2023 Archive

2023 Archive of Sysdig Secure (SaaS) released features.

December 21, 2023

Inventory General Availability (GA)

Sysdig is pleased to make our Inventory feature available by default to all Secure SaaS customers with the following capabilities:

  • Unified Data - leveraging our Cloud Attack Graph to combine posture, vulnerability, configuration, and network exposure findings as well as runtime insights on your resources

  • “Featured Filters” panel - to ease your search experience

  • Image as a Resource - container images are returned as a first-class citizen

  • Image and Workload Vulnerabilities - view and search on vulnerability data (CVE, Package, Exploit, Fix, In Use…)

  • Network Exposure on Vanilla K8s Workloads, AWS EC2s and S3 buckets, Azure VMs, and Blob Containers - display and query resources that are directly or ingress-exposed to the internet

  • New resource metadata is available:

    • Search for Containers and Image Pullstrings on K8s Workloads
    • Search by Namespace for IaC K8s Workloads
    • Search for cloud resources by ARN for AWS or Resource ID for GCP and Azure
  • Unique URL for each resource (in addition to applied search filters) which can be shared with your teammates/ colleagues.

See Inventory for details.

Host Scanner v0.7.2

Released Host Scanner v0.7.2. This update fixes an issue that can occur when scanning Podman v3 containers using Non-Kubernetes Container Scanning configuration.

December 20, 2023

Improved Jira Integration

Vulnerability Management (VM) has now been fully integrated with Jira. Click on any vulnerability in the the VM module to create a fully-fleshed out Jira ticket, which you can assign to a colleague from the comfort of the Sysdig UI. Sysdig will then remember which vulnerabilities have Jira tickets.

See Remediate with Jira for details.

Splunk Integration

Splunk has been integrated with Vulnerability, joining the ranks of Jenkins and ServiceNow. Fetch, triage and orchestrate Sysdig runtime vulnerabilities in Splunk with a Technical Add-On (TA). The Splunk TA enables the extraction of all Runtime scan results.

Download the Sysdig Vulnerabilities add-on from Splunkbase to get started, as described in Vulnerability Integrations |Splunk.

Non-Kubernetes Container Scanning

Scan Docker and Podman containers for vulnerabilities with Sysdig Secure.

For more information, see Non-Kubernetes Container Scanning.

December 18, 2023

Agentless Host Scanning (Technical Preview)

On AWS EC2 hosts, you can now perform agentless runtime vulnerability scanning. You can also view all discovered hosts, get real-time status updates, and troubleshoot issues with the Cloud Hosts page in Data Sources.

See AWS Agentless Installation for details.

Runtime Scanner v1.6.7 Released

Introduced an environment variable to override the containers-storage configuration to prevent cri-o crashes.

December 15, 2023

Risk Spotlight General Availability (GA)

The Vulnerability Management team is excited to announce the official release of Risk Spotlight (aka EVE or “In Use”). After several iterations of the agent, profiling service, and vulnerability management integration stages to address accuracy and computational requirements, the Risk Spotlight service is officially GA.

With Sysdig agent v12.15+ and runtime vulnerability management scanning, you can identify and prioritize packages that are both vulnerable and actively “In Use” in runtime workloads.

We also enable external integrations with partners that use this data, such as Snyk and Docker.

See Risk Spotlight (In Use) and Risk Spotlight Integrations for details.

December 13, 2023

Leverage Artificial Intelligence for AWS Console Login Anomaly Detection

With the AWS Machine Learning (ML) policy, you can detect anomalous AWS Console login events in connected AWS cloud accounts.

This policy allows you to understand why an event is considered anomalous compared to the expected behavior. In addition, you get visibility into the most influential contributing factors and the confidence level of the detection accuracy.

For details, see the AWS ML Policy documentation.

December 12, 2023

Inline Scanner v1.6.3 Released

Corrected the format of the publish date of a vulnerability in the JSON output.

Runtime Scanner v1.6.6 Released

  • Updated label processing logic

  • Added the published date of a vulnerability

December 4, 2023

Extend Posture to Use Auto-Remediation with AWS Cloud Resources

This feature allows you to automate the process of maintaining and improving the security and compliance posture of your AWS infrastructure, reducing the risk of security breaches and operational disruptions. This extends remediation to AWS Terraform resources.

First, create Terraform configuration files that define the desired state of your AWS resources. Sysdig provides automated remediation for fixing risks by opening a PR directly on the IaC code files for your acceptance.

For details, see Compliance - Evaluate and Remediate.

RBAC Permissions available in Posture for Accept Risk, Open PR

Administrators can now define which roles are permitted to accept risks, manage accepted risks, and open pull requests for posture/compliance findings, using granular permission items under

Sysdig Secure → Posture:

  • ComplianceRead: Access compliance results
  • Risk AcceptanceRead, Edit: View, manage, revoke, and edit Posture risk acceptance
  • Open PREdit: Set up a pull request for posture findings remediation

Existing Default Roles: Team Manager and Advanced User now have Edit permission for Posture Risk Acceptance and Open PR.

For details, see Detailed Role Permissions.

December 1, 2023

Inline Scanner v1.6.2 Released

  • Fixed a defect that could cause missing accept risk results with packages including a release and epoch in package version
  • Added the publish date of a vulnerability in the JSON output
  • Updated dependencies to address security vulnerabilities

November 22, 2023

Event Forwarding Directly from Sysdig Agent

With Sysdig agent v. 12.18+, it is possible to send Runtime Policy Events and Activity Audit events to SIEM platforms and logging tools directly from the agent. This enables event forwarding without exposing the data collection tool on the internet.

For details, see Agent Local Forwarding.

Report Policy Actions in Kubernetes Events

With Sysdig Agent v.12.18, Sysdig Secure now supports reporting threat detection policy actions in Kubernetes events.

