2021 Archive

2021 Archive of Sysdig On-Premises release notes.

Release 5.0.2 Hotfix December 2021

Upgrade Process

Supported Upgrades From: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0.0, 5.0.1

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

  • Fixed a version-comparison bug in RedHat rpm packages.
  • Enabled a retention manager for Secure-only on-prem installations to handle data retention.

Release 5.0.1 Hotfix November 2021

Upgrade Process

Supported Upgrades From: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0.0

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

  • Fixed missing field “Last Evaluation Date” in the scanning policy evaluation results and Scheduled Reports
  • Kubernetes environment / labels are no longer mandatory to generate a scanning Scheduled Report
  • Fixed CVSS filters in scanning Scheduled Reports
  • Fixed an issue in scanning Scheduled Reports when scanning Red Hat images that caused related Red-Hat advisories (RHSA) to not be displayed
  • Fixed priority sorting for ‘Unknown’ severity vulnerabilities that are now considered less severe than ‘Negligible’ in scanning Scheduled Reports

Release 4.0.5 Hotfix October 28, 2021

Upgrade Process

Supported Upgrades From: 3.6.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

  • Fixed Scheduled Reports not displaying last evaluation date field
  • Fixed an issue in 4.0.x Scheduled Reports when scanning Red Hat images, causing vulnerabilities missing related Red-Hat advisory (RHSA) to not be displayed

Release 4.0.4 Hotfix September 29, 2021

Upgrade Process

Supported Upgrades From: 3.6.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install instructions.

Defect Fixes

  • Fixed a timeout issue for policy advisor and scanning database init containers occuring in some environments
  • Fixed a certificate handling issue at network security component

Release 5.0 September 7, 2021

Known limitations

Upgrade Process

**Supported Upgrades From: **4.0.x

For the full supportability matrix, see the Release Notes on Github. There you will also find important Install and Upgrade instructions.

Sysdig Platform

Define S3 Bucket Path for Storing Captures

Sysdig Platform users can now define a custom path in the S3 bucket they are using for storing captures. This is useful to those who want to reuse a certain bucket used for other purposes or send captures from different installations to the same S3 bucket. For more information, see (On-Prem) Configure Custom S3 Endpoint.(On-Prem) Configure Custom S3 Endpoint

Webhook Channel Enhancements

Sysdig supports the following on a Webhook channel integration:

  • Insecure connections: You now have the ability to skip the TLS verification.

  • Custom headers: If your Webhook integrations require additional headers or data you can append to the alert format by using a custom header on the UI. This option is in addition to the existing API facility to add custom headers programmatically.

S3-Compatible Storage for Capture Files

Configuring S3-compatible storage, such as Minio or IBM Cloud Object Storage, for your Sysdig captures is now supported on Sysdig Monitor. The capability can be turned on by configuring the system appropriately, as given in (SaaS) Configure Custom S3 Storage Endpoint.

Microsoft Team Channel

You can now use Microsoft Team s as a notification channel in Sysdig Monitor. See Configure a Microsoft Teams Channel for more details.

Dark Mode

The dark appearance, known as Dark Mode, is available in Sysdig applications.

Sysdig can now automatically match your OS preferences. Available in Sysdig platform on-premises, or in SaaS in the US East and rolling out globally. For more information, see Configure Theme Preference.

Customized Session Expiration

Session expiration is the amount of time a user can remain idle before the session is automatically ended or expired. After the session expires, the user must log in to the Sysdig application again.

Sysdig now gives you the ability to make a shorter or longer idle session expiration for Sysdig applications. When a user browser is idle for a certain period of time, they will get automatically logged out. For more information, see Configure Customized Session Expiration.

Sysdig Monitor

Workload Label

Sysdig Monitor now supports two new labels, kubernetes.workload.name and kubernetes.workload.type which can be used for scoping Dashboards and configuring Gropings.

Earlier, each type of object (deployment, replicaset, statefulset, etc.) was unique, and in turn, you needed to use different types of Kubernetes Dashboards and a different Grouping resulting in n/a , where distinct types of Kubernetes objects are listed.

For more information, see Unified Workload Labels.

