Run Sysdig CLI Scanner in IaC Mode

Running Sysdig Command Line Interface (CLI) Scanner in Infrastructure-as-Code (IaC) mode allows scanning IaC resources in a local directories or as part of continuous integration and continuous deployment (CI/CD) cycle and report risks and compliance posture.

Prerequisites

To include sysdig-cli-scanner in your IaC pipeline, run the sysdig-cli-scanner command.

  • Make sure the sysdig-cli-scanner binary is available as part of worker or runner where the pipeline is executing.

  • Define a secret containing the API Token and make it available in the pipeline using a SECURE_API_TOKEN environment variable.

  • Ensure that you have the Role-Based Access Control (RBAC) CLI execution permission for the CLI IaC Scanner.

Parameters

Basic usage of the sysdig-cli-scanner:

sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Mandatory Parameters

OptionDescription
--iacThe first parameter of sysdig-cli-scanner must be --iac to enable the IaC scanning functionality.
SECURE_API_TOKENProvide the API token as environment variable SECURE_API_TOKEN . You can retrieve this from Settings > User Profile in Sysdig Secure.
--apiurl=<endpoint>Sysdig Secure Endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI.

Usage

sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Replace <PathsToScan> with the path to the directory containing the source code to scan. It can be an absolute or a relative path.

If is omitted, the path defaults to current directory, ./ .

For example:

SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --iac -r -f H --apiurl <sysdig-api-url> /home/user/a-git-repository /home/user/another-git-repository

Additional Parameters

To display a list of all available command line parameters:

  -h, --help                    Show this help message

Example output:

Usage:
      sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>

Common Options:
  -a, --apiurl string                Secure API base URL
      --console-log                  Force logs to console, mutually exclusive with --logfile
  -o, --logfile string               File destination for logs, mutually exclusive with --console-log
  -l, --loglevel string              Log level [trace|debug|info|warn|err|fatal|panic|disabled] (default "info")
      --output-json string           Output path of the scan result report in json format
  -s, --skiptlsverify                Skip TLS certificate verification

Help Options:
  -h, --help                         Show this help message

IaC Scan Options:
      --list-unsupported-resources   Toggle output of detailed list of unsupported resources
  -r, --recursive                    Scan folders for manifests recursively
  -f, --severity-threshold string    The minimum severity that will fail a scan [low|l|medium|m|high|h|never|n] (default "h")
      --version                      Show the version and exit

Exit codes:
  0: Scan evaluation "pass"
  1: Scan evaluation "fail"
  2: Invalid parameters
  3: Internal error

CLI Scanner Exit Codes

Access the container exit codes with -h

The codes are:

  • 0 : Scan success. No findings or all findings are below the fail threshold

  • 1 :Scan failed. One or more findings are equal or above the fail threshold.

  • 2 : Incorrect parameters. Implies no API token is given.

  • 3 : Other execution errors.

Sample Result in Terminal

You can view scan results in the terminal window :

$ sysdig-cli-scanner --iac -r -f H --apiurl=https://us2.app.sysdig.com /home/user/a-git-repository /home/user/another-git-repository

Summary
β€”------
Detected 1 modules/manifests in 1 folders
2 resources scrapped
3 unsupported resources (use –list-unsupported-resources for details)

Findings:
 πŸ”΄ 13 High
 🟠 17 Medium
 🟑 18 Low

Errors
------
 - /.github/workflows/approve-test-run.yaml: Object 'Kind' is missing in '{"jobs":{"approve-test-run":{"if":"${{ github.event.issue.pull_request }}","permissions":{"pull-requests":"write"},"runs-on":"ubuntu-latest","steps":[{"name":"Slash Command Dispatch","uses":"peter-evans/slash-command-dispatch@v3","with":{"commands":"approve-test-run","issue-type":"pull-request","permission":"write","reaction-token":"${{ secrets.GITHUB_TOKEN }}","token":"${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}"}}]}},"name":"Approve Test Run","true":{"issue_comment":{"types":["created"]}}}'.
 ...
 - <Path> - <Details>


Details
β€”------
Container permitting root | 🟑 Low | 2 Occurrences
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
|                 RESOURCE                  |    KIND    |                   RESOURCE LOCATION                    |                SOURCE                |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | runAsNonRoot in container harbor-scanner-sysdig-secure | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge    | Deployment | runAsNonRoot in container stackdriver-webhook-bridge   | /charts/sysdig-stackdriver-bridge    |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+

Workload container default RunAsGroup root | 🟠 Medium | 2 Occurrences
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
|                 RESOURCE                  |    KIND    |                 RESOURCE LOCATION                  |                SOURCE                |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | `runAsGroup` in workload                           | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge    | Deployment | `runAsGroup` in workload                           | /charts/sysdig-stackdriver-bridge    |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+

Workload without ServiceAccount | πŸ”΄ High | 1 Occurrences
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
|                RESOURCE                |    KIND    |                 RESOURCE LOCATION                  |              SOURCE               |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
| release-name-sysdig-stackdriver-bridge | Deployment | `serviceAccountName` in workload                   | /charts/sysdig-stackdriver-bridge |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+

...

IaC Scan SUCCESS at 2024-01-04 13:19:37.702567 -0500 EST m=+0.100174543
OK: scan complete

Scan errors

Errors that are not critical are the errors that are collected during the scan and are present in our existing scan summary model, defined per resource. They shouldn’t fail the scan execution or alter the Exit Code. Therefore, Exit Code will remain 0 or 1 in the presence of non-critical errors.

The non-critical errors are displayed in the output and as part of the JSON.

Integrations

Jenkins

You can integrate the Sysdig CLI Scanner as a Jenkins step. Once imported from the URL, you can add it to your project.

  1. Create the Project or use an existing one:


  2. Chose Sysdig Secure Code Scan as the build step:


  3. Configure the operation:

    OptionDescription
    Sysdig Secure Engine URLThe Sysdig Secure endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI.
    SECURE_API_TOKENProvide your API token. You can retrieve this from Settings > User Profile in Sysdig Secure.
    PathThe path to the directory containing the source code to scan. It can be an absolute or a relative path.
  4. Configure the Advanced parameters:

    OptionDescription
    List Unsupported ResourcesToggle output of detailed list of unsupported resources.
    RecursiveScan folders for manifests recursively.
    Choose Severity ThresholdThe minimum severity that will fail a scan: Low | Medium | High | Never. The default is High.
    VersionThe CLI Scanner version to use. The default is latest.
  5. Run your Project:

​ Once you run the Project, the generated output will be identical to the output produced when running the CLI Scanner as a standalone application.