When the agent performs a stop, pause, or kill container action as defined in a rule, the agent will generate a Kubernetes event with the triggering action details and rule name. You can then see why actions were taken directly from the kubectl events, without having to explore the event feed in Sysdig Secure.

For details, see Report Policy Actions.

Legacy Inline Scanner v 2.4.26 Released


Vulnerability fixes for the following high-severity CVEs:

November 16, 2023

Runtime Scanner v1.6.4 Released

Updated dependencies to address security vulnerabilities.

November 13, 2023

Improved Home Page

Sysdig is pleased to announce a new and improved Home page! The Home page offers a clean, visual representation of the most important issues in your environment and a curated list of the top tasks required. The default tab Home encompasses the Dashboards and the other tab contains Recommendations.

For the Home page dashboards to display data, you must have completed basic onboarding and at least one data source must be connected. Otherwise, the page will provide prompts for completing those setup tasks.

What is displayed in Dashboards is dependent on what has been installed.

For details, see the Home page documentation.

Star Favorite Compliance Views

You can now select specific Policy + Zone combinations you want to see tracked on the Home page.

For details, see the Compliance documentation.

October 26, 2023

Custom Posture Controls Available

You can now tune your compliance results by customizing your posture controls.

To edit evaluation parameters on select Posture Controls, see configure evaluation parameters.

Runtime Scanner v1.6.3 Released

Updated several dependencies to address security vulnerabilities.

October 20, 2023

VM Registry Scanner v0.2.50 with Google Artifact Registry and Sonatype Nexus Repository Support

Sysdig is pleased to announce the release of the registry scanner v0.2.50 with chart v1.1.11. The new version offers the following:

For more information, see Install Registry Scanner.

Inline Scanner v1.6.1 Released

  • Added a link to the Red Hat Security Advisory in the JSON output of the scan result
  • Updated dependencies to address security vulnerabilities

Runtime Scanner v1.6.2 Released

  • Fixed a misbehavior that could lead to erroneous “in use” results for Python-related vulnerabilities
  • Updated to use vulnerability database v2 by default
  • Updated dependencies to address security vulnerabilities

October 17, 2023

Legacy Inline Scanner v 2.4.25 Released


Vulnerability fixes for the following CVEs:

October 10, 2023

Reporting for Image Pipeline Vulnerability Scanning

The Vulnerability Management (VM) team is pleased to announce the release of Reporting for Image Pipeline scanning.

The Vulnerability Management engine now provides reporting for all scanning functionality (Runtime, Registry, Host, and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.

This feature enables the easy collection and reporting on Pipeline scans over a given time period. With this addition, we have completed normalizing the data output functions across the Vulnerabilities scanning set.

For more details, see Reporting for Image Pipeline scanning.

Inline Scanner v1.6.0 Released

  • Updated dependencies to address security vulnerabilities
  • Updated to use vulnerability database v2 by default

September 28, 2023

Admission Controller v0.14.9 Released

Kubernetes audit events are now enriched with container metadata to give additional insight into your infrastructure. With this enhancement, all the pod events now display container.name, pod.name, and pod.namespace labels. You can view these labels on the Secure Event detail panel for events such as Create HostNetwork Pod and Attach/Exec Pod.

September 27, 2023

Customize Posture Controls Severity

All Posture Controls can now be configured to edit the control severity.

Administrators can control which roles are permitted to see and edit posture controls using a new permission item under Sysdig Secure > Policies > Posture Controls (Read, Edit).

Existing Default Roles: Team Manager and Advanced User now have Edit permission for Posture Controls.

For details, see Configure Severity.

September 26, 2023

Exception UI Improvements for Threat Detection Rules

Sysdig has introduced a new, user-friendly exception builder. The new exception UI, built into the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules.

For more information, see Manage Threat Detection Rules.

September 21, 2023

Cloud Logs

Sysdig has introduced a new product bundle intended for users who are interested in Cloud Detection and Response (CDR) for Cloud Logs but do not want to use Cloud Security Posture Management (CSPM). For more information, see Cloud Logs.

September 20, 2023

Agent Tags Support through Zone Scopes in Posture

Do you need to scope your Zones using the Agent Tags applied to your hosts and clusters?

You can now add Zone scopes: Kubernetes and Host with Agent Tags attributes. Add Agent Tags Key:Value pairs just as you add Labels.

For details, see Posture Host Analyzer installation.

September 14, 2023

Runtime Scanner v1.5.7 Released

Renamed the environment variable VULNERABILITY_DB_VERSION to USE_MAINDB_V2 for consistency with the rest of the client components.

September 7, 2023

Advanced Users Can Apply Tuning Suggestions (Preview)

To simplify identifying and applying exceptions, we are enabling the ability for Advanced Users and Team Managers to see and apply tuning suggestions from Insights and Event detail pages.

To enable:

  1. Log in to Sysdig Secure as Admin and go to Settings.
  2. Toggle Advanced User Tuner Enablement on.

This will become default behavior starting Oct 15th, 2023.

September 6, 2023

Sysdig Secure Support for Rancher Kubernetes Engine (RKE2)

We are happy to announce the support for Rancher Kubernetes Engine (RKE2) which, lacking an official Center for Internet Security (CIS) benchmark, is supported by the addition of a new in-house policy.

Sysdig Secure Coverage Improvement for AWS

The Sysdig Secure posture control library has been expanded to improve its Amazon Web Services (AWS) resource coverage. The control library now includes 26 new controls providing support for 17 new resource types (both deployed and from Terraform code) across the following AWS services:

  • Amazon DynamoDB
  • Amazon EC2
  • Amazon Elastic File System (EFS)
  • Amazon Kinesis
  • Amazon RDS
  • Amazon SageMaker
  • Amazon Simple Queue Service (SQS)
  • AWS Elastic Beanstalk
  • AWS Network Firewall
  • AWS Systems Manager (SSM)

See also: Compliance.

