Resources
Use the Inventory Resource page to:
- View all deployed resources across your cloud environments, and the code resources from your Infrastructure as Code (IaC) integrations.
- Find resources in your infrastructure that share properties, or belong to the same business unit.
- Take action on a posture violation or detected vulnerability by creating a Jira ticket, or accepting the risk.
Data in