Silencing Alert Notifications

Sysdig Monitor allows you to silence alert notifications for a given scope for a predefined amount of time, and schedule silence in advance. When silenced, the alert will still be triggered and posted on the Events feed and in the graph overlays but will indicate it has been silenced. The types of notification channels you can use are Email, Slack, and Amazon SNS.

You will be notified 30 minutes before the start time and 30 minutes before the end time of a silence window. You will also be able to easily extend or end an active silence. To access the feature, navigate to Alerts > Silence on the Monitor UI.

For more information, see Silence Alert Notifications.

Sysdig Secure

Sysdig Secure for cloud

Sysdig Secure for cloud is available with Cloud Risk Insights for AWS, Cloud Security Posture Management based on Cloud Custodian for AWS and multi-cloud threat detection for AWS using Falco.

What’s Included in this release:

  • Insights: a powerful new visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment. With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.

  • Threat Detection based on AWS CloudTrail:To detect threats, anomalies and suspicious activities with the flexible Falco engine. See also: Sept 29, 2020.

  • Cloud Security Posture Management with AWS Benchmarks: The AWS CIS Benchmarks assessment evaluates your AWS services  against the benchmark requirements and  returns the results and remediation activities you need to fix misconfigurations in your cloud environment.

    We’ve included several UI improvements to provide additional details such as:  control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based.

  • Image Scanning for ECR and Fargate: one-click deployment– see also ECR April 13, 2020 and Fargate Sept. 28, 2020.

Falco Policy Tuner

Sysdig is now releasing a managed version of the standalone Falco Tuner.

Previously, you had to run the tuner in your local environment, print suggestions, and manually update a rule with those suggestions. The new feature runs in the background and automatically tunes noisy rules and false positives. To streamline the creation of these exceptions, we’ve created a new object within Falco called exceptions.

Note: To enable the tuner, Admin access rights to Sysdig Secure are required.

Feature Enhancement: Falco Exceptions

Previously, exceptions were created using and not conditions inside a Falco rule, e.g.

- rule: Write below binary dir
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities    

However, this process can be unwieldy and can result in unintended behavior. The new format, using exceptions, looks like this:

- rule: Write below binary dir
  condition: bin_dir and evt.dir = < and open_write
    - name: package_mgmt_procs
      fields: proc.name
      comps: in
      values: package_mgmt_binaries # list of known binaries

See the full documentation here.

Tunable Exclusions Available in Insights Details

We’ve added the ability to identify and add exceptions using the Policy Tuner in the Insights module. Now you can receive policy tuning recommendations directly within the Insights view, enhancing usability, ease, and refinement of results.

See also: Insights and Runtime Policy Tuning .

New Scan Results Page Layout

We have reorganized the visual layout of the Scan Results summaries to clearly distinguish policy evaluation from vulnerability matching and to better summarize the information.

Improvements include:

  • Vulnerabilities and Policies are now two different sections in the UI

  • Vulnerability match update time is displayed to further distinguish from the Policy Evaluation time

  • Policy breakdown is collapsed by default to reduce cognitive load

  • Re-evaluate policies button is now located in the impacted section only, as opposed to whole page

  • Apart from the vulnerability update time, the data remains unchanged from previous versions

See also: Review Scan Results.

New and Improved Host OS and Container Scanning Tools

We at Sysdig are working hard to improve your security posture and compliance experience. As part of this commitment we are implementing a new framework to generate host benchmark results, introducing host scanning, and making backend improvements to the image scanning mechanism.

Installation Steps

The new features require a new component to be installed called the Node Analyzer. We’ve provided an installation script to automate the installation or to upgrade an existing Node Image Analyzer daemonset, if applicable.

Once you’ve installed or updated the components, the UI will automatically show Host Scanning and new Benchmarks functionality can still be accessed.)

Host Scanning: New

In addition to Sysdig Secure’s rich array of tools for scanning container images, you can now scan the hosts as well.

  • Scan hosts for vulnerabilities, and detailed Software Bill of Materials (SBoM)

  • Support for OS (e.g. rpm) and non-OS (e.g. Java, Ruby, Python) packages

  • Compare and diff scan results

Host Benchmarks: Updated
  • More checks

  • Better results

  • Clustered aggregations - understand the posture of your environments, not just a single entity

Image Scanning: Updated
  • Automatically scan images if they have not been scanned

Kubernetes Network Security: New Configuration and Improved User Experience

Sysdig’s Kubernetes Network Policy tool has been updated to include additional fine-tuning configurations and an improved user experience.

