This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Integrations for Sysdig Secure

1: Data Sources

1.1: Cloud Accounts

1.2: Managed Kubernetes

1.3: Sysdig Agents

2: Risk Spotlight Integrations (Controlled Availability)

2.1: Integrate Effective Vulnerability Exposure with Snyk

3: IBM Cloud Pak for Multicloud Management

The Integrations menu option in Sysdig Secure provides quick-link access to both inbound data sources and outbound integrations such as notification channels and S3 captures.

Inbound

Data Sources: Cloud Accounts and Kubernetes Clusters

Log in to Sysdig Secure and choose Integrations > Cloud Accounts or Integrations > Kubernetes Cluster to review the status of your cloud accounts.

Outbound

S3 Capture Storage Use Integrations > Outbound | S3 Capture Storage as a quick link to that page in Settings.

Notification Channels Integrations > Outbound | Notification Channels gives a quick link to configure the notification channels in Sysdig Secure. (Sysdig Monitor notification channels must be configured separately and are access from the Monitor UI.)

Extensions and Levels of Support

“Integrations” for Sysdig Secure can include a wide range of tools and software designed to connect Secure functionality (e.g., image scanning, event handling, audit logging, and risk analysis) with other systems. Some such tools are installed with the backend. Others are not, because they exist to accommodate specific use cases, infrastructure details, or additional customizations.

These added tools are called “extensions” and It is up to the user to decide which extensions to install on top of the core backend functionality.

There are two different categories of extensions depending on the support level and backward- compatibility guarantees:

Preview features - These are pre-release features for which Sysdig is seeking early feedback from users. If you’re interested in trying these items, we will connect you directly with our product/engineering teams. Depending on the level of engagement with a preview Sysdig will decide to deprecate it or move it into an officially supported extension or feature.
Fully supported) Extension features - These extensions are installed outside the core Sysdig product and leverage Sysdig APIs, but they are fully supported at the same level as any other core product feature.

Features that are delivered with the core product are designated as “built-in” and always receive full support.

Sysdig delivers many other code examples and integrations as blog content, webinars, whitepapers, etc. Any code snippet or integration that is not explicitly listed in the tables above is not officially supported and is merely illustrative of a particular feature or capability.

Types of Secure Integrations

Image scanning functionality can be integrated into the CI/CD pipeline and with container registries. Kubernetes logs can be integrated from a variety of platforms and distributions. Events can be forwarded to various external processing systems.

Fully supported Extensions are marked with ^E. Preview features are marked with ^P.

CI/CD Pipeline	Container Registries	Audit Logging (Kubernetes)	Event Forwarding
Jenkins plugin^E	AWS ECR ^E	Google GKE^E	Splunk (built-in)
Azure Pipelines^P	Harbor Scanner Adaptor^P	Amazon EKS^E	Syslog (built-in)
AWS Codepipeline^P	Google GCR (built-in)	Azure AKS^P	IBM QRadar (built-in)
CircleCI^P	Azure ACR (built-in)	Native configurations^E	IBM MCM (built-in)
Github Actions^P	Artifactory (built-in)
Gitlab^P	Dockerhub (built-in)
Tekton Pipelines^P	Quay (built-in)

Additional Integration Tools

Developer Tools:

Admission Controller^Pfor image scanning:

IBM Cloud Pak for Multicloud Management ^E full integration guide

1 - Data Sources

Data sources, grouped under Integrations in Sysdig Secure, provide an overview of inbound, outbound, and third-party data integrations.

1.1 - Cloud Accounts

If you connect a cloud account using Sysdig Secure for cloud, you can review the details on this page and connect additional accounts as needed.

Review Data Sources

Access the Page

Log in to Sysdig Secure and select Integrations > Data Sources | Cloud Accounts from the navigation bar.
The Cloud Accounts overview is displayed.

Review Cloud Accounts

Use the Cloud Accounts overview to:

Confirm that the incoming data sources you expected are present
Get an overview of the status
Check whether managed clusters in the accounts were detected and whether an agent was installed with them.

The page lists:

Platform: AWS, GCP, Azure
Account ID: The AWS Account ID, GCP Project ID, or Azure Subscription ID
Alias: As defined when connected
Region(#): Each account may be deployed in multiple regions; click on a numbered entry to expand and view all the regions.
Date Added: Date the account was added to Sysdig Secure
Date Last Seen: Date of last observed activity on the account/region.
Clusters Connected (x/y): This displays the number of managed clusters detected in the account/region (y) and the number of clusters with at least one agent installed (x).
For example:
- 0/0 = no clusters contain an agent, no clusters detected
- 1/17 = 1 cluster contains an agent, 17 total clusters detected

Connect Account

To connect a cloud account, click Connect Account and select the appropriate cloud provider (AWS | GCP | Azure), then follow the installation pop-up wizard.

