Risk Spotlight Integrations (Controlled Availability)
Sysdig is developing a simplified way to integrate third-party tools with Effective Vulnerability Exposure (EVE), the technology behind Sysdig’s Risk Spotlight feature.
About Risk Spotlight
Risk Spotlight is based on Effective Vulnerability Exposure (EVE for short), a new technology developed by Sysdig that combines the observed runtime behaviour of a particular container image with the vulnerabilities detected in its software packages. This combination is used to determine which packages are effectively loaded during execution and are thus a more direct security threat to your infrastructure.
Prioritizing the vulnerabilities which represent an actual risk to the organization is one of the most critical aspects of a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiplying this by the number of workloads running for any non-trivial infrastructure deployment, it is easy to see that the total number of potential vulnerabilities to fix is actually very large.
There are many prioritization criteria that are commonly used and accepted to start filtering the list (Severity and CVSS scoring, Exploitability metrics, Runtime scope and other environment considerations, etc). EVE is a new criterion, completely supported by observed runtime behaviour, to add to the vulnerability management tool belt that can considerably reduce the working set of vulnerabilities that need to be addressed as a priority.
Technology Overview
The Sysdig Agent components deployed for every instrumented node (host) continuously observe the behaviour of runtime workloads. Some of the information collected includes:
- Image runtime behavior profile: accessed files, processes in execution, system calls, etc. See Profiling for details.
- The ‘Bill Of Materials’ associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.
By correlating these two pieces of information, Sysdig can differentiate between packages that are merely installed in the image and those that are loaded at execution time. This distinction is then propagated to the vulnerability information for each package.
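The correlation described above can be sketched as follows. This is an added illustration, not Sysdig's implementation: the data model, function names, file paths and `VULN-` identifiers are all constructed, and it assumes the bill of materials lists the files each package installs.

```python
# Illustrative only: not Sysdig's implementation. All data below is constructed.
from dataclasses import dataclass, field

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass
class Package:
    name: str
    version: str
    files: set                                  # paths the package installs (from the BOM)
    vulns: list = field(default_factory=list)   # (vuln_id, severity) pairs

def in_use_packages(sbom, accessed_files):
    """Return names of packages with at least one file observed at runtime."""
    return {p.name for p in sbom if p.files & accessed_files}

def prioritize(sbom, accessed_files):
    """Tag every vulnerability with in_use; sort in-use first, then by severity."""
    used = in_use_packages(sbom, accessed_files)
    rows = [
        {"vuln": vid, "severity": sev, "package": p.name,
         "version": p.version, "in_use": p.name in used}
        for p in sbom for vid, sev in p.vulns
    ]
    rows.sort(key=lambda r: (not r["in_use"], SEVERITY_RANK[r["severity"]], r["vuln"]))
    return rows

# Constructed bill of materials for one image (placeholder vulnerability IDs).
SBOM = [
    Package("openssl", "1.1.1k", {"/usr/lib/libssl.so.1.1", "/usr/lib/libcrypto.so.1.1"},
            [("VULN-0001", "High"), ("VULN-0002", "Medium")]),
    Package("imagemagick", "6.9.11", {"/usr/bin/convert", "/usr/lib/libMagickCore.so"},
            [("VULN-0003", "Critical")]),
    Package("zlib", "1.2.11", {"/lib/libz.so.1"}, [("VULN-0004", "Low")]),
    Package("curl", "7.74.0", {"/usr/bin/curl", "/usr/lib/libcurl.so.4"}, []),
]

# Constructed runtime profile: files the container was observed opening.
ACCESSED = {"/usr/lib/libssl.so.1.1", "/lib/libz.so.1", "/etc/passwd", "/app/server"}

if __name__ == "__main__":
    for row in prioritize(SBOM, ACCESSED):
        print(row)
```

In this sample the Critical finding sits in a package that was never loaded, so it sorts below the High, Medium and Low findings in loaded packages; it stays on the list and is only deprioritized.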
Enabling the Feature
- Prerequisite: Risk Spotlight requires the new Vulnerability Management engine to be enabled in Sysdig Secure SaaS.
- Precise enablement steps are provided on the Profiling feature page.
Supported Package Formats/Package Managers
- Debian (except Distroless) (deb)
- Alpine (apk)
- RHEL (rpm)
- Ubuntu (deb)
- Amazon Linux
- Java (Maven)
- Python (PyPI)
- NPM (JS)
- Golang (built with Go 1.13+)
Package Types Currently NOT Supported
- Composer (PHP)
- Cargo (Rust)
- Ruby Gems
- NuGet
Currently supported Kubernetes container runtimes:
- Docker daemon
- ContainerD
How to Integrate
At this time, Snyk is using an “in-cluster” integration model that will be deprecated and migrated to the new API-based integration. For now, the token mechanism does not apply to the Snyk integration process.
Generate a Token for the Integration
1. Select Integrations > 3rd Party|Risk Spotlight Integration. The Spotlight Integration page is displayed, with a list of existing tokens and their expiry dates.
2. Click +Add Token.
3. Fill in the attributes and click Create Token.
   - Name: Choose a name that indicates the integration with which the token is associated
   - Expiration: Select an expiration date (1/3/6 months; 1 year)
4. Copy the new token as it is displayed in the list.
5. Store the token in a safe place; it will not be visible or recoverable again.

To Renew a token at any time, click the Renew button, reset the expiry, and confirm.

To Delete a token, click the X beside the token name and confirm. This action will sever the integration between Sysdig and the 3rd-party tool.