Additional Configuration Panel
  • Workload Labels: Depending on your workload labelling policy, some labels may not be relevant for generating a KNP policy. Use the additional config to include/exclude a particular set of labels per cluster/namespace to declutter your UI and the resulting policy.

  • Unresolved IP Configuration: Now it is possible to label raw IPs that are not mapping to your Kubernetes/OpenShift entities, i.e. external cloud provider services, so these labels will be automatically applied to the topology and ingress / egress tables.

  • Cluster CIDR configuration: If the CIDR configuration is not automatically detected by the agent, you can now directly configure internal subnets per cluster using the Sysdig interface.

Improved UX
  • Topology map: Additional information pop-up when hovering over a network connection or a network node, such as server process, source, destination, and more.

  • Unresolved IP filtering: In the ingress and egress tables, by type or using free text search.

Additionally, Network is now presented as a top-level item in the Sysdig Secure navigation.

Activity Audit Improved

The Activity Audit user interface was enhanced as follows:

  • Activity Audit entry point moved under the Investigate menu

  • Trace feature, used for kube exec, is now also available for parent commands

  • The filter selector is also available in-line, with no need to open the detail view

  • Lateral Tree view removed and replaced with the Scope menu above, in alignment with the Event panel

Alert Notification Channel for Microsoft Teams

Microsoft Teams is now available as an Alert Notification Channel in Sysdig Secure for Runtime Policies. See also: Manage Policies

Internal Scanning Date Improvements

Scanning policies have improved the reliability of the Max days since creation and Max days since fix rule gate parameters. The information is now included in the inline-scan JSON report and available in the Jenkins plugin.

Reporting Improved with Multi-Select Option

Added the option to select multiple policies and multiple package types as part of a scheduled scanning report.

Release 4.0.3 August 27, 2021

This release is a hot-fix only release.

Upgrade Process

Supported Upgrades from: 3.6.2, 4.0.0, 4.0.1, 4.0.2

For Install/Upgrade instructions and the full supportability matrix, see the Github documentation.

Installation Instructions

Full installation instructions for Kubernetes environments: here.

Defect Fixes

Inline Scanning Fix for Sysdig Secure

Fixed an issue when scanning long Java manifest files that caused the scan to fail.

LDAP Improvements for Sysdig Platform

Fixed an issue with the LDAP sync Job running out of shared memory. The LDAP sync will no longer stop if it encounters an intermittent issue or error, but will allow the sync to complete.

4.0.2 June 29, 2021

This release is a hot-fix only release for Sysdig Secure features.

Upgrade Process

Supported Upgrades From: 3.6.2, 4.0.0, 4.0.1.

For Install/Upgrade instructions and the full supportability matrix, see the Github documentation.


CSV Runtime Reports

  • The runtime labels that were described in a single CSV column (JSON encoded) will now be represented using one column per label.

  • If the same vulnerability, same package, same image is found in several runtime contexts, the CSV will separate each runtime context in a separate row, instead of building a JSON array with several objects nested.

See also: Scheduled Reports.

Defect Fixes

Fixed Incorrect Fingerprinting Causing False Positives in Scanning

Fixed incorrect version detection for Apache Struts 2 packages leading to false positives.

Fixed Metadata Retrieval Issue in Scanning

Fixed incorrect metadata retrieval for corner cases when imageIDs are associated with several digests.

Improved Memory Usage

Reduced Redis memory consumed by scanning by optimizing the usage of the scanning API cache.

Fixed Subscription Alert Entries

Fixed scanning alerts triggers for images discovered via the Node Image Analyzer or Inline Scan container.

Readable Filenames for Scanning Reports

The scheduled scanning reports now generate report files named after the report name i.e. my-daily-critical-vulns-2021-05-04.zip

Release 4.0.1 May 05, 2021

This release is a hotfix-only release for Sysdig Secure features.

Upgrade Process

Supported Upgrades From: 3.6.2

For Install/Upgrade instructions and the full supportability matrix, see the Github documentation.


Improved RHEL Vulnerability Matching

The RedHat OVAL source feed interpretation and the matching algorithm have been improved to handle special RedHat packages versioning rules. This should effectively translate into fewer false positives and more accurate fix versions for RH-based packages.

