Inventory

The Sysdig Secure Inventory provides visibility into resources across your cloud (GCP, Azure, and AWS) and Kubernetes environments, as well as your container images. Inventory’s Resource-360 drawer provides comprehensive vulnerability and compliance findings on your resources, along with their configuration details.

Overview

With this release of Inventory, you can:

  • View all deployed resources across your cloud environment(s).
  • View all code resources from IaC integrations.
  • Protect all resources and mitigate blind spots.
  • Know which resources in your infrastructure share properties.
  • Know which resources belong to a business unit.
  • Review posture violations for a resource and take action (remediate or accept the risk).
  • View all container images from your runtime scans.
  • Find vulnerable packages in your environment and the resources running them.

Enablement Steps

If I want to see… | I need to enable/configure… | Required
Cloud resources (AWS, GCP, Azure) | Connect a cloud account. See Connect Cloud Accounts. | Yes
Kubernetes resources (Users, Roles, Groups, Hosts, Workloads…) | Install the Sysdig agent with KSPM enabled, using the Helm value --set global.kspm.deploy=true. See Install Kubernetes. | Yes
Container images | When installing the Sysdig agent for Kubernetes resources (above), also install the Runtime Image Scanner. It is included automatically when you install the agent with the Quick Start Wizard. See Install Kubernetes. | Yes
Standalone hosts (Linux, Docker) | Install the Posture Host Analyzer (non-Kubernetes) as a container. See Install Posture Host Analyzer. | No
IaC code | Check the IaC Supportability Matrix, then set up a Git Integration and add Git Sources. See Git Integrations. | No
Vulnerable cloud hosts | Agent-based or agentless Vulnerability Host Scanning. | No
Vulnerable packages running on Kubernetes workloads | Risk Spotlight, which is enabled automatically from Sysdig agent v12.15 onward. See Risk Spotlight. | No

Usage

  1. Access: Log in to Sysdig Secure and click the Inventory top-level menu item.

    Inventory displays all resources from cloud accounts, Kubernetes data sources, and IaC Git resources connected to Sysdig, along with their findings (compliance, vulnerabilities, exposure).

    Data shown in the UI is refreshed every 24 hours when a compliance evaluation is run.

  2. Filter: Use the Featured Filters panel and the unified filter bar to find targeted resources. See Filters and Queries.

  3. Use Resource Indicators: On a resource card, hover over the Posture Policies Passing gauge, the Runtime Vulnerabilities thermometer, and the Network Exposure icon to get high-level insights about your resource.

  4. View a Resource 360: Click a card to review the resource Posture, Vulnerabilities and Configuration details (below).

Use the Resource Posture Tab

For every resource, the Posture tab shows its posture status based on the zones it belongs to and the policies applied to it. Sample posture queries are listed under Find Resources by Posture Details.

  1. Click a resource card to open the resource’s 360 drawer and access the Posture tab.

    The number of failed policies is highlighted next to the tab name.

  2. Select a failed policy to see the relevant controls to be remediated. The controls are grouped by requirement within each policy.

    For more information, see Evaluate and Remediate from Inventory.

Use the Resource Vulnerabilities Tab

  1. Click the resource card of an image or workload to open the resource’s 360 drawer and access the Vulnerabilities tab. It contains the latest Runtime vulnerabilities scan result for that image or workload.

  2. View detected vulnerabilities and filter on those that have a Fix, an Exploit, or an Accepted Risk. Filtering on In Use is available for Workloads (see Risk Spotlight).
    NOTE:

    • Runtime image scans include the Image ID. If the image was also scanned in Pipeline or Registry, then you can view it in the Pipeline or Registry Vulnerabilities interface using the 3-dot menu.

    • Cloud Host scans are performed against runtime packages.

    • From Workloads, you can view the container image as a first-class citizen in Inventory or in the Runtime Vulnerabilities interface using the Image ID.

    • With Risk Spotlight enabled you can see which of your vulnerable packages are currently loaded in Runtime.

Use the Resource Configuration Tab

  1. Click a resource card to open the resource’s 360 drawer and access the Configuration tab. It contains additional metadata and configuration details, including the timestamp of the resource’s last scan.

    You can copy the configuration or save it as a .txt file.

  2. For Kubernetes hosts and clusters, you can search within the resource configuration by Origin or Attribute.

Work with IaC Resources

If you have configured IaC scanning, you can view the resources supported by the Git-integrated scanner (YAML, Terraform, Helm charts, etc.) in the Inventory. For more information, see IaC Support. The 360 view of each code resource includes:

  • resource metadata
  • configuration details
  • posture violations that can be remediated with automated workflows.

Search for IaC Resources

IaC resources from Git repository scans are labeled code in the Inventory UI, to distinguish them from deployed resources in your cloud environments.

  1. Filter for Resource Origin = Code.

  2. Notice the resulting list includes a visual tag (< >) on the logo to distinguish code resources.

  3. Other options: Filter by Source Type, Location, Git Integration, or Repository.

View Vulnerable Resources

If you have installed the Runtime image scanner, you can view your container images in Inventory. The 360-view of each image resource includes:

  • Resource metadata
  • Runtime context of Package vulnerabilities
  • Vulnerability details (has fix, has exploit) that support your remediation workflows

Search for Container Images

Container images from Runtime scans are a new Resource Type in the Inventory UI.

  • Filter for Resource Type is Image

Other options: Filter by Platform, Image ID, Image Digest, Image Registry, Image Pullstrings or Image Tags

Search for Vulnerable Workloads

Quickly discover workloads running container images with vulnerable packages.

  • Filter for Resource Type in (Deployment, DaemonSet, CronJob, Job, etc.) AND Vulnerability in CVE-2005-2541
  • Other options: Filter by Resource Type AND Package, Package Path, or Vulnerability Severity

Search for Vulnerable Cloud Hosts

Inventory currently supports AWS (EC2 Instance) and GCP (Compute Instance) Hosts. Azure VMs are out of scope.

Find cloud hosts running images with vulnerable packages.

  • Filter for Resource Type in (EC2 Instance, Compute Instance) AND Vulnerability in CVE-2023-0464
  • Other options: Filter for Resource Type AND ARN, Resource ID

Filters and Queries

The Inventory UI includes sophisticated filtering options using both the Sysdig unified filter bar and a “Featured Filters” column on the left.

Unified Filter

As in other parts of the Sysdig Secure interface, the unified filter bar allows you to build sophisticated queries using:

  • Drop-down menu items and operators
  • Clickable resource elements on the Inventory page

Featured Filters

The Featured Filters panel, populated by Sysdig, displays the filter types most useful for your environment. It lets you narrow down to your most prevalent and “at risk” resources and includes resource counts and risk indicators.

You can:

  • Open and close the panel from the top-left arrow symbol.

  • Click In/!In or Yes/No beside any featured filter item to include it in the query you are building in the unified filter.

  • View by Risk indicators associated with Vulnerabilities: Has Fix and Has Exploits

You can structure queries in the unified filter to solve common use cases as follows:

Find Resources by Name and/or Attributes

  • I want to search for all S3 buckets in the EU regions
    • Resource Type contains S3 AND Region startsWith eu
  • I want to search for all hosts with names starting with prod
    • Resource Type is host AND Name startsWith prod
  • I want to view the configuration of my GKE Worker nodes
    • Node Type is Worker AND Kubernetes Distribution is gke
  • I want to search for all clusters running on OpenShift V4
    • Resource Type is Cluster AND Kubernetes Distribution is ocp4
  • I want to search for all IaC resources
    • Resource Origin is Code

Find Resources Owned by Business Unit

  • I want to search for all resources belonging to my PCI zones
    • Zones startsWith PCI
  • I want to search for all resources labeled app:retail
    • Labels in app:retail
  • I want to search for all resources within the finance namespace
    • Namespace is finance
  • I want to search for all resources belonging to my docker clusters
    • Cluster contains docker

Find your Environment Blind Spots

  • I want to view all resources on which there are 0 policies applied
    • Posture Applied Policy not exists
  • I want to view all resources that belong to 0 zones
    • Zones not exists
  • I want to view all resources that are not labeled
    • Labels not exists

Find Resources by Posture Details

  • I want to view all resources on which policy X is applied
    • Posture Applied Policy is (p1)
    • Posture Applied Policy in (p1, p2, p3)
  • I want to view all resources on which CIS Kubernetes V1.23 Benchmark policy is applied
    • Posture Applied Policy in CIS Kubernetes V1.23 Benchmark
  • I want to view all resources that fail the ISO/IEC 27001 policy
    • Posture Failed Policy in ISO/IEC 27001
  • I want to view all resources that are failing at least one policy
    • Posture Failed Policy exists
  • I want to view all resources that are failing at least one control
    • Posture Failed Control exists
  • I want to view all resources for which a risk has been accepted on a control
    • Posture Accepted Risk yes

Find Vulnerable Resources

  • I want to view all Quay.io images that have the same Image ID.
    • Resource Type is Image AND Platform is Quay.io AND Image ID is sha256:4fc533e8180ac3805582d3b2a9f8008d54d346211894d6131d92a82d17ee5458
  • I want to view all images that have Log4j packages and Apache Log4j Vulnerability.
    • Resource Type is Image AND Package contains log4j AND Vulnerability in CVE-2021-44832
  • I want to view all images with critical vulnerabilities that have an exploit and a fix.
    • Resource Type is Image AND Vulnerability Severity in Critical AND Has Exploit Yes AND Has Fix Yes
  • I want to view all workloads that have OpenSSL packages and OpenSSL Vulnerability.
    • Resource Type is Deployment AND Package contains openssl AND Vulnerability in CVE-2023-0464
  • I want to view all workloads with critical vulnerabilities that have an exploit and a fix.
    • Resource Type is DaemonSet AND Vulnerability Severity in Critical AND Has Exploit Yes AND Has Fix Yes
  • I want to view all workloads with In Use packages that belong to my HR team.
    • Resource Type is StatefulSet AND In Use Yes AND Resource Labels in team:hr

Find IaC Resources

  • I want to find the code for the deployment of my mobile application’s frontend.
    • Resource Origin is Code AND Resource Type is Deployment AND Location contains mobile-app AND Name contains mobile-frontend
  • I want to see all Terraform code managed by the Marketing team
    • Source Type is Terraform AND Labels in OwnedBy:team-marketing AND Repository is my-git-repo
  • I want to know which IaC of my EC2 Instances are failing a control
    • Resource Origin is Code AND Resource Type is EC2 Instance AND Posture Failed Control exists
  • I want to see all IaC repos not being evaluated by policies
    • Git Integration is my-iac-repos AND Posture Applied Policy not exists

View a Resource’s Applied Configuration

  • I want to view the bucket policy for bucket 123
    • Resource Type contains bucket AND Name contains 123, then click the resource card and scroll through the Configuration tab
  • I want to view the runAsUser value in the applied configuration of workload abc
    • Name is abc, then click the resource card and scroll through the Configuration tab

Evaluate and Remediate from Inventory

You can now evaluate and remediate posture violations for your deployed and code (IaC) resources from the Inventory interface.

The steps are the same as in the Compliance module, with the following differences:

  • For IaC resources, there is no manual remediation and no Accept Risk function.
  • For certain controls, you can open a pull request to remediate a code resource.

Use the Inventory API

Query the Secure API to get a list of multiple inventory resources or retrieve a single one.

  • For details, see the Inventory entries in the API documentation.

  • For API doc links for additional regions or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.

NOTE: At this time, only resource metadata and posture data are in scope. Vulnerabilities, package, and exposure data are currently not available.
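
The following Python client is an added example, not Sysdig’s own code. It pages through the Inventory list endpoint, fetches a single resource, and ships with a constructed fake fetcher so it runs offline. The endpoint path /api/cspm/v1/inventory/resources, the filter, pageNumber and pageSize parameters, the response layout (a JSON body with a data list) and the use of the UI filter syntax in the filter parameter are assumptions to confirm against the Inventory entries in your region’s API documentation; the bearer-token header is how Sysdig Secure API tokens are sent. The resource names in FAKE_PAGES are made up.

```python
"""Paginated client for the Inventory list and single-resource endpoints.

Added example, not Sysdig's own code. Assumed (confirm in the API docs for
your region): the path /api/cspm/v1/inventory/resources, the query parameters
filter / pageNumber / pageSize, a JSON body whose "data" key holds the page,
and that the filter parameter accepts the UI query syntax. Only metadata and
posture data are returned by this API, so no vulnerability fields are read.
"""
import json
import urllib.parse
import urllib.request

INVENTORY_PATH = "/api/cspm/v1/inventory/resources"  # assumed path, see docstring


def build_url(base_url, query_filter, page_number, page_size):
    """URL for one page of results; urlencode escapes spaces/quotes in the filter."""
    params = {"filter": query_filter, "pageNumber": page_number, "pageSize": page_size}
    return f"{base_url.rstrip('/')}{INVENTORY_PATH}?{urllib.parse.urlencode(params)}"


def http_get_json(url, token):
    """GET url with a Sysdig Secure API token and decode the JSON body (network call)."""
    request = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def list_resources(base_url, token, query_filter, page_size=100,
                   fetch=http_get_json, max_pages=10_000):
    """Yield every resource matching query_filter, one page at a time.

    Stops at the first short page. max_pages guards against an API (or a
    mis-set page_size) that keeps returning full pages forever.
    """
    for page_number in range(1, max_pages + 1):
        body = fetch(build_url(base_url, query_filter, page_number, page_size), token)
        data = body.get("data") or []
        yield from data
        if len(data) < page_size:
            return
    raise RuntimeError(f"gave up after {max_pages} pages; check page_size and the filter")


def get_resource(base_url, token, resource_id, fetch=http_get_json):
    """Retrieve a single resource by the identifier the list call returned."""
    path = f"{INVENTORY_PATH}/{urllib.parse.quote(resource_id, safe='')}"
    return fetch(f"{base_url.rstrip('/')}{path}", token)


# --- offline demonstration with constructed responses -----------------------
FAKE_PAGES = {  # constructed: two full pages of 2 items, then a short page
    1: {"data": [{"name": "logs-eu-archive", "resourceType": "S3 Bucket"},
                 {"name": "bastion-prod-01", "resourceType": "EC2 Instance"}]},
    2: {"data": [{"name": "retail-web", "resourceType": "Deployment"},
                 {"name": "mobile-frontend", "resourceType": "Deployment"}]},
    3: {"data": [{"name": "payments-api", "resourceType": "StatefulSet"}]},
}


def fake_fetch(url, token):
    """Stand-in for http_get_json that serves FAKE_PAGES by pageNumber."""
    if token != "example-token":
        raise PermissionError("unexpected token")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return FAKE_PAGES.get(int(query["pageNumber"][0]), {"data": []})


def failing_names(base_url="https://secure.sysdig.com", token="example-token"):
    """Names of resources failing at least one policy, collected across all pages."""
    resources = list_resources(base_url, token, "Posture Failed Policy exists",
                               page_size=2, fetch=fake_fetch)
    return [r["name"] for r in resources]


def guard_trips(max_pages=3):
    """True when list_resources refuses to follow an endless run of full pages."""
    endless = lambda url, token: {"data": [{"name": "x"}]}
    try:
        list(list_resources("https://example.invalid", "t", "", page_size=1,
                            fetch=endless, max_pages=max_pages))
    except RuntimeError:
        return True
    return False
```

Swap fake_fetch for the default http_get_json and point base_url at your region’s Sysdig Secure URL to run it for real; keep the token in an environment variable rather than in code.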

Inventory Data Dictionary

You can construct searches/filters by attribute name in the Inventory unified filter.

Filter Operators

  • is (=)
  • is not (!=)
  • in (in)
  • not in (!in)
  • yes (Y)
  • no (N)
  • startsWith (^)
  • contains (%); wildcards are not supported
  • exists / not exists
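
The Python evaluator below is an added example, not Sysdig code and not how the product parses queries internally. It implements the operators in the Filter Operators list above and runs the use-case queries from Filters and Queries against a small constructed inventory, which makes the semantics concrete: in is set membership (so ISO/IEC 2700 would not match a policy named ISO/IEC 27001), contains is a plain substring with no wildcards, and exists / not exists test whether the attribute has any value. Assumptions not stated on the page: matching is case-insensitive, a clause on a multi-valued attribute (Vulnerability, Labels, Posture Failed Policy) holds when any value matches, is not / not in pass for a resource lacking the attribute, and Resource Labels / Resource Name are aliases of Labels / Name. Every name, digest, policy and finding in INVENTORY is made up.

```python
"""Evaluate Inventory unified-filter queries against an in-memory inventory.
Added example, not Sysdig code. Assumed, not documented on the page:
case-insensitive matching, a clause on a multi-valued attribute holds if any
value matches, and Resource Labels / Resource Name alias Labels / Name."""
import re

# Recognised attribute names (subset of the Data Dictionary), longest first so
# "Namespace" wins over "Name" and "Resource Labels" over "Labels".
ATTRIBUTES = sorted([
    "Resource Type", "Resource Origin", "Resource Labels", "Resource Name",
    "Labels", "Name", "Region", "Zones", "Namespace", "Cluster", "Platform",
    "Package", "Vulnerability", "Vulnerability Severity", "Has Exploit",
    "Has Fix", "In Use", "Exposed", "Posture Applied Policy",
    "Posture Failed Policy", "Posture Failed Control", "Posture Accepted Risk",
    "Kubernetes Distribution", "Node Type", "Image ID", "Source Type",
    "Location", "Repository", "Git Integration"], key=len, reverse=True)
ALIASES = {"Resource Labels": "Labels", "Resource Name": "Name"}  # assumption
# Longest operators first so "not exists" beats "exists" and "is not" beats "is".
OPERATORS = ["not exists", "not in", "is not", "startsWith", "contains",
             "exists", "is", "in", "yes", "no"]
FLAG_OPS = {"exists", "not exists", "yes", "no"}  # operators that take no value


def parse(query):
    """Split 'A op v AND B op (v1, v2)' into (attribute, operator, values) triples."""
    clauses = []
    for clause in re.split(r"\s+AND\s+", query.strip()):
        low = clause.lower()
        attr = next((a for a in ATTRIBUTES if low.startswith(a.lower())), None)
        if attr is None:
            raise ValueError(f"unknown attribute in {clause!r}")
        rest = clause[len(attr):].strip()
        op = next((o for o in OPERATORS if rest.lower().startswith(o.lower())
                   and (len(rest) == len(o) or rest[len(o)].isspace())), None)
        if op is None:
            raise ValueError(f"unknown operator in {clause!r}")
        value = rest[len(op):].strip()
        if value.startswith("(") and value.endswith(")"):
            values = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        else:
            values = [value] if value else []
        if (op in FLAG_OPS) == bool(values):
            raise ValueError(f"bad value for {op!r} in {clause!r}")
        clauses.append((ALIASES.get(attr, attr), op, values))
    return clauses


def _values(resource, attr):
    """Normalise an attribute to a list; missing, "" and [] mean 'no value'."""
    value = resource.get(attr)
    if value in (None, "", []):
        return []
    if isinstance(value, bool):
        return [value]
    return [str(v) for v in (value if isinstance(value, (list, tuple)) else [value])]


def match(resource, attr, op, values):
    """Apply one clause to one resource; for list attributes any value may match."""
    have = _values(resource, attr)
    text = [str(h).lower() for h in have]
    want = [v.lower() for v in values]
    hit = any(t in want for t in text)
    if op in ("exists", "not exists"):
        return bool(have) == (op == "exists")
    if op in ("yes", "no"):
        return have == [op == "yes"]
    if op in ("is", "in"):
        return hit
    if op in ("is not", "not in"):  # a resource lacking the attribute passes
        return not hit
    if op == "startsWith":
        return any(t.startswith(w) for t in text for w in want)
    return any(w in t for t in text for w in want)  # contains: substring, no wildcards


def search(inventory, query):
    """Names of the inventory resources that satisfy every AND-ed clause."""
    clauses = parse(query)
    return sorted(r["Name"] for r in inventory if all(match(r, *c) for c in clauses))


# Constructed sample inventory; names, policies and findings are made up.
INVENTORY = [
    {"Name": "retail/web:1.4", "Resource Type": "Image", "Resource Origin": "Deployed",
     "Package": ["log4j-core", "openssl"], "Vulnerability": ["CVE-2021-44832", "CVE-2023-0464"],
     "Vulnerability Severity": ["Critical", "High"], "Has Exploit": True, "Has Fix": True},
    {"Name": "retail-web", "Resource Type": "Deployment", "Resource Origin": "Deployed",
     "Namespace": "retail", "Labels": ["app:retail", "team:hr"], "In Use": True,
     "Package": ["openssl"], "Vulnerability": ["CVE-2023-0464"],
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"],
     "Posture Failed Policy": ["CIS Kubernetes V1.23 Benchmark"]},
    {"Name": "logs-eu-archive", "Resource Type": "S3 Bucket", "Resource Origin": "Deployed",
     "Platform": "AWS", "Region": "eu-west-1", "Zones": ["PCI-prod"], "Labels": [],
     "Posture Applied Policy": []},
    {"Name": "bastion-prod-01", "Resource Type": "EC2 Instance", "Resource Origin": "Deployed",
     "Platform": "AWS", "Region": "us-east-1", "Vulnerability": ["CVE-2023-0464"],
     "Posture Applied Policy": ["CIS AWS Foundations"]},
    {"Name": "mobile-frontend", "Resource Type": "Deployment", "Resource Origin": "Code",
     "Source Type": "YAML", "Location": "k8s/mobile-app/frontend.yaml",
     "Posture Applied Policy": ["Sysdig Kubernetes"], "Posture Failed Control": ["Run as non-root"]},
]
```

Blind-spot queries such as Labels not exists and Posture Applied Policy not exists deliberately treat an empty list and a missing attribute the same way, which is what you want when hunting resources nobody has scoped or labelled.
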

Attribute Name | Attribute Definition
Account | The container for your AWS resources. You create and manage your AWS resources in an AWS account.
Architecture | The CPU architecture for which your container image is built.
ARN | The unique identifier of your AWS cloud resource.
Attribute* | The attributes defined within the configuration of your Kubernetes host or cluster.
Base OS | Base operating system of your container image.
Category | Classification or grouping of your resources and services based on their functionality, characteristics, and use cases.
Cluster | Name of your Kubernetes cluster.
Containers | The container name(s) of your workload(s).
Created | Date your container image was created.
CVSS | The CVSS score (0.0 - 10.0) of the CVE.
Exposed | Whether the resource is publicly or ingress exposed.
External DNS | The DNS name of your Kubernetes host’s node that resolves to an externally routable address.
Git Integration | Name of the Git integration. See IaC Scanning/Git Integrations.
Git Repository | Name of the repository, for example IaC_Demo.
Has Exploit | Whether the vulnerability has a known exploit.
Has Fix | Whether the vulnerability has a known fix.
Host Image ID | The unique identifier of the custom or public image used to create and launch your virtual machine instances. AWS: ImageID (ex: ami-0123456789abcdef0). GCP: sourceImage or sourceDisk (ex: projects/canonical-cloud/global/images/family/ubuntu-2004-lts).
Host OS | Operating system of your Kubernetes host.
Image Digest | Hash computed from the content of your container image to verify its integrity (ex: sha256:0278c0…).
Image ID | Unique identifier assigned to your container image (ex: sha256:062ab3…).
Image OS | The operating system environment encapsulated within your container image.
Image Pullstrings | The registry path your container image was pulled from.
Image Registry | Storage system where your container image is hosted and managed.
Image Tags | Labels or identifiers associated with your container images (ex: latest, v1.4).
In Use | Whether the package is loaded at runtime (requires Risk Spotlight).
Kubernetes Distribution | GKE, EKS, AKS, Rancher, Vanilla, OpenShift v4, IKS, MKE.
Location | Path to the file or module directory in the repository (IaC resources). Kubernetes manifest: path to the YAML file. Helm chart: the chart folder. Kustomize: the manifests folder containing the base kustomization.yaml. Terraform: the .tf module folder.
Namespace | Kubernetes cluster namespace.
Node Type | Master or Worker node of your Kubernetes host.
Organization | Root node of your managed cloud resources hierarchy.
Origin* | The origin of your Kubernetes host’s or cluster’s configuration (Docker, Linux, Kubernetes, etc.).
OS Image | Name and version of your host’s operating system.
Package | The name of a package.
Package Path | The file system location where the package is installed.
Package Type | The format used to package and distribute the software (ex: Java, OS).
Platform | AWS, Azure, GCP, Kubernetes, or Linux.
Posture Accepted Risk | Whether a risk has been accepted for one of the resource’s controls.
Posture Applied Policy | Name(s) of the policies applied to the resource.
Posture Failed Control | Name(s) of the failed control(s) applied to the resource.
Posture Failed Control Severity | High, medium, or low.
Posture Failed Policy | Name(s) of the failed policy(ies) applied to the resource.
Posture Failed Requirement | Name(s) of the failed requirement(s) applied to the resource.
Posture Passed Policy | Name(s) of the passed policies applied to the resource.
Project | The container for your Google Cloud resources. You create and manage your GCP resources in a GCP project.
Region | Region of the world where your managed cloud resource is deployed (such as us-east, eu-west, asia-northeast).
Resource ID | The unique identifier of your Google or Azure cloud resource.
Resource Labels | Key/value pairs, such as team:research, applied to your resource in Kubernetes or in a managed cloud platform (AWS, GCP, Azure). For Kubernetes, the field includes all labels on the resource, including nested ones: a search on a label that exists on a container returns the workload that contains the container.
Resource Name | Name of your resource.
Resource Origin | Code (IaC resources from Git integrations) or Deployed (runtime resources).
Resource Type | For Kubernetes: a Workload (Deployment, DaemonSet, StatefulSet, CronJob, Job…), Service Account, Role, Cluster Role, Host, User, Cluster, or Group. For managed clouds: a Resource (S3 bucket, EC2 Instance…) or an Identity (Access Key, User, Policy…).
Source Type | Possible values for an IaC source: YAML, Helm, Kustomize, Terraform.
Subscription | The container for your Azure resources. You create and manage your Azure resources in an Azure subscription.
Version/OpenShift Cluster Version | The version of your OpenShift cluster.
Vulnerability | The CVE identified on your vulnerable package.
Vulnerability Severity | The severity of the CVE.
Zones | A business group of resources, defined by a collection of scopes of various resource types (for example, “Dev” for all development resources).

* Only filterable from within a Kubernetes host’s or cluster’s resource configuration.

Additional Attributes

Attributes that appear in the interface but cannot be searched or filtered on:

Attribute Name | Attribute Definition
Last Seen | Last date when the resource was evaluated.
Value* | The value of your Kubernetes host’s or cluster’s attribute.

* Only for Kubernetes hosts and clusters.