1.2 - Managed Kubernetes

Review Managed Kubernetes

From the Managed Kubernetes tab you can review cluster details of detected cloud accounts and instrument a cluster if needed.

Filtering Actions

You can:

Search by keyword
Filter by platform or account number
Sort by Status, Cluster Name, Account ID, or Region

For un-instrumented clusters detected on an account, the modal under More helps speed the instrumentation process.

Click Instructions to Instrument. The instrumentation popup is displayed, with your access key and cluster-specific data prefilled.
Follow the two-step procedure to generate the kubeconfig and install the agent.
OR
Click Copy Script to Instrument to get both parts in a single script you can deploy.

1.3 - Sysdig Agents

This page shows all of the Sysdig Agents that have reported into the Sysdig backend, and enables the user to quickly determine:

Which agents are up-to-date, out of date, or approaching being out of date
Which managed clusters have been detected in your cloud environment, but have not yet been instrumented with the Sysdig agent

The feature is in Technology Preview status; additional functionality and refined the workflows will continue to be added.

Review Environment

Select Integrations > Data Sources | Sysdig Agents.

The resulting page shows all detected nodes in your environment and the status of the agents installed on them, or not. The view shows nodes detected from previously installed agents on hosts and from connected cloud accounts.

You can:

See at a Glance: Quickly identify where agents are installed: by node, cluster name, and/or cloud account ID
Know the Status: Check agent connection status and age
Search or Filter: Narrow the view by searching or filtering on node name, cluster name, Account ID, agent version, or agent Status
Agent Count: View your total connected agent count over time
Install or Troubleshoot: Link to quick steps for adding an agent or troubleshooting disconnected nodes

Understand Agent Status

Status	Description	Notes
Never Connected	Cloud Accounts only. Detects nodes in a managed cluster in a cloud account connected to Sysdig, where an agent has not been deployed	Hover over the status to link to the Helm-based agent install instructions.
Up to date	Your agent version is up to date.
Out of date	Deprecated agent version. Agents support is provided for the last three minor version releases.	Hover over the status for information on upgrading the agent.
Almost out of date	On the next agent release, this agent will be deprecated. Agents support is provided for the last three minor version releases.	Hover over the status for information on upgrading the agent.
Disconnected	A Sysdig agent on a registered Kubernetes node lost connection to Sysdig.	Hover over the status for information on how to troubleshoot an agent installation

Options to Add Agent

Integrations > Data Sources | Sysdig Agents and select Add Agent.
Select whether to connect to a Kubernetes cluster, Linux, or Docker, and follow the installation pop-up instructions.
See also: Agent Installation.

2 - Risk Spotlight Integrations (Controlled Availability)

Sysdig is developing a simplified way to integrate third-party tools with Effective Vulnerability Exposure (EVE), the technology behind Sysdig’s Risk Spotlight feature.

About Risk Spotlight

Risk Spotlight is based on Effective Vulnerability Exposure (EVE for short), a new technology developed by Sysdig that combines the observed runtime behaviour of a particular container image with vulnerabilities detected in its software packages. This combination is used to determine which packages are effectively loaded during the executing and thus, are a more direct security threat for your infrastructure.

Prioritizing the vulnerabilities which represent an actual risk to the organization is one of the most critical aspects of a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiplying this by the number of workloads running for any non-trivial infrastructure deployment, it is easy to see that the total number of potential vulnerabilities to fix is actually very large.

There are many prioritization criteria that are commonly used and accepted to start filtering the list (Severity and CVSS scoring, Exploitability metrics, Runtime scope and other environment considerations, etc). EVE is a new criterion, completely supported by observed runtime behaviour, to add to the vulnerability management tool belt that can considerably reduce the working set of vulnerabilities that need to be addressed as a priority.

Technology Overview

The Sysdig Agent components deployed for every instrumented node (host) continuously observe the behaviour of runtime workloads. Some of the information collected includes:

Image runtime behavior profile: accessed files, processes in execution, system calls, etc. See Profiling for details.
The ‘Bill Of Materials’ associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.

By correlating these two pieces of information, Sysdig can differentiate between packages merely installed in the image vs the ones that are loaded at execution time. This information is then propagated to vulnerabilities information.

Enabling the Feature

Prerequisite: Risk spotlight requires the new Vulnerability Management engine enabled in Sysdig Secure SaaS.
Precise enablement steps are provided on the Profiling feature page.

Supported Package Formats/Package Managers

Debian (except Distroless) (deb)
Alpine (apk)
RHEL (rpm)
Ubuntu (deb)
Amazon Linux
Java (Maven)
Python (PyPi)
NPM (JS)
Golang (built with Go 1.13+)

Package Types Currently NOT Supported

Composer (PHP)
Cargo (Rust)
Ruby Gems
NuGet

Currently supported Kubernetes container runtimes:

Docker daemon
ContainerD

How to Integrate

At this time, Snyk is using an “in-cluster” integration model that will be deprecated and migrated to the new API-based integration. For now, the token mechanism does not apply to the Snyk integration process.