Defect Fixes

Security Fix

A SQL injection vulnerability discovered in 4.0.0 has been fixed in 4.0.1.

Scan Results

The vulnerability list on the UI shows a different number of vulnerabilities as compared to the summary PDF report for the same image. This issue has been fixed as part of Improved RHEL Vulnerability Matching.

Secure Audit Reporting Errors

Secure Audit Reporting displayed intermittent errors for custom agent versions. Fixed the agent version parsing to correctly assess feature support.

Release 4.0.0 April 06, 2021

Upgrade Process

Supported Upgrades From: 3.6.2

For Install/Upgrade instructions and the full supportability matrix, see the Github documentation.

Migrating MySQL to PostgreSQL

For consolidation and to meet higher performance requirements, upgrading to v4.0.0 from v3.x.x involves migrating MySQL to the PostgreSQL database. The migration process is seamless and no user intervention is expected. For more information, see Migration Documentation on Github.

InstallationAdditional Docs
KubernetesREADMEReview the Upgrade and other files within the version-specific GitHub folder for additional information.
ReplicatedNot supported on 4.0.0


Deprecating “Scan Image” Reaction in Alerts

When setting up runtime alerts in previous versions, there was an option to trigger “scan image” when an unscanned image was detected. This has been deprecated in the UI in favor of the Node Image Analyzer, which is bundled by default with the Sysdig agent as an additional container per node.

See also: Manage Scanning Alerts.

Defect Fixes

Large SAML Metadata

An issue was detected in an earlier version where large SAML metadata could not be saved due to limits in the database field size. This issue is now fixed and Sysdig now supports large SAML metadata.

Single Sign-On for Monitor and Secure

When a user logs in to Sysdig products successively, a confusing error message related to SAML was displayed if:

  • If both Secure and Monitor have been configured with SSO.

  • The Create User on login feature has been turned on for both products.

This issue is fixed with this release.

When a user created in one product logs in to another, and if the Create user on login feature is turned on, no error message is thrown. The user is added to the appropriate team in the product and can log in to the other.

Sysdig Platform

Monitor UI Displays On-Prem License Information

The on-prem license information is now displayed on the Monitor UI. Additionally, users will be warned of imminent license expiration on the UI.

Changes to Auditing Sysdig Platform Activities

Due to the changes in the underlying database (PostgreSQL instead of MySQL), the existing Sysdig auditing data will be dropped when performing the upgrade from 3.x to 4.0 on-premise version. The audit data is not migrated due to the potentially large size of the table, which could prolong the upgrade process. The data remains available in the MySQL database. If you require the data, do the following:

  1. Before upgrading, dump the audit_events table from MySQL.

  2. When the upgrade is completed, import the data back to the new database if you desire.

    Contact your Sysdig contact for details on how to perform this operation.

Sysdig Monitor

Improved Alerts

The Alert interface has been improved to allow faster browsing and easier management. For more information, see Alerts.

Explore Workflow Enhancements

The Explore interface has been improved to allow faster troubleshooting.

You are now launched directly into the drill-down view when you navigate to Explore. You will still be able to group and navigate your infrastructure by using the hierarchical scope tree.

The new Grouping editor helps you create and manage your infrastructure groupings.

For more information, see Explore.

Visualizing Missing Data on Dashboards

Dashboards now show null or missing data values as gaps instead of zero. Optionally, missing data can be displayed as a dotted or solid line in both Form-based and PromQL panels. StatsD metrics will continue to show null values as zero unless overridden by the settings. For more information, see Display Missing Data.

Host Overview

To complement Sysdig Kubernetes Overviews, Hosts Overview has been released. Host Overview provides a unified view of the performance and health of physical hosts in your infrastructure.

Sysdig Secure

Serverless Agent Preview Feature

The 1.0.x serverless agent is supported as a preview feature with Sysdig Platform 4.0. Note that there is no guarantee of forward or backwards compatibility with this preview release.

Sysdig Serverless Agent 1.0.0 for Fargate ECS

The “container-as-a-service” serverless environment calls for new agent models, and Sysdig provides them. Whereas in ECS, users still manage the underlying instances, with AWS Fargate the host is never visible and users simply run their workloads. And while this model is convenient, it can introduce risk as many people leave the containers unattended, without monitoring security events within that can exfiltrate secrets, compromise business data, impact performance, and increase their AWS costs. In addition, it is not possible to install a standard agent in an environment where you do not have access to a host.

