Integrate with Visual Studio Code

You can use Sysdig Visual Studio Code extension to catch vulnerabilities and compliance policy violations early in development. This extension empowers shift-left testing and pre-runtime security.

With Sysdig VS Code extension, you can:

  • Scan Dockerfiles, Docker-compose, and Kubernetes manifests.
  • Uncover vulnerabilities within software packages.
  • Scan Infrastructure as Code (IaC) projects.
  • Evaluate compliance with Sysdig’s Vulnerability Management (VM) policies.

Prerequisites

Limitations

While the Sysdig extension offers powerful scanning capabilities, there are some limitations to be aware of:

  • Non-concurrent scanning — Scans are performed sequentially, which might affect performance in large projects.
  • No Multiple YAML support — The extension currently does not support scanning multiple Kubernetes or Docker-compose YAML files in a single run.
  • ARG statements in Dockerfiles — Scanning does not currently resolve ARG statements (build arguments), which may limit the detection of vulnerabilities in certain scenarios. If you need ARGs to build, you can manually scan an image with the Image to Scan feature in Settings. See Configure Settings.
  • The Sysdig VS Code extension is not available for Windows.
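Because the extension does not resolve ARG statements, a Dockerfile whose FROM line is parameterised with build arguments has to be scanned by naming the image manually in Image to Scan. The following added helper (example code, not part of the extension or of this page) expands pre-FROM ARG defaults in FROM lines to find which image that is; the sample Dockerfile, the resolve_base_images function and its build_args parameter are all constructed for the example.

```python
import re

# Constructed sample (not from the page): a Dockerfile whose base image is
# parameterised with ARG, the pattern the Sysdig VS Code scanner does not resolve.
SAMPLE_DOCKERFILE = """\
ARG PYTHON_VERSION=3.12
ARG BASE_REGISTRY=docker.io/library
FROM ${BASE_REGISTRY}/python:${PYTHON_VERSION}-slim AS build
RUN pip install --no-cache-dir requests
FROM $BASE_REGISTRY/python:$PYTHON_VERSION-slim
COPY --from=build /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
"""

_ARG_RE = re.compile(r"^ARG\s+([A-Za-z_]\w*)(?:=(.*))?$", re.IGNORECASE)
_FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
_REF_RE = re.compile(r"\$\{([A-Za-z_]\w*)(?::-([^}]*))?\}|\$([A-Za-z_]\w*)")


def resolve_base_images(dockerfile_text, build_args=None):
    """Return the distinct images referenced by FROM, with ARG references expanded.

    Only ARGs declared before the first FROM are usable in FROM lines (Docker's
    own rule); ``build_args`` plays the role of --build-arg and overrides the
    declared defaults.  Stage aliases (FROM ... AS name) are not real images,
    so a later ``FROM name`` is skipped.
    """
    overrides = build_args or {}
    args, stages, images, seen_from = {}, set(), [], False

    def expand(ref):  # substitute ${VAR}, ${VAR:-default} or $VAR
        name = ref.group(1) or ref.group(3)
        value = args.get(name, "")
        return value if value or ref.group(2) is None else ref.group(2)

    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        m = _ARG_RE.match(line)
        if m and not seen_from:
            default = (m.group(2) or "").strip().strip("\"'")
            args[m.group(1)] = overrides.get(m.group(1), default)
            continue
        m = _FROM_RE.match(line)
        if not m:
            continue
        seen_from = True
        image = _REF_RE.sub(expand, m.group(1))
        if m.group(2):
            stages.add(m.group(2).lower())
        if image.lower() not in stages and image not in images:
            images.append(image)
    return images


if __name__ == "__main__":
    # Each printed image is a candidate value for the Image to Scan setting.
    for img in resolve_base_images(SAMPLE_DOCKERFILE):
        print(img)
```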

Install the VS Code Plugin

To install Sysdig Scanner, the Sysdig VS Code plugin:

  1. Search for “Sysdig Scanner” in the VS Code Extension tab, or in the VS Code Marketplace.

  2. Select Install.

  3. Once installed, launch the Command Palette (⌘+Shift+P on Mac and Ctrl+Shift+P on Linux).

  4. Search Sysdig and select Authenticate with Sysdig Secure API Token.

  5. Enter your Sysdig Secure endpoint.

    See Retrieve the Sysdig API Token.

  6. Enter your Sysdig Secure API Token.

    See Retrieve the Sysdig API Token.

  7. Close and relaunch VS Code.

The extension is now linked to your Sysdig Secure account.

Use Sysdig Scanner

You can use the Sysdig VS Code extension, also known as Sysdig Scanner, as follows:

  • Open the Explorer tab in VS Code. In the bottom left, you will see the Policy Evaluation and Vulnerabilities tabs.
    1. Select the Info icons in the bottom left of your VS Code window to access the Problems tab.

       Problems are grouped into three severities: high, medium, and low.

    2. Click an issue to view the corresponding file.

  • Use the Command Palette (⌘+Shift+P on Mac and Ctrl+Shift+P on Linux) to run commands with Sysdig Scanner, such as:
    • Scan Workspace for Iac Files: Sysdig scans the entire workspace, including the Terraform and Kubernetes manifests, and lists all misconfigurations associated with these files. This gives security teams the context they need to respond.
    • Scan Image for Vulnerabilities
    • Scan Kubernetes manifest for Vulnerabilities
    • Scan Dockerfile for Vulnerabilities
    • Scan Docker Compose manifest for Vulnerabilities
  • As you edit files, you will also see prompts from Sysdig Scanner. For example, when you specify an image in a YAML file, you will see an unobtrusive prompt asking whether you would like to Scan Image.

Scan Dockerfiles

When you open a Dockerfile in VS Code, the Sysdig Scanner extension lets you:

  • Build and Scan: Build the entire Dockerfile and scan for vulnerabilities in the software packages used in the project through layered analysis.
  • Scan Base Image: Look for security gaps within the base image.

In both cases, a detailed report of all detected vulnerabilities is generated. These are categorized by severity. You can filter results by Exploitable and Fixable.

Configure Settings

Change the settings to customize the extension to your needs:

  1. Open VS Code.

  2. Select the Extensions tab.

  3. Click the settings icon beside Sysdig Scanner.

  4. Select Extension Settings.

    The Extension Settings page opens.

Here you can configure:

  • User/Workspace: Select between the User and Workspace tab to configure settings globally for your user account, or for a specific workspace. This is useful for applying custom policies to a specific project.
  • Cli Scanner Source: Specify a custom path to retrieve Sysdig CLI Scanner.
  • Add Policies: By default, the extension applies Sysdig Secure managed VM policies. Use this setting to add custom policies.
  • Detailed Reports: By default, the extension summarizes its findings in reports. Use this setting to generate more detailed reports.
  • Filter Packages With No Vulnerabilities: By default, Sysdig filters out packages with no vulnerabilities in the Vulnerabilities view. Use this setting to include these packages.
  • Image to Scan: Use the box to manually specify an image for Sysdig to scan.
  • Standalone Mode: Standalone mode allows Sysdig Scanner to work in a limited capacity with a local Vulnerabilities Database, but without policies. By default, the Sysdig Scanner uses standalone mode when offline. You can set Sysdig Scanner to use Standalone Mode Always, Never, or When Disconnected (the default).
  • Upload Results: Tick the box to upload scans to the Sysdig backend. This can be used to share scan results. The setting is off by default to reduce noise.