OOTB Policy Content Updates

The following policies have gone through updates:

  • Sysdig Mirantis Kubernetes Engine (MKE) Benchmark v1.1.0
    In collaboration with Mirantis, we have updated some of the audits in order to provide more accurate results.

  • AWS Well Architected Framework
    The Well Architected Framework has been augmented with 26 new controls providing support for the recently added resource types, as well as for some of the already existing.

As a fundamental part of the support for Rancher Kubernetes Engine, Sysdig now provides the following new policy:

  • Sysdig Rancher Kubernetes Engine (RKE2) Benchmark v1.6.0
    The hardening guide provides prescriptive guidance for hardening a production installation of RKE2, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes benchmark. It is to be used by RKE2 operators, security teams, auditors, and decision makers.

Runtime Scanner v1.5.6 Released

Updated the dependencies to address security vulnerabilities.

August 30, 2023

Runtime Scanner v1.5.5 Released

Fixed a defect that could cause the runtime scanner to perform unnecessary scans.

Inline Scanner v1.5.2 Released

August 24, 2023

Agentless Threat Detection for GitHub (CA)

Your GitHub organizations can be now secured with Sysdig agentless cloud dection and response (CDR), which extends its capabilities adding the first Git provider to the list of supported sources. By installing the Sysdig app on GitHub, it will be possible to enable our Falco-powered threat detection capabilities. You will also find policies and rules provided and maintained constantly by our Threat Research Team, along with the possibility to create your own custom ones.

For installation instructions, see Git Integrations.

This feature is currently in controlled availability (CA).

Runtime Scanner v1.5.4 Released

  • Corrected a misbehavior that could cause wrong handling of symbolic links
  • Fixed a misbehavior that could cause false positives due to wrong handling of opaque directories

August 21, 2023

Agentless Threat Detection for Okta (Preview)

Sysdig agentless CDR extends its coverage by adding support for Okta, the first identity provider (IdP) in the list of supported sources. You can now connect Okta organizations to Sysdig and use the power of Falco rules to detect threats in your environment. Along with the customizability of Falco rules, Sysdig provides managed policies and rules that are constantly being updated.

August 10, 2023

Control Access to Zones and Posture Policies

Sysdig is introducing two new permission items under Sysdig Secure Policies:

  • Zones (Read, Edit)
  • Posture Policies (Read, Edit)

These permission items enable administrators to control who can edit access to Zones and Posture Policies, including APIs.

Existing roles are updated with the following permissions:

  • Default Roles; Team Manager, Advanced User:
    • Zones: Edit
    • Posture Policies: Edit
  • All Existing Custom Roles and Default Roles; Service Manager, Standard User, View Only:
    • Zones: Read
    • Posture Policies: Read

For more information, see Secure Team Roles.

August 7, 2023

Runtime Rule Tuner Updated

Simplified and improved the interface of the Runtime Rule Tuner:

  • Exception information is now presented in easy-to-understand name/value pairs.

  • Values can be freely edited.

  • Added explicit Apply buttons for each exception, making the choices conscious and avoiding security blindspots.

  • If you are using Terraform to manage exceptions, you can now view the suggested exception as Terraform snippet and copy/paste it in to your Terraform file.

  • Impacted policies and any already-applied exceptions are displayed to help you make more informed decisions.

See how to use the improved feature in the Events feed. You can also access it from Insights.

August 2, 2023

CLI Scanner v1.5.1 Released

Sysdig released the new version of cli-scanner with a breaking change in tech preview. The format of the JSON scan result has been changed in command line (CLI) Scanner v1.5.1.

When you run cli-scanner with the --json-scan-result parameter, the severities in JSON keys are not capitalized anymore. For example:

"vulnTotalBySeverity": {
      "Critical": 2,
      "High": 65,
      "Low": 24,
      "Medium": 107,
      "Negligible": 417

has been changed to:

    "vulnTotalBySeverity": {
      "critical": 2,
      "high": 65,
      "low": 24,
      "medium": 107,
      "negligible": 417

This change impacts the following JSON objects:

  • vulnTotalBySeverity
  • fixableVulnTotalBySeverity

Runtime Scanner v1.5.2 Released

  • Added an environment variable to configure the timeout for the initial scan operation
  • Added a flag to use vulnerability database v2
  • Updated dependencies to address security vulnerabilities

July 26, 2023

Detect Fileless Attacks with New Rule

Sysdig Secure has added the ability to detect fileless attacks using a new Falco rule on the managed policy called Sysdig Threat Detection.


See this blog post for details on Sysdig’s solution to fileless malware detection.

July 25, 2023

Admission Controller v0.11.8 Released

Changed the title for scan events in Sysdig Secure to the format <policy> | <rule>, fixing a bug in the user interface (UI) when using filters from the title in the event feed.

Inline Scaner v1.5.1 Released

  • Corrected the reporting of severities by the inline scanner to ensure they are consistently in lower case
  • Added a feature flag to activate the vulnerabilities database v2 in preview

Runtime Scanner v1.5.1 Released

Updated dependencies to address security vulnerabilities.

July 24, 2023

OpenID Single Logout Support

Sysdig added support for OpenID Single Logout. Using Single Logout, a user can initiate a logout and terminate all sessions without having to log out from each one individually.

For more information, see Configure OpenID Single Logout.

Enhanced Sysdig Platform Audit

The Sysdig Platform Audit has been enhanced to include username and team name in the audit information in addition to user ID and team ID. The feature is Generally Available (GA).