Generate a Token for the Integration

Select Integrations > 3rd Party|Risk Spotlight Integration. The Spotlight Integration page is displayed, with a list of existing tokens and their expiry dates.
Click +Add Token.
Fill in the attributes and click Create Token.
- Name: Choose a name that indicates the integration with which the token is associated
- Expiration: Select an expiration date (1/3/6 months; 1 year)
Copy the new token as it is displayed in the list.
Store the token in a safe place; it will not be visible or recoverable again.

To Renew a token at any time, click the Renew button, reset the expiry, and confirm.

To Delete a token, click the X beside the token name and confirm. This action will sever the integration between Sysdig and the 3rd-party tool.

2.1 - Integrate Effective Vulnerability Exposure with Snyk

Integration with Snyk Overview

Snyk.io vulnerability management workflow can consume runtime EVE information to filter and prioritize detected vulnerabilities, following a similar approach to the one described in Risk Spotlight Integrations.

To integrate Sysdig EVE information with Snyk vulnerability management workflows:

Have an account and working license to use both products: Snyk, Sysdig Secure
Instrument the target runtime nodes using both products: Snyk, Sysdig Secure
Have your Sysdig commercial contact explicitly enable Sysdig EVE for your Sysdig account. In particular, your account needs the feature flags for:
- Image Profiling
- Scanning v2 EVE
- Scanning v2 EVE integration

Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components already installed on your infrastructure.

Installation Instructions

Snyk Installed, Sysdig Not Installed

Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor. You will need it to copy the secret in the last step.

Use the sysdig-deploy helm chart to install the Sysdig agent bundle. Provide the mandatory parameters and enable the eve and eveConnector parameters.

Example:

 helm install --namespace sysdig-agent sysdig-agent \
 ....other parameters...
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

Make sure the Sysdig agent images, RuntimeScanner, and EveConnector pods are running and healthy:

kubectl -n sysdig-agent get po

NAME                                             READY   STATUS    RESTARTS   AGE
sysdig-agent-8rmkt                               1/1     Running   0          24s
sysdig-agent-eveconnector-api-74767bbf54-lw97g   1/1     Running   0          23s
sysdig-agent-hprw7                               1/1     Running   0          24s
sysdig-agent-jrx2q                               1/1     Running   0          24s
sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s

Copy the Sysdig Secret into the Snyk namespace.
Data can take up to an hour to initialize and start sending the initial profiles, then you should be able to leverage EVE data using Snyk vulnerability management workflows.

Sysdig Installed without EVE, Snyk Not Installed

If you already installed the Sysdig agent using the helm chart without enabling eve and the eveConnector parameters, do the following:

Install Snyk instrumentation following its documentation.

Upgrade the sysdig-deploy helm chart with the required eve settings:

helm upgrade sysdig-agent \
  --namespace sysdig-agent \
  --reuse-values \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

No Sysdig, No Snyk

Install the Sysdig agent bundle using the official helm chart, and including the steps and parameters from the first installation scenario.
Install Snyk instrumentation following its documentation.
Copy the Sysdig Secret into the Snyk namespace.

Copy the Sysdig Secret

Once both Sysdig and Snyk instrumentation are deployed and healthy, you need to copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace:

Assuming the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor), replace with your specific values:

kubectl get secret -n sysdig-agent sysdig-eve-secret -o json | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' | kubectl apply -n snyk-monitor -f -

Check Integration in Snyk UI

Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI:

3 - IBM Cloud Pak for Multicloud Management

IBM Cloud Pak for Multicloud Management centralizes visibility, governance, and automation for containerized workloads across clusters and clouds into a single dashboard. One of the key capabilities of the product is the centralization of security findings to help cloud team administrators understand, prioritize, manage and resolve security issues that are related to their cloud applications and workloads.

The integration of Sysdig Secure with IBM Cloud Pak for Multicloud Management extends the depth of security intelligence available with:

Container image vulnerability management and configuration validation
Runtime security with prevention, threat detection, and mitigation
Incident response and forensics
Compliance and audit

Sysdig Secure increases IBM Cloud Pak for Multicloud Management compliance capabilities to help meet regulatory requirements like NIST, PCI, GDPR, or HIPAA. By deploying the products together, users can extend container security to prevent vulnerabilities, stop threats, accelerate incident response, and enable forensics.

The integration involves several components, each of which is installed and configured separately.

Users of IBM Cloud Pak for Multicloud Management can follow the Installation Integration Guide to install and configure:

The Sysdig agent
Event forwarding integration
Single sign-on (SSO) integration via OpenID Connect
Navigation menu shortcut integration

For More Information

Download the Integration Guide
Review the blog entry about Sysdig Secure and IBM Cloud Pak for Multicloud Management Integration