentation instruction to a Managed Kubernetes Cluster using the known details about the cluster, such as the cloud account, region, and cluster name.

February 10, 2022

Improved Usability with New Navigation

The redesigned left-hand navigation makes moving around the product faster and easier.

For a demonstration of the new feature, see the video walk-through.

Improved Menu Handling

  • Hoverable Sub-Menu: With each module that has additional menu options, hover over the respective module to quickly navigate.

  • Collapsible Main Menu: Save space with the collapsible left-hand navigation.

New Menu Option: Integrations

A dedicated Integrations menu option provides an easy way to access both inbound and outbound integrations.

Inbound:
  • Access the Cloud Accounts page to quickly understand which applications and services are running, and where the Sysdig agent is installed.
  • Access Managed Kubernetes to get a catalog of all the managed Kubernetes clusters in your environment. The connected/unconnected status is based on whether the agent is installed or not.

Outbound: Manage your Event Forwarding, Notification Channels, and S3 Capture Storage

3rd Party: Manage your Git Integrations

Revamped User Menu

Now all the settings options are collected and available in one large menu.

February 2, 2022

Enhanced Unified Filter for Event Feed

A new unified filtering experience of the Event Feed is now available for Secure SaaS accounts.

Easily toggle from the original to the enhanced version, where you will find:

  • Unified scopes, free text and any other filterable/searchable attributes on a single bar
    • Autocomplete on keys and values
    • Autocomplete/suggest operands
    • One-click quick filtering directly from the list of displayed elements
  • Saved filters in various formats– no more retyping common filter expressions
    • Favorite filters, stored per user and feature
    • Default filters, per user and feature
    • Recent filters, per user and feature

See also: Secure Events

January 26, 2022

Unified Compliance Reporting

Released a rework of our Compliance and Benchmarking capabilities. This change brings a number of improvements:

  • Compliance and Benchmark tasks are now scheduled, managed, and generate reports in an updated and unified interface, with simpler pathways to remediation and easier-to-navigate reports.
  • The logic used to check individual controls now checks for events signalling control failures, as well as ensuring the correct Runtime rules are configured to detect these events. This leads to a more comprehensive audit that captures activity as well as configuration.
  • New compliance standards and platforms added:
    • For workload, AWS, GCP, and Azure:
      • NIST 800-82 Rev2
    • For workload and AWS:
      • FedRAMP
      • HITRUST CSF 9.4.2
    • For GCP and Azure:
      • GDPR
      • HIPAA
      • ISO 27001:2013
      • NIST 800-53 Rev4
      • NIST 800-53 Rev5
      • NIST 800-171
      • NIST 800-190
      • PCI DSS v3.2.1
      • SOC 2

Prerequisites

  • Agent version 12.0.4 or higher

    If necessary, install or upgrade your agent to the appropriate version.

  • Node analyzer installed

If you are upgrading from an earlier version of Sysdig Secure, your existing compliance and benchmark records will be migrated to the new version and retained on the same schedule as before.

See also: Compliance

New Feature: Review Applied Kubernetes Network Policies

Sysdig Secure has added the ability to view the Kubernetes Network Policies (KNPs) that have been applied directly from the Network Security Policy UI.

You can:

  • Review the relevant policies applied to the pod-to-pod communication for the current view

  • Click View Policy to see the raw YAML of the network policy applied to that workload.

See also: Netsec Policy Generation

January 2, 2022

Welcome Infrastructure-as-Code!

Infrastructure-as-Code (IaC) is an important part of today’s cloud-native infrastructure. We at Sysdig know that the earlier you identify possible posture issues, the better off you are.

The new feature allows you to integrate Kubernetes IaC checks into your Git pipeline. With just a few clicks, the standard compliance checks will be integrated into the Pull Request (PR) flow and alert developers to policy violations before they merge.

Supportability & Requirements

The new capability will use either an application or a webhook in your respective git provider.

  • GitHub - GitHub Application
  • GitLab - Webhook
  • Azure DevOps - Webhook
  • Bitbucket - Webhook

For each provider you can define the repos and folders to protect, as well as branches on which to perform the evaluation.

See also: Git IaC Scanning