Integrate with Backstage

Backstage offers necessary software resources, documentation, and tools to develop cloud-native applications. To help you collect real-time insights into active vulnerabilities, misconfigurations, and runtime behaviors of your Backstage development environment, Sysdig provides a plugin to integrate Sysdig Secure with Backstage. With this integration, you can manage, track, and protect your applications in a centralized hub.

By embedding Sysdig security insights directly within Backstage, you gain immediate visibility into security concerns, significantly accelerating the time to detect and respond to issues. This makes it easier to identify and address potential issues in your applications earlier in the devops cycle.



Change directory to the root of the Backstage application directory and install backstage-plugin-sysdig. Use of the following methods:


# From your Backstage root directory
yarn --cwd packages/app add @sysdig/backstage-plugin-sysdig


# From your Backstage root directory
git clone plugins/sysdig
yarn install


Sysdig plugin uses the following to perform various operations such as fetching vulnerability scan results from Sysdig backend.

  • APIs: The Sysdig plugin interacts with the Backstage through APIs that leverages annotations in the catalog-info.yaml files associated with the components.

  • Annotation: Annotations are a key concept in the Backstage catalog. They attach metadata to entities defined in the catalog-info.yaml files. The metadata could be links to the documentation, system dependencies, and integration points with tools such as Jenkins for CI/CD, or Sysdig for security insights.

Configure Route Reference for Sysdig

Routes implements cross-plugin communication within the Backstage application and define routing hierarchy to ensure smooth working of the plugin. For more information, see Backstage Frontend Routes.

In order for the Sysdig plugin to work, you must add route reference for Sysdig to the entitey routes in packages/app/src/components/catalog/EntityPage.tsx:

import { SysdigPage } from '@sysdig/backstage-plugin-sysdig';


const serviceEntityPage = (


	<EntityLayout.Route path="/sysdig" title="Sysdig">
		<SysdigPage />



Route references expose a path in Backstage’s routing system. They have opaque values that symbolizes route targets within an app, tied to specific paths during runtime. Routes indirectly connect various pages that lack inherent routing links, enabling navigation between them.

Configure Sysdig Connection

In order for the Backstage application to communicate with Sysdig, you need to define Sysdig connection setting in the Backstage application configuration file.

  1. Open your terminal, set the following environment variable:
    • SYSDIG_SECURE_ENDPOINT: Your Sysdig Secure endpoint.
    • SYSDIG_SECURE_TOKEN: The Sysdig Secure API token associated with your Sysdig Secure account.
  2. Add the Sysdig connection settings to the app-config.yaml file:
  		  changeOrigin: true
			  allowedMethods: ['GET']
					"Authorization": "Bearer ${SYSDIG_SECURE_TOKEN}"
					"Content-Type": "application/json"
					"Accept": "application/json"
				  "X-Sysdig-Product": "SDS"



Annotate Sysdig Services

A service is registered in the Backstage Catalog by using a catalog-info.yaml file. This file contains annotations that connect it to its source code repository and other integrations.

The following is an example of a catalog-info.yaml for an service called sock-shop-cart.

Runtime Scanning

To identify vulnerabilities at runtime and in-use vulnerable packages, you can use the following annotation:

    # VM Runtime <cluster-name> <namespace-name> <workload-name> <workload-type>

They connect to the Sysdig service and fetch the runtime scan results of the sock-shop-cart application.

Registry Scanning

To identify vulnerabilities vulnerable packages in your registry, you can use the annotation similar to the following:

 # VM Registry harbor registry-harbor-registry.registry.svc.cluster.local:5443

Example Annotation

Sysdig provides curated annotations to help you with insights into the potential risks associated with your current build. In addition to the previous examples, you can fetch pipeline results, compliance reports, and more.

Here is an example of the catalog-info.yaml for a service named sock-shop-carts:

kind: Component
  name: sock-shop-carts
    # VM Runtime sock-shop-cluster sock-shop sock-shop-carts deployment

    # VM Registry harbor registry-harbor-registry.registry.svc.cluster.local:5443

    # VM Pipeline
    # Posture sock-shop-carts "Deployment"
  description: |
    This is the Sock shop service that keeps track of socks pairs to be purchased.
  type: service
  lifecycle: experimental
  owner: team-c
  system: sock-shop
    - component:default/sock-shop-carts-db

Not all the annotations are necessary for the plugin to work; the functionality of various reports may vary based on the information provided. For instance, to access Registry scanning results, you must annotate the relevant services with registry data.

Once the service is added to the catalog, you can manage the sock-shop-cart from Backstage.

For the detailed workflow, see Sysdig Integration with Backstage.