Configure Vulnerability Management for GCP

After you connect your Google Cloud Platform (GCP) environment to Sysdig, you can configure Vulnerability Management (VM) Host Scanning. This feature scans hosts for vulnerabilities using disk snapshots, providing highly accurate views of vulnerability risk, access to public exploits, and risk management. Vulnerability Host Scanning relies on the following GCP feature:
  • Snapshot: Shares disks with Sysdig.

Sysdig released a new onboarding experience for GCP in October 2024. If you onboarded your GCP organization or project before October 2024 and want to add more features, contact your Sysdig representative.

To configure Vulnerability Management, set up volume access.

Prerequisites

Volume Access Installation Steps

Use the following steps to set up volume access for Vulnerability Host Scanning for your GCP instances.

  1. Log in to Sysdig Secure and select Integrations > Cloud Accounts > GCP.
  2. Select a project that is part of the organization you want to add features to, or the individual account you onboarded. The right panel lists the available features.
  3. Click Setup beside the desired feature to open the wizard.
  4. Ensure you have the necessary permissions configured, as described in the initial setup.
  5. Exclude or include resources from Vulnerability Scanning (see Exclude and Include Resources from Vulnerability Scanning below).
  6. Verify the details of your organization and the project where the features will be added.
  7. Generate and apply the Terraform code:
     1. Create a volume_access.tf file in the folder that contains your main.tf.
     2. Copy the snippet provided into the volume_access.tf file.
     3. Run terraform init && terraform apply.

Exclude and Include Resources from Vulnerability Scanning

When you connect a GCP project with Vulnerability Host Scanning, by default all Compute Instances with root volumes in the project are included in the scan.

You can exclude specific Compute Instances from being scanned using labels.

Exclude Instances

To exclude certain Compute Instances from being scanned, assign the specific labels described below to them in the GCP Console or through the GCP APIs.

Set these labels before initiating the scanning process. If you add labels after onboarding, the exclusion will only take effect in subsequent scans.

Include Data Volumes in Scans

By default, only root volumes of Compute Instances are scanned.

To also include data volumes in scans, use the specific labels described below.

Tagging Semantics

You can apply the following labels at the volume or Compute Instance level. Labels can be added at any time, for example to exclude a resource that is currently scanned or to include one that is not.

Keys: sysdig-secure-scan, sysdig-secure-data-volumes-scan

Values: true, false

Usage Examples

  • "sysdig-secure-scan": "false" on a Compute Instance excludes the instance and all its volumes from scanning.
  • "sysdig-secure-scan": "true" on a data volume of a Compute Instance includes that volume in scanning.
  • "sysdig-secure-data-volumes-scan": "true" on a Compute Instance has the same effect as applying the "sysdig-secure-scan": "true" label to all its data volumes.

The following labels are redundant; using them has the same effect as not using them, either because Sysdig scans the resource by default or because the value is overridden by a label at a higher level (such as the Compute Instance).

  • "sysdig-secure-scan": "true" on a Compute Instance.
  • "sysdig-secure-scan": "true" on the root volume of a Compute Instance.
  • "sysdig-secure-scan": "false" on any data volume of a Compute Instance.
  • "sysdig-secure-scan": "false" on the root volume of a Compute Instance. The root volume is always scanned as part of the Compute Instance scan.
  • "sysdig-secure-data-volumes-scan": "false" on a Compute Instance.
  • "sysdig-secure-data-volumes-scan": "false" on any data volume of a Compute Instance.
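The precedence rules above are easy to get wrong when several labels are combined. The following Python model is an added illustration of the documented semantics (not Sysdig's own code); the Volume and Instance types and the label dictionaries are assumptions made for the example. volumes_to_scan() returns which volumes of an instance will be snapshotted, and redundant_labels() flags the labels that the rules ignore.

```python
from dataclasses import dataclass, field

# Added illustration of the documented label rules, not Sysdig's own code.
SCAN_KEY = "sysdig-secure-scan"
DATA_KEY = "sysdig-secure-data-volumes-scan"

@dataclass
class Volume:
    name: str
    is_root: bool
    labels: dict = field(default_factory=dict)

@dataclass
class Instance:
    name: str
    labels: dict = field(default_factory=dict)
    volumes: list = field(default_factory=list)

def _val(labels: dict, key: str) -> str:
    # GCP label values are strings; anything other than "true"/"false" is ignored here
    return labels.get(key, "").strip().lower()

def volumes_to_scan(inst: Instance) -> list[str]:
    """Names of the volumes Host Scanning will snapshot for this instance."""
    if _val(inst.labels, SCAN_KEY) == "false":
        return []  # the instance and every attached volume are excluded
    all_data = _val(inst.labels, DATA_KEY) == "true"
    scanned = []
    for vol in inst.volumes:
        if vol.is_root:
            scanned.append(vol.name)  # root volumes are always part of the instance scan
        elif all_data or _val(vol.labels, SCAN_KEY) == "true":
            # data volumes need an opt-in at the volume or instance level;
            # "false" on the volume does not override the instance-level opt-in
            scanned.append(vol.name)
    return scanned

def redundant_labels(inst: Instance) -> list[str]:
    """Labels that change nothing under the rules above, so they can be cleaned up."""
    notes = []
    if _val(inst.labels, SCAN_KEY) == "true":
        notes.append(f"{inst.name}: {SCAN_KEY}=true (instances are scanned by default)")
    if _val(inst.labels, DATA_KEY) == "false":
        notes.append(f"{inst.name}: {DATA_KEY}=false (data volumes are skipped by default)")
    for vol in inst.volumes:
        if vol.is_root and SCAN_KEY in vol.labels:
            notes.append(f"{vol.name}: {SCAN_KEY} on a root volume has no effect")
        elif not vol.is_root and "false" in (_val(vol.labels, SCAN_KEY), _val(vol.labels, DATA_KEY)):
            notes.append(f"{vol.name}: 'false' on a data volume is already the default")
    return notes
```

Feed it the labels exported from your project (for example from the Compute API) to preview the scan scope before the next scan runs.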

Validate

You can verify your Vulnerability Management configuration by checking your connection status:

  1. Log in to Sysdig Secure and select Integrations > Cloud Accounts > GCP.
  2. Select your account. The Detail panel appears on the right.

The feature appears as Connected. This can take up to 5 minutes after the Terraform is deployed.

Complete the Sysdig Onboarding Wizard

When all the enablement steps in the GCP console are complete, return to the Sysdig wizard and click Complete.

Validate

Log in to Sysdig Secure and check that each module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.