For these reasons, Sysdig has introduced a new “serverless agent” model that can be deployed in these container-based cloud environments. The first implementation is for Fargate (ECS).

Sysdig will be rolling out security features on the serverless agent over time. In v1.0.0, users will see:

  • Runtime Policies and Rules

  • Secure Events

To obtain secure event information and the associated Falco policies and rules in the Sysdig Secure UI from a Fargate environment, users install the serverless agent using a CloudFormation Template. Then log in to Sysdig Secure and review the events in the UI.

See also: AWS Fargate Serverless Agents and Serverless Agent Release Notes (for future updates).

Kubernetes-Native Network Security with Sysdig Secure (Beta)

A new feature has been added to Sysdig Secure for authoring and refining Kubernetes network policies (KNPs) that:

  • Automatically extracts the connection information, by observing the cluster networks and microservices communications

  • Offers a visual flow to fine-tune the Kubernetes network policies, incorporating the user’s adjustments

  • Automatically generates the KNP YAML to be applied, without requiring previous Kubernetes policy knowledge from the user.

As soon as the feature is enabled, the Sysdig agent starts collecting and processing application communications, which are then enriched using Kubernetes metadata and presented in two different ways:

  • Topology maps: a visual representation of the network flow between the Kubernetes entities (Services, Deployments, StatefulSets, DaemonSets, Jobs)

  • Ingress / Egress tables: for additional detail on each inbound/outbound communication and policy tuning.

Once the user has finished editing the desired policy, Sysdig will automatically compute the associated KNP YAML:

  • Enforcement is delegated to the Kubernetes control plane, favoring policy-as-code and avoiding direct tampering with cluster communications

  • Allow-only approach ensures that any communication which is not explicitly allowed by the policy will be forbidden


Sysdig agent version 10.7+

Supported Orchestrator Distributions and CNI Plugins:

  • Vanilla Kubernetes (kops, kube-admin) using Calico

  • OpenShift 4.x using OVS

  • Google GKE using Calico

  • Amazon EKS using Calico

  • Rancher Kubernetes using Calico

Please contact us to enable this feature for your Sysdig Secure accounts.

See also: Network Security Policy Tool.

Network Micro-Segmentation: Support for CronJobs, Weave, & Cilium CNIs

The Sysdig Network Security Policy Tool has been upgraded to add support for CronJob pod Owners.

With the addition of CronJob support, communication is aggregated to the CronJob (scheduler) level, rather than the Job. Therefore, when administrators review the activity in the Network Security Policy menu, they will see the higher-level CronJobs listed, and not an excess number of individual Job entries.

This update also adds support for Weave and Cilium CNIs on top of Calico support.

New Product: Rapid Response

Rapid Response is an Endpoint Detection and Response (EDR) solution built for cloud-native workloads, which gives security engineers the ability to respond to incidents directly via a remote shell. The shell uses the underlying host tooling already installed, such as kubectl, Docker commands, cloud CLIs, etc. Users can also mount their own scripts to use any familiar tooling.

Rapid Response requires a component installed on the host machine. This component provides end-to-end encrypted communication using a passphrase only your team knows. The Rapid Response feature is disabled by default and can only be accessed to teams that have the feature enabled. Admins can see all user activity, including access to audit logs, and can initiate a rapid response session. Advanced users can view only their own user activity, including their audit logs, and can initiate a rapid response session.

See also: Rapid Response: Installation and Rapid Response

Image Scanning Reports v3 [BETA]

The Image Scanning Reports feature has been thoroughly updated and has moved from a synchronous model to an asynchronous mode, in which you schedule the reports you need and then receive them through your normal notification channels (email, Slack, webhook.). The new version also includes:

  • A preview function to check report structure in the UI

  • A more advanced query builder

  • Extended set of data columns (i.e. CVSS base score and vector) and extended set of available filters (i.e. package type)

Reporting v3 supports two different types or reports:

  • Vulnerability report: Containing vulnerability, package and image data

    I.e. Vulnerabilities in my runtime with Severity ≥ High, a Fix available and not included in a vuln exception list.