For more information, see Sysdig Platform Audit.\

July 20, 2023

Legacy Inline Scanner v 2.4.24 Released


Vulnerability fixes for the following CVEs:

July 19, 2023

Sysdig Secure Live Is Enabled for All Users

Sysdig Secure Live has been enabled for all users. For more information on this feature, see the following:

July 18, 2023

Policy Scope Deprecation: Kubernetes Workload Labels

Deprecation Notice: To improve agent performance and decrease load on the Kubernetes API, the Kubernetes workload metadata will no longer be a valid scope configuration, starting October 18, 2023.

Why: When a policy with one of these scopes is applied, every agent must request the metadata from the Kubernetes API for all clusters. We have found that most policies are created for namespaces, clusters, or other metadata local to the agent. Many of the policies that used this metadata in the scope were used to make an exception for all rules in that policy. Sysdig supports Falco exceptions that are more targeted to a process, container, image, and so on, in a specific rule, making for more targeted security rules that provide better performance and security coverage.

What: The following workload metadata will be deprecated from policy scoping:

  • kubernetes.daemonset.name
  • kubernetes.deployment.name
  • kubernetes.statefulset.name
  • kubernetes.replicaset.name
  • kubernetes.cronjob.name
  • kubernetes.cron.name*

Outcome: Existing policies with these scopes will continue to work but cannot be modified with the same labels. New policies cannot be created with these labels in the scope.

Recommendation: If you have used one of these scopes to apply a rule or set of rules, replace with scope for kubernetes.namespace.name + container.name

Example replacing kubernetes.deployment.name

Old scope:

kubernetes.namespace.name 	= default AND
kubernetes.deployment.name 	= nginx

Supposing a container called nginx exists inside the deployment nginx, replace it with:

kubernetes.namespace.name 	= default AND
container.name 			= nginx

You can also get more specific by using images:

kubernetes.namespace.name	= default AND
container.name 			= nginx AND
container.image.repo 		= quay.io/nginx

July 14, 2023

Admission Controller v0.11.3 Released

Admission Controller v0.11.3 is released. This release removes the kubernetes workload name from legacy scan secure events, allowing those events to be aggregated in the Secure Events Overview dashboard.

General Availability of Runtime Events Dashboards

Sysdig is pleased to announce the General Availability (GA) of Runtime Events dashboards. These dashboards respect team scopes and remove the Tech Preview limitation in which teams had to be scoped to “entire infrastructure” to be able to see the dashboards.

July 04, 2023

Vulnerability Management APIs Added

The following new API endpoints have been released in Technical Preview to list and filter vulnerability scan results for Pipeline, Registry, and Runtime as well as to fetch detailed scan results in JSON format:

  • Get a list of pipeline scan results: GET /secure/vulnerability/v1beta1/pipeline-results
  • Get a list of registry scan results: GET /secure/vulnerability/v1beta1/registry-results
  • Get a list of runtime scan results: GET /secure/vulnerability/v1beta1/runtime-results
  • Get full scan results: GET /secure/vulnerability/v1beta1/results

These API endpoints are applicable only to the current Vulnerability scanning engine.

For more information on accessing the API, see Developer Tools.

June 23, 2023

Process Tree Visualization in Events Feed (Preview)

Sysdig has eleased the technical preview of the Process Tree feature in the Sysdig Secure events feed. This feature visually unveils the context in which a process was launched. It displays process lineage for security practitioners in a familiar EDR format to help users easily understand the relationships and dependencies between processes to accelerate incident response.

This feature requires Sysdig agent v12.15 and must be manually enabled.

For more information, see Process Tree.

June 27, 2023

Investigate Rule Change Details

In addition to the Updated badge that is now appended to Threat Detection rules, you can now also use a comparison panel to review the precise changes that were made. This applies to changes made to managed rules set by the Sysdig Threat Detection team, as well as customizations made by users.

For details, see View Recent Changes to a Rule.

June 26, 2023

Improved AWS Cloud Account Onboarding

Sysdig has launched an improved onboarding experience for AWS Cloud Accounts, enabling users to specify their installation preferences regarding type, method, and desired features. Sysdig then guides you through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s agentless CDR now supports threat detection on AWS CloudTrail, eliminating the need for additional computational resources. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their AWS accounts and organizations effortlessly while benefiting from robust event processing.

For details, see the AWS Onboarding documentation.

June 20, 2023

Sysdig Secure Live - Preview

Secure Live is a powerful tool that assists in the response and investigation into security events, vulnerabilities, and misconfigurations in your infrastructure under one pane of glass, with a simple way to scope on the part of the infrastructure you are investigating.

How Does It Work?

Secure Live presents the last 24 hours of your infrastructure by scopes based on the hierarchy, such as cluster, namespace, and workloads. Selecting one of these scopes presents existing data from different parts of Sysdig Secure in a curated set of panels and tabs that are specific to that scope. As this feature evolves, more panels and “Live” views will be added, such as Posture Tab and Cloud Live.

What are the Benefits?

Sysdig Secure Live provides a number of benefits, including:

  • Increased visibility: Secure Live provides a unified view of your infrastructure, making it easier to identify and respond to security threats.
  • Improved efficiency: Secure Live can help you to automate many of the tasks involved in security operations, freeing up your team to focus on more strategic work.
  • Reduced risk: Secure Live can help you to reduce the risk of security breaches by providing you with the information you need to identify and address vulnerabilities before they are exploited.

What are the Limitations?

Sysdig Secure Live is still under development, so there are a few limitations to be aware of:

  • Limited data retention: Secure Live only stores data for the last 24 hours.
  • No customization: The scopes, panels, and tabs in Secure Live cannot be customized at this time.

What’s Next?

Sysdig is committed to continuously improving Sysdig Secure Live. In the future, we plan to add new features and functionality, such as:

  • Support for more cloud providers: Sysdig Secure Live currently supports AWS, Azure, and Google Cloud Platform (GCP). We plan to add support for more cloud providers in the future.
  • Integrations with other security tools: Sysdig Secure Live can be integrated with other datasources from Falco, such as Okta and Github. This will allow users to get a more comprehensive view of their overall cloud native security

To enable the feature, see Secure Live.

