Integrate Effective Vulnerability Exposure with Snyk

Effective Vulnerability Exposure

Effective Vulnerability Exposure (EVE for short) is a new technology developed by Sysdig that combines the observed runtime behaviour of a particular container image with the vulnerabilities detected in its software packages. This combination is used to determine which packages are actually loaded while the container executes and thus represent a more direct security threat to your infrastructure.

Prioritizing the vulnerabilities that represent an actual risk to the organization is one of the most critical aspects of a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiply this by the number of workloads running in any non-trivial infrastructure deployment and it is easy to see that the total number of potential vulnerabilities to fix is very large.

There are many prioritization criteria that are commonly used and accepted to start filtering the list (severity and CVSS scoring, exploitability metrics, runtime scope and other environment considerations, etc.). EVE is a new criterion, based entirely on observed runtime behaviour, to add to the vulnerability management tool belt; it can considerably reduce the working set of vulnerabilities that need to be addressed as a priority.

Technology Overview

The Sysdig Agent components deployed for every instrumented node (host) continuously observe the behaviour of runtime workloads. Some of the information collected includes:

  • Image runtime behavior profile: accessed files, processes in execution, system calls, etc. See Image Profiles for details.
  • The ‘Bill Of Materials’ associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.

By correlating these two pieces of information, Sysdig can differentiate between packages that are merely installed in the image and the ones that are loaded at execution time. This distinction is then propagated to the vulnerability information, so each vulnerability can be tied to a package that is loaded at runtime or to one that is only installed.
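As an added example (not Sysdig's own implementation, which the page does not show), the following shell functions reproduce that correlation on the simplest possible data model: the files a workload was observed opening or executing, the image's package-to-file manifest (what `dpkg -L <pkg>` or `rpm -ql <pkg>` prints for each installed package), and the scan result. Only vulnerabilities in packages that own at least one accessed file survive the filter. The file paths, package names and the EXAMPLE-nnnn identifiers in `demo` are constructed placeholders, not real findings.

```shell
#!/bin/sh
# Added example, not Sysdig's EVE implementation. Three whitespace-separated
# input files (paths containing whitespace are not supported by this format):
#   ACCESSED  one absolute path per line: files the workload opened or executed
#   PKGFILES  "<package> <path>" per line: the image's package manifest (dpkg -L style)
#   VULNS     "<package> <vuln-id> <severity>" per line: the image scan result

# loaded_packages ACCESSED PKGFILES: prints, once each, every package that owns
# at least one accessed path. An accessed path owned by no package (application
# code, data) simply contributes nothing.
loaded_packages() {
  awk '
    FILENAME == ARGV[1] { accessed[$1] = 1; next }
    ($2 in accessed) && !($1 in seen) { seen[$1] = 1; print $1 }
  ' "$1" "$2"
}

# effective_vulns ACCESSED PKGFILES VULNS: prints only the scan lines whose
# package was loaded at runtime; the rest are installed-but-idle and can be
# deprioritised (not ignored: they become relevant as soon as the code path runs).
effective_vulns() {
  awk '
    FILENAME == ARGV[1] { accessed[$1] = 1; next }
    FILENAME == ARGV[2] { if ($2 in accessed) loaded[$1] = 1; next }
    $1 in loaded
  ' "$1" "$2" "$3"
}

# demo: runs the correlation on constructed sample data (not a real profile or scan).
demo() {
  d=$(mktemp -d)
  # files the container was observed opening/executing during the profiling window
  printf '%s\n' \
    /usr/lib/x86_64-linux-gnu/libssl.so.3 \
    /usr/bin/python3.11 \
    /app/server.py > "$d/accessed"
  # package manifest of the image
  printf '%s\n' \
    'libssl3 /usr/lib/x86_64-linux-gnu/libssl.so.3' \
    'libssl3 /usr/lib/x86_64-linux-gnu/libcrypto.so.3' \
    'openssl /usr/bin/openssl' \
    'curl /usr/bin/curl' \
    'python3.11-minimal /usr/bin/python3.11' > "$d/pkgfiles"
  # scan result for the image, with placeholder identifiers
  printf '%s\n' \
    'libssl3 EXAMPLE-0001 High' \
    'openssl EXAMPLE-0002 Medium' \
    'curl EXAMPLE-0003 Critical' \
    'python3.11-minimal EXAMPLE-0004 Low' > "$d/vulns"
  effective_vulns "$d/accessed" "$d/pkgfiles" "$d/vulns"
  rm -rf "$d"
}

demo
```

On the sample data only the `libssl3` and `python3.11-minimal` findings remain: the Critical finding in `curl` is still real, but the package is never touched at runtime, so under this criterion it ranks below a High finding in a library the workload actually loads. Two caveats a practitioner should keep in mind: a profile only covers code paths that were exercised during the observation window, and a file-level heuristic needs paths normalised (symlinks, hard links, alternative mount points) before the join, otherwise a loaded library can be missed.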

Supported Package Formats/Package Managers

  • Debian (deb)
  • Alpine (apk)
  • RHEL (rpm)
  • Ubuntu (deb)
  • Java (Maven)
  • Golang
  • NPM (JS)
  • Python (Pypi)

Currently supported Kubernetes container runtimes:

  • Docker daemon
  • ContainerD

Integration with Snyk Overview

The Snyk vulnerability management workflow can consume EVE runtime information to filter and prioritize detected vulnerabilities, following the approach described above.

To integrate Sysdig EVE information with Snyk vulnerability management workflows:

  • Have an account and a working license for both products: Snyk and Sysdig Secure
  • Instrument the target runtime nodes with both products: Snyk and Sysdig Secure
  • Have your Sysdig commercial contact explicitly enable Sysdig EVE for your Sysdig account. In particular, your account needs the feature flags for:
    • Image Profiling
    • Scanning v2 EVE
    • Scanning v2 EVE integration

Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components already installed on your infrastructure.

Installation Instructions

Snyk Installed, Sysdig Not Installed

  1. Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor. You will need it when copying the secret in the last step.

  2. Install the Sysdig agent bundle using the official helm chart.

    Add the Sysdig chart repository to Helm:

    helm repo add sysdig https://charts.sysdig.com
    

    Update the list of charts from all registered chart repositories:

    helm repo update
    

    Create the sysdig-agent namespace:

    kubectl create ns sysdig-agent
    

    Install the Sysdig agent bundle, providing the mandatory parameters, enabling the EVE and EVE Connector flags, and adjusting any other configuration key to your preference:

    helm install --namespace sysdig-agent sysdig-agent \
         --set clusterName="sysdig-eve" \
         --set sysdig.accessKey="<access-key>" \
         --set sysdig.settings.collector=collector-static.sysdigcloud.com \
         --set sysdig.settings.collector_port=6443 \
         --set nodeAnalyzer.apiEndpoint="secure.sysdig.com" \
         --set nodeAnalyzer.runtimeScanner.deploy=true \
         --set nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
         --set nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
         sysdig/sysdig
    
  3. Make sure the Sysdig agent, node analyzer (which runs the RuntimeScanner) and EveConnector pods are running and healthy:

    kubectl -n sysdig-agent get po
    
    NAME                                             READY   STATUS    RESTARTS   AGE
    sysdig-agent-8rmkt                               1/1     Running   0          24s
    sysdig-agent-eveconnector-api-74767bbf54-lw97g   1/1     Running   0          23s
    sysdig-agent-hprw7                               1/1     Running   0          24s
    sysdig-agent-jrx2q                               1/1     Running   0          24s
    sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
    sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
    sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s
    

    Parameters:

    • clusterName: Set a cluster name to identify this cluster globally, “sysdig-eve” in the example above
    • sysdig.accessKey: Sysdig agent key
    • sysdig.settings.collector: Configure the collector address according to your region
      • US-east-1: collector.sysdigcloud.com
      • US-west-1: ingest-us2.app.sysdig.com
      • EU: ingest-eu1.app.sysdig.com
    • nodeAnalyzer.apiEndpoint: Configure the API endpoint according to your region
      • US-east-1: secure.sysdig.com
      • US-west-1: us2.app.sysdig.com
      • EU: eu1.app.sysdig.com
    • nodeAnalyzer.runtimeScanner.deploy, nodeAnalyzer.runtimeScanner.eveConnector.deploy and nodeAnalyzer.runtimeScanner.settings.eveEnabled
      • All three set to true as in the example above: the first two deploy the RuntimeScanner and the EVE Connector, the third enables EVE in the RuntimeScanner
  4. Copy the Sysdig Secret into the Snyk namespace (see Copy the Sysdig Secret below).

    Data can take up to an hour to initialize and the first profiles to be sent; after that you should be able to leverage EVE data in Snyk vulnerability management workflows.

Sysdig Installed without EVE, Snyk Not Installed

If you already installed the Sysdig helm chart without enabling EVE and the EVE Connector, you need to:

  1. Install Snyk instrumentation following its documentation.

  2. Upgrade the existing Sysdig agent helm release so that it deploys the RuntimeScanner with EVE enabled and the EVE Connector:

    Create a sysdig-values.yaml file with the content:

    nodeAnalyzer:
      runtimeScanner:
        deploy: true
        image:
          repository: sysdig/vuln-runtime-scanner
          tag: 0.1.0
          digest:
          pullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 150m
            memory: 512Mi
            ephemeral-storage: "2Gi"
          limits:
            cpu: 1000m
            memory: 1536Mi
            ephemeral-storage: "4Gi"
        settings:
          eveEnabled: true
        eveConnector:
          deploy: true
          image:
            repository: sysdig/eveclient-api
            tag: 1.0.0
            digest:
            pullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 1000m
              memory: 512Mi
          settings:
            replicas: 1
    

    Upgrade the release, keeping the values you already set, with:

    helm upgrade --namespace sysdig-agent sysdig-agent \
         --reuse-values \
         -f sysdig-values.yaml \
         sysdig/sysdig

  3. Copy the Sysdig Secret into the Snyk namespace (see Copy the Sysdig Secret below).

No Sysdig, No Snyk

  1. Install the Sysdig agent bundle using the official helm chart, following the steps and parameters from the first installation scenario.
  2. Install Snyk instrumentation following its documentation.
  3. Copy the Sysdig Secret into the Snyk namespace.

Copy the Sysdig Secret

Once both the Sysdig and Snyk instrumentation are deployed and healthy, copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace.

Assuming the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor); replace them with your specific values:

kubectl get secret -n sysdig-agent sysdig-eve-secret -o json | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' | kubectl apply -n snyk-monitor -f -

The jq filter keeps only the fields needed to recreate the object (apiVersion, kind, type, the secret name and its data) and drops the namespace, uid, resourceVersion and other server-assigned metadata, so kubectl apply creates a fresh copy in snyk-monitor instead of trying to update the original. The copy carries the same credentials as the source, so restrict access to the snyk-monitor namespace as you would to sysdig-agent.
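The checks below are an added example, not part of the Sysdig or Snyk documentation: a small POSIX shell script that verifies the outcome of the installation steps above (the pod health check from step 3 of the first scenario) and of the secret copy just shown. It assumes kubectl is on the PATH and the default namespace and secret names used on this page; the parsing functions take a `kubectl get po` listing on stdin so they can be exercised without a cluster. The pod name patterns are taken from the sample output above; EVE_CHECK, SYSDIG_NS and SNYK_NS are variables of this script, not of the Sysdig chart.

```shell
#!/bin/sh
# Post-deployment checks for the Sysdig EVE + Snyk integration.
# Added example, not part of the Sysdig or Snyk documentation.
# Assumes kubectl in PATH and the namespace/secret names used on this page;
# override with SYSDIG_NS / SNYK_NS if yours differ.

SYSDIG_NS="${SYSDIG_NS:-sysdig-agent}"
SNYK_NS="${SNYK_NS:-snyk-monitor}"
EVE_SECRET="sysdig-eve-secret"

# pods_healthy: reads a `kubectl get po` listing (header optional) on stdin.
# Prints every pod that is not Running with all of its containers ready and
# returns 1 if there is at least one such pod, 0 otherwise.
pods_healthy() {
  awk '
    NF == 0 || $1 == "NAME" { next }            # skip blank lines and the header
    {
      split($2, ready, "/")                     # READY column is "<ready>/<total>"
      if ($3 != "Running" || ready[1] != ready[2]) { print $1, $2, $3; bad = 1 }
    }
    END { if (bad) exit 1 }
  '
}

# eve_pods_present: reads the same listing on stdin and checks that the two
# workloads specific to EVE are scheduled: the node-analyzer DaemonSet pods
# (which carry the RuntimeScanner) and the eveconnector-api Deployment pod.
eve_pods_present() {
  listing=$(cat)
  ok=0
  printf '%s\n' "$listing" | grep -q -- '-node-analyzer-' \
    || { echo "missing: node-analyzer pods"; ok=1; }
  printf '%s\n' "$listing" | grep -q -- '-eveconnector-api-' \
    || { echo "missing: eveconnector-api pod"; ok=1; }
  return "$ok"
}

# secret_data_matches SRC DST: compares two `.data` maps of a Secret as printed
# by `kubectl get secret -o jsonpath='{.data}'`. The copy in the Snyk namespace
# must carry exactly the credentials generated in the Sysdig namespace, and an
# empty source means the EVE Connector never created the secret.
secret_data_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# run_checks: the live version, run against the cluster.
run_checks() {
  kubectl -n "$SYSDIG_NS" get po | pods_healthy \
    || { echo "unhealthy pods in $SYSDIG_NS"; return 1; }
  kubectl -n "$SYSDIG_NS" get po | eve_pods_present || return 1
  src=$(kubectl -n "$SYSDIG_NS" get secret "$EVE_SECRET" -o jsonpath='{.data}') \
    || { echo "$EVE_SECRET not found in $SYSDIG_NS"; return 1; }
  dst=$(kubectl -n "$SNYK_NS" get secret "$EVE_SECRET" -o jsonpath='{.data}') \
    || { echo "$EVE_SECRET not found in $SNYK_NS (copy step not done?)"; return 1; }
  secret_data_matches "$src" "$dst" \
    || { echo "$EVE_SECRET in $SNYK_NS differs from the one in $SYSDIG_NS"; return 1; }
  echo "EVE components healthy and $EVE_SECRET copied to $SNYK_NS"
}

# Run the live checks only when explicitly asked (EVE_CHECK=run ./eve-check.sh),
# so the file can also be sourced for its functions.
case "${EVE_CHECK:-}" in run) run_checks ;; esac
```

Run it after the copy step and again an hour later: a healthy listing plus a matching secret tells you the integration is wired up, but EVE data only reaches Snyk once the first image profiles have been sent.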

Check Integration in Snyk UI

Confirm in the Snyk UI that runtime vulnerabilities are detected and prioritized.



Last modified May 20, 2022