  • Policy report: Containing scanning policies and evaluated images data

    I.e. Images in my internal registry failing the “NIST” scanning policy.

You need to enable this feature from the Sysdig Labs setting on the User Profile page.

See Scheduled Reports for more detail.

UI-Based Admission Controller Released

Kubernetes’ admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.

Sysdig’s Admission Controller (UI-based) builds upon Kubernetes and enhances the capacity of the image scanner to check images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., elevating the scan policies from detection to actual prevention. Container images that do not fulfill the configured admission policies will be rejected from the cluster before being assigned to a node and allowed to run.

See also: Admission Controller.

Main Features
  • Granular admission policies: Defining a global policy per cluster, but also at the level of particular namespaces or image paths (i.e. registries) Registry and repository whitelist

  • Only allow images that pass the scanning evaluation criteria

  • Only allow images that have been evaluated recently

  • Only allow images that have been scanned before creation is requested to Kubernetes

  • Registry and repository whitelist

  • Scan unscanned requested images immediately (optional)

CIS AWS Cloud Benchmark Released

A new cloud compliance standard has been added to the Sysdig compliance feature -  CIS AWS Benchmark. This assessment is based on an  open-source engine - Cloud Custodian - and is an initial release of Sysdig Cloud Security Posture Management (CSPM) engine. This first Sysdig cloud compliance standard will be followed by additional security compliance and regulatory standards for GCP, IBM Cloud and Azure.

The CIS AWS Benchmarks assessment evaluates your AWS services  against the benchmark requirements and  returns the results and remediation activities you need to fix misconfigurations in your cloud environment. We’ve also included several UI improvements to provide additional details such as:  control descriptions, affected resources, failing assets, and guided remediation steps, both manual and CLI-based when available.

New Runtime Policy Events JSON Format

The JSON format for the runtime policy events has been upgraded to include full scope information, rule labels, and a single-line representation for the event field’s keys and values.

To preserve backwards compatibility with existing integrations, the former JSON format is still available (and used by default on migration).

From the Event Forwarder page, under “Data to Send,” the old JSON format is labeled “Policy Events (Legacy)” and the new one as “Runtime Policy Events.”

See also: Event Forwarding.

Scan Results List Updated

The UI for the list of scanned images has been updated to include several functionality and design improvements:

  • Status column (Passed or Failed) is now filterable

  • Image Origin (Inline Scanner, Node image analyzer, etc.) is now visible, filterable, and has multi-select option

  • Image registry is now visible on the table

  • Ability to sort by date-added (default) or image name

  • Flexible free-text search: filter by registry/repo:tag, repo:tag, repo, etc.

See also: Review Scan Results.

Improved UI for New Users

We have added introductory splash screens throughout the product to help you get started when using a feature for the first time.

UI Improvement on Rules Library and Rule Details

Usability improvement so you can see in which policies a rule is used, from both the Rules Library list and the Rule Detail view. See Manage Rules for details.

Deprecation Notice: Legacy Commands Audit & Legacy Policy events

  • The “Commands Audit” feature was deprecated in favor of Activity Audit in November 2019. This feature will be completely removed from the On-prem distribution in version 4.1.

    Sysdig agent version 9.5.0+, released in January 2020, is required by the Activity Audit feature.

  • The “Policy Events” feature was deprecated in favor of the new Events feed in June 2020. This feature will be completely removed from the On-prem distribution in version 4.1.

    Sysdig agent version 10.3.0+ is recommended.

Windows Scanning Released

A beta version of the Windows Scanning Inspector has been released. This is a new feature from Sysdig for scanning Windows containers.

This is a standalone scanning engine. There is no centralized UI, management, or historical data. These features are planned for a future release.

See also: Windows Container Image Scanning [BETA].

  • Identify Windows container image vulnerabilities from:

    • Windows OS CVEs
  • Windows or Linux hosts

  • Reports in JSON and PDF

  • Policy support

    • Severity

    • Fix available

    • Days since fixed

Malware Detection during Inline Image Analysis

As part of the inline scanner version 2.3.1 release, malware scanning was added as a configurable detection that can be performed during inline analysis.

The default behavior if this feature is enabled and malware is found is to consider the scanning failed, report malware details, and abort analysis:

See Perform Inline Malware Scanning for recommended parameters and output options.