June 16, 2023

Jenkins Plugin v2.3.0 Released

  • Added support to apply image-based accepts for the following:
    • All the versions of an image
    • Images in a specific registry and repository
    • Images that contain wildcards for a customized subset of the environment
  • Updated the analyzer to inspect the vendor directory for packages.
  • Shows Pipeline results in the Vulnerability Management Overview page.

Unified Subscription Page

The Subscription page has been enhanced to provide a unified look and feel for both Sysdig Monitor and Sysdig Secure. This improvement is particularly useful to Sysdig Platform users as it now shows all the relevant subscription information, regardless of which product is currently selected. The feature is Generally Available.

For more information, see Subscription.

June 13, 2023

CLI Scanner v1.5.0 Released

Sysdig released the new version of cli-scanner. The CLI Scanner v1.5.0 introduces the following:

Accept Risk Feature Updated

Sysdig is pleased to announce the update of the Accept Risk feature for Vulnerability Management. This update enables users to extend risk acceptance in several customizable ways to allow for more controlled acceptance scope.

Previously, accepted risk scopes for a CVE, image, or host were either global or per individual asset.


Added support to apply image-based accepts for:

  • All versions of an image
  • Images in a specific registry and repo
  • Images that contain strings for customized subsets of the environment

For details, see Accept Risk.

June 12, 2023

Notification Formats Update 2

The notification format for the Slack and MS Teams notification channels was updated with the ability to choose either a brief or detailed version of the notification message. For newly created channels, the shortened version is the default. Users who currently have the detailed version can edit the channel and change their selection if desired.

For details, see Notification Channels

June 7, 2023

Runtime Events Dashboards

The technical preview of the Runtime Events Dashboards is now available in Sysdig Secure. The dashboards provide a summary view as well as a trend view of all events in your infrastructure. They highlight security hotspots, and the filtering capabilities allow you to focus on a specific part of the infrastructure.

This release makes the following dashboards available:

  • Events Overview
  • Kubernetes Events
  • Cloud Events
  • Host and Container Events

Only teams that are scoped to the entire infrastructure will see the dashboards.

For details, see Runtime Events Dashboards.

June 5, 2023

Posture: Standalone Install Available for Linux and Docker Hosts

While Helm is the recommended installation method for Kubernetes clusters, if you want to scan a host that is not running Kubernetes, we also offer a stand-alone analyzer for compliance violations on Linux hosts.

OOTB Policy Content Updates

We are happy to announce the update of the following out-of-the-box (OOTB) policies:

  • Center for Internet Security (CIS) Google Cloud Platform Foundation Benchmark v2.0.0 (latest)
  • CIS Microsoft Azure Benchmark v2.0.0 (latest)
  • ISO/IEC 27001:2022 (latest)
  • Lockheed Martin Cyber Kill Chain

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure Posture control library has been expanded to improve its Amazon Web Services (AWS) resources coverage. The control library now includes new controls for the following resource types:

  • Amazon Elastic Container Service (ECS)
    • ECS Cluster
    • ECS Service
    • ECS Fargate Service
    • ECS Fargate Task Definition
  • Amazon Elastic Kubernetes Service (EKS)
    • EKS Cluster
    • EKS Fargate Profile

See also: Compliance.

Sysdig Secure Coverage Improvement for GCP

Sysdig Secure has been expanded to improve its Google Cloud Platform (GCP) resources coverage adding a total of 229 new resource types for the following services:

  • AI and Machine Learning
    • Cloud Tensor Processing Units (TPUs)
    • Dialogflow
    • Document AI
    • Speech-to-Text
    • Vertex AI
  • API Management
    • API Gateway
    • Cloud Healthcare API
  • Compute
    • Compute Engine
  • Containers
    • Artifact Registry
    • Container Engine
    • Container Registry
    • Google Kubernetes Engine (GKE)
  • Data Analytics
    • BigQuery
    • Cloud Composer
    • Cloud Data Fusion
    • Dataflow
    • Dataplex
    • Dataproc
    • Pub/Sub
  • Databases
    • Cloud SQL
    • Cloud Bigtable
    • Cloud Spanner
    • Database Migration Service
    • Datastream
    • Firestore
    • Memorystore
  • Hybrid and Multicloud
    • Anthos
  • Management Tools
    • Deployment Manager
    • Google Cloud Billing API
    • Service Management API
  • Media and Gaming
    • Game Servers
    • Transcoder API
  • Networking
    • Cloud Domains
    • Cloud Intrusion Detection System (IDS)
    • Google Cloud Virtual Network
    • Network Connectivity
    • Network Management
    • Network Services
    • Service Directory
  • Operations
    • Cloud Logging
  • Security and Identity
    • Assured Workloads
    • BeyondCorp Enterprise
    • Certificate Authority Service
    • Cloud Data Loss Prevention
    • Cloud Key Management Service (KMS)
    • Cloud Resource Manager
    • Secret Manager
  • Serverless Computing
    • App Engine
    • Cloud Functions
    • Cloud Run
    • Workflows
  • Storage
    • Filestore
  • Additional Google Products
    • Eventarc
    • Integration Connectors
    • Managed Service for Microsoft Active Directory (Managed Microsoft AD)
    • Organization Policy API

May 30, 2023

VM Registry Scanner 0.2.39 Supports .Net Packages and Centos OS

We are pleased to announce the release of our updated registry scanner 0.2.39 with chart 1.0.12 with the following features:

  • Allowing internal environment variable (ENV var) to allow pageSize setup on the Artifactory client (v0.2.39)
  • Registry scanning library bump, to add vulnerability management support for .Net packages and Centos OS (v0.2.38)

Be aware that by incorporating this new source, you may discover previously unidentified vulnerabilities in assets that have already been scanned.

CLI Scanner v1.4.0 Released

Sysdig released the new version of cli-scanner. The command-line interface (CLI) Scanner v1.4.0 introduces the following:

  • Pipeline results shown in the Vulnerability Management Overview page.
  • Beta support for the Scan result in JSON format through the --json-scan-result=path/to/scanresult.json flag.

May 23, 2023

Sysdig has released the Vulnerability Management Landing Page. This page helps users to see trends, priorities, and top action items on the vulnerability risks in their environment.

Vulnerability Managers gain insight into vulnerability changes and trends (Risk Posture), the latest and most pervasive CVEs and which infrastructure segments are most vulnerable.

Program Mangers gain clearer insight into the implications of these findings for policy.

Architects gain easy access to data regarding scan counts and adoption rates.

The Vulnerability Management team, as a whole, gains an easy place to start to prioritizing and managing vulnerabilities at a program level.

Additional Notes:

  • All widgets enable a workflow to take action or export data to the user’s native information security tool ecosystem.
  • Coming soon: addition of zones, native integration to ticketing, and more sophisticated prioritization through Image Genealogy.

For details, see Vulnerability Management Overview.

May 18, 2023

Legacy Inline Scanner v 2.4.23 Released


  • Updated anchore to 0.8.1-59 (May 2023)


Vulnerability fixes for the following CVEs:

May 16, 2023

Accepted Risks Management for Posture Added (Preview)

A dedicated Accepted Risk page has been added under the Policies UI in Sysdig Secure, with the following features:

  • A new Posture Tab with the list of accepted Posture/Compliance violations (in addition to the Vulnerabilities accepted risks tab)
  • The ability to search for risks that were accepted and to filter by various parameters
  • The ability to review a specific acceptance, revoke or edit it

This feature is in Technical Preview status.

For details, see the Risk page.

May 15, 2023

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure Posture control library has been expanded to improve its AWS resources coverage. The control library now includes new controls for the following services:

  • Account
  • AWS CloudFormation
  • Amazon CloudFront
  • AWS CodeBuild
  • Amazon Elastic Compute Cloud (EC2) Auto Scaling
  • Amazon Elastic Container Service (ECS)
  • Amazon Elastic Load Balancer (ELB)
  • Amazon ElastiCache
  • Amazon Elasticsearch Service
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service (KMS)
  • AWS Lambda
  • Amazon OpenSearch Service
  • Amazon RDS
  • Amazon Redshift
  • AWS Secrets Manager
  • Amazon Simple Notification Service (SNS)

See also: Compliance.

May 11, 2023

Inventory Now Supports Git Integrations

Infrasture as code (IaC) resources, supported by our Git-integrated scanner, are now available in Sysdig Secure’s Inventory. This allows you to:

  • Easily differentiate your code from your deployed resources with our updated resource cards.

  • Search and filter for IaC resources using attributes like Resource Origin, Source Type, Location, Git Integration and Repository.

  • Access a 360-view of each code resource, which includes:

    • resource metadata
    • configuration details
    • posture violations that can be remediated with automated workflows

Query the Secure API to get a list of multiple IaC resources or retrieve a single one.

May 8, 2023

OOTB Policy Content Updates

We are happy to announce the update of the following policies:

  • Center for Internet Security (CIS) Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0 (latest)
  • CIS Azure Kubernetes Service (AKS) Benchmark v1.3.0 (latest)
  • CIS Docker Benchmark v1.5.0 (latest)
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0 (latest)

Registry Scanner 0.2.32 Update Available


  • Added support for http protocol registries
  • Changed to honor maxRepositoriesPerRegistry on aws.org

In chart 1.0.5

May 3, 2023

Vulnerability Management Rules Improvement

Updated Sysdig Secure’s default set of rules for vulnerability management, Severe vulnerabilities with a Fix. The necessary condition “has a fix” was previously missing from one of these rules, which might have impacted the accuracy of identified policy violations. This issue has now been corrected.

Please note that as a result of this improvement, some vulnerabilities previously marked as policy violations may no longer be considered as such.

Groups Page added to CIEM

The newly added Groups page provides numerous ways to sort, filter, and rank the detected group information to quickly remediate identity risks associated with the group’s users and policies.

Least Permissive Policy Suggestions for a group takes into account all of the group’s attached user’s activity within the scope of all attached policies. Utilizing Sysdig’s Optimized Policy Suggestion can enable you to create one policy for the group that is Least Permissive.

For details, see Groups.

Notification Formats Updated

The notification format for the Slack and Microsoft Teams notification channels has been simplified for ease of use. The notifications now contain just the rule, policy name and context information about where the event took place. When available, a Runbook Link and Action Taken are displayed. Click the link to reach the event with full details in the Sysdig UI.

For details, see Notification Channels.

May 2, 2023

Threat Detection Policy and Rule Pages Show Update Badge

Badges are now displayed on the Runtime Policies and Rule Library pages to indicate that a rule has been added or updated in the past 7 days. This includes updates performed by Sysdig’s threat research team as well as customization added by users, for example, when specifying exception values.

See also: Threat Detection Policies and Manage Rules.

April 28, 2023

Legacy Inline Scanner v 2.4.22 Released


  • Updated anchore to 0.8.1-58 (April 2023)


Vulnerability fixes for the following CVEs:

April 25, 2023

Cloud Account Compute Resource Shown in Subscription

The Subscription page now includes Compute Resources information to allow tracking of Enterprise Cloud Security usage.

See also: Subscriptions.

April 21, 2023

VM Runtime Scanner v1.4.10, Host Scanner v0.3.9, CLI Scanner v1.3.8

We are pleased to announce the release of three updated versions of our scanning tools:

  • VM Runtime Scanner v1.4.10
  • Host Scanner v0.3.9
  • CLI Scanner v1.3.8

Apart from the usual bug fixing and updates, the most significant improvement in this release is the expanded support for detecting and scanning .NET packages:

  • While we previously could parse packages.lock.json files, we have now added the capability to parse .deps.json files.
  • This enhancement will enable us to identify broader vulnerabilities within the .NET ecosystem.

Please be aware that by incorporating this new source, you may discover previously unidentified vulnerabilities in assets that have already been scanned.

April 19, 2023

Container Registry Scanning

The Image Registry Scanning functionality is now generally available as part of our Vulnerability Management suite.

This feature provides an added layer of security between the pipeline and runtime stages, allowing you to gain complete visibility into potential vulnerabilities before deploying to production.

Supported Vendors

  • AWS Elastic Container Registry (ECR) - Single Registry and Organizational
  • JFrog Artifactory - SaaS and On-Premises
  • Azure Container Registry (ACR) - Single Registry
  • IBM Container Registry (ICR)
  • Quay.io - SaaS
  • Harbor

Once the container registry is instrumented and analyzed, you can generate registry reports to extract, forward, and post-process the vulnerability information.

For more information, see Registry Scanning and Reports.

Interested in trying it out live? Sysdig offers a hands-on training lab to launch directly from your web browser.

April 5, 2023

Cli-Scanner 1.3.7 Released


Fixed a parsing error that caused RedHat modules to be incorrectly matched when scanned.

See Running the CLI Scanner for details on downloading and running the cli-scanner.

March 23, 2023

Risk Scores Explanations Enhanced in CIEM

Understand a breakdown of your Cloud Infrastructure Entitlement Management (CIEM) Risk Scores with Overview explanations.

Within the Posture tab, you’ll find different Identity and Access resources with Risk Scores. Select an entity from the list in the table and a drawer appears providing a detailed breakdown of the entity’s risk score, including the specific attributes and permissions that have contributed to it.

Learn more about how risk scores are calculated.

Support for CIS Critical Security Controls v8

The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 (latest) has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update, which supports enterprises as they move to both fully cloud and hybrid environments.

This policy, with 1,316 controls classified into 18 requirement groups, is now available as part of Sysdig’s posture offering.

Support for OWASP Kubernetes Top Ten

The OWASP Kubernetes Top Ten is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks. This policy, containing 344 controls classified into 10 requirements, is now available in Secure.

More information about this policy can be found in OWASP Kubernetes Top 10.

Updated CIS Amazon Web Services Foundations Benchmark to v1.5.0 (latest)

Updated the existing CIS Amazon Web Services Foundations Benchmark policy to its latest version at the time (v1.5.0). This new version include a new resource type, Elastic File System (EFS), for greater coverage, as well as new controls for the Amazon EFS and Amazon Relational Database Service (RDS) services. The total number of controls in this new update has raised up to 79.

March 22, 2023

Git Scope for Zones

We have extended the flexibility of Zones for Posture to also support Git integrations and IaC (Infrastructure as Code) scanning.

With the introduction of Git scope for zones, users can include the new Git scope types as part of the zone definition and configure the policies that apply for that zone.

Note: Git sources have a new user-defined name field. Existing Git sources will automatically get a name like “Source 1”, “Source 2”, or the like.

For more information see the Zones and IaC Security documentation.

Helm Chart 1.5.80+ and Cli-Scanner 1.3.6 Released


  • RELEASE suffix in Java packages leading to false negatives resolved

    Specific Java packages containing a .RELEASE suffix were not correctly matched against their existing vulnerabilities, for example:


    was not correctly parsed and matched against the relevant vulnerabilities. This case is particularly common for spring-boot libraries.

    This fix will remove false negatives, thus uncovering real vulnerabilities that were present in those packages but not previously listed

This could lead to an increase in the number of vulnerabilities and policy violations.


  • Display full path for jar-in-jar libraries

    When a jar library is found inside another jar container, Sysdig will now display the absolute and relative path inside the jar, using the colon as separator:

    Before: /SpringHelloWorld-0.0.1.jar 
    After: /SpringHelloWorld-0.0.1.jar:BOOT-INF/lib/spring-core-5.3.16.jar

See Running the CLI Scanner for details on downloading and running the cli-scanner.

March 14, 2023

Legacy Inline Scanner v 2.4.21 Released


  • Updated anchore to 0.8.1-57 (March 2023)
  • Added support for OpenContainers Image (OCI) manifest list: parse and scan images built with attestation storage


Vulnerability fixes for the following high-severity CVEs:

March 9, 2023

Inventory Released as Tech Preview

Inventory has been made generally available as a new-top level menu item.

With this feature you can:

  • Search and filter for resources based on a growing list of attributes such as Labels, Zones, and Posture information (policy, requirement, control, accepted risk, control severity).

  • Access a 360-view of each resource, which includes its posture violations, metadata, and configuration details.

  • Review resources’ posture violations and remediate them by opening a Pull Request or manually applying a patch.

  • Query the Secure API to get a list of multiple resources or retrieve a single one.

    (For API doc links for additional regions, or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.)

Inventory is a SaaS-only feature of Sysdig Secure.

For details, see Inventory.

March 6, 2023

CLI Scanner 1.3.4 Released

Released version 1.3.4 version of the cli-scanner.

March 8, 2023

KSPM policy for CIS Kubernetes V1.24 Benchmark released

A new Posture policy has been released following the CIS Kubernetes V1.24 Benchmark. This policy provides prescriptive guidance for establishing a secure configuration posture for Kubernetes 1.24 and includes 13 new controls.

March 1, 2023

Improved Search of Posture Controls

Our 1,000 Posture Controls are now easier to find, by their Name, Description, Severity, Type and Target platform or distribution, anywhere you are looking for them:

  • Filter for controls in the Control library
  • Filter in the Policies library, including while editing your custom policy

We also added enhanced visibility of control targets by showing the supported platform and distributions on each control.

For more information, see Posture Controls.

Support for OCP, IKS and MKE

We have added Posture support for new Kubernetes distributions:

  • Support for Red Hat OpenShift Container Platform 4 (OCP4):

    • CIS Red Hat OpenShift Container Platform Benchmark policy.
  • Support for IBM Cloud Kubernetes Service (IKS):

    • Sysdig IKS Benchmark policy.
  • Support for Mirantis Kubernetes Engine (MKE):

    • Sysdig MKE Benchmark policy.

February 28, 2023

New Page for Privacy Settings

A new Privacy Settings page has been added under Administration Settings.

February 27, 2023

New Filter and Grouping for Threat Detection Policies

This release enhances the Threat Detection policies by showing the policies in a grouped manner and adding the ability to filter policies by type.

Additionally, badges on the list now alert you when rules have been added or updated in managed policies.

February 17, 2023

Posture Now Supports Red Hat OpenShift Container Platform (OCP4)

Added support for the OpenShift platform. The CIS Red Hat OpenShift Container Platform Benchmark policy is now available, with 181 controls (145 of which are exclusive to OpenShift), using a new Cluster resource type which is of paramount importance in OCP4 due to the nature of the platform.

February 16, 2023

View Insights Grouped by User

The Insights vizualization now permits viewing events grouped by user, greatly improving the ability to spot outliers. You can also see all events from a particular user in reverse chronological order. See Group by User | Rule for details.

February 14, 2023

New Filter and Grouping for Rules Library

This release enhances the Threat Detection rules library by showing the rules in a grouped manner and adding the ability to view only custom rules.

February 2, 2023

VM Reports Now Include Risk Spotlight (In Use) and Accepted Risks

Added Risk Spotlight (In Use) and Accepted Risks to VM Reporting as both an additional metadata column and a configurable filter.

Every matching vulnerability will have these two new additional columns, as well as the matching true/false filters.

January 25, 2023

CLI Scanner 1.3.3 and Jenkins Plugin 2.2.7 Released

Sysdig has released version 1.3.3 version of the cli-scanner and 2.2.7 version of the Jenkins Plugin.

Scanner Update:

  • Bug fixes, some of which were impacting policy evaluations.

Plugin Update:

  • Updates to the scanner
  • Adjustments to the string representation of some policy rules in the report section
  • Several bug fixes, including one that caused the build to fail when it shouldn’t

Non-Containerized Install Available for Host Scanning

While Helm is the recommended installation method, if you want to scan a host without using containers at all, we also offer a standalone binary and an RPM package. To review methods, see Host Scanning.

Liveness and Readiness Probes Added to Helm Chart

Starting from sysdig-deploy Helm chart version 1.5.34, we have added livenessProbe and readinessProbe, which check for vulnerability runtime scanner component health, in agreement with the Kubernetes monitoring and scheduling practice.

Be aware, this requires having a vuln-runtime-scanner version of at least v1.4.4.

January 2023

Inventory Released as Controlled Availability

Sysdig Secure now offers an Inventory, so you can gain visibility into resources across your cloud (GCP, Azure, and AWS) and Kubernetes environments. With this feature you can:

  • Search and filter for resources based on their metadata
  • Get a high-level overview of resources’ compliance violations
  • Access a 360-view of each resource, starting with its configuration details and facilitated by the unification of Sysdig’s data
  • View and share resources’ configurations

January 19, 2023

CLI Scanner v1.3.2 Released

Released a new version of cli-scanner. CLI Scanner v1.3.2 introduces a new configuration parameter, --override-pullstring, that allows you to specify a custom image name to be displayed on the Sysdig Secure UI. For more information, see Install Vulnerability CLI Scanner.

Host Scanning Enhancements and General Availability

Vulnerability management for Hosts has received several upgrades and is now generally available.

Newly supported Host OSes

  • Alibaba Cloud Linux (also know as Aliyun Linux)
  • Google Container-Optimized OS (COS), build 89+

See all supported Host OSes.

Host Vulnerability Reporting

It is now possible to create scheduled vulnerability reports targeting the Hosts which are scanned with the Sysdig product.

From the Reports function in Sysdig Secure, select if you want to target the Runtime Workloads or Runtime Host.

Note that scope labels and report columns will follow the Host Scanning metadata, as in HostName or Cloud Provider Region.

January 17, 2023

CSPM Compliance GA Released

Sysdig is pleased to announce the general availability (GA) release of the new CSPM Compliance module. This feature helps you prioritise compliance results on your most important environments and applications.

New features:

  • A compliance page ordered by your zones.
  • CSPM Zones Management
    • A default Entire Infrastructure zone is created for each customer
    • Create your own zone:
      • Define scopes for the resources you want to evaluate
      • Apply a policy to your zone to add it to the compliance page
  • Over 40 new Risk and Compliance Policies included

To get to know our path from detection to remediation, risk acceptance, zones management, installation and migration guidelines, please review the documentation.

The new compliance module is not available for IBM Cloud and OnPrem users. They should continue taking advantage of Unified Compliance.

January 5, 2023

IaC Scanning now Supports Terraform AWS

Added support for Terraform resources from the AWS Provider. If you have implemented Git IaC Scanning, then pull-request checks will now scan AWS resources and report any violations of the CIS AWS Foundations Benchmark.

The list of supported resource and source types is now:

  • Kubernetes workloads in YAML manifests
  • Kubernetes workloads in Kustomize
  • Kubernetes workloads in Helm charts
  • Kubernetes workloads in Terraform
  • AWS cloud resources in Terraform

Other changes in the release include improved Kubernetes resources scanning in Terraform to support additional use cases.

For more information, see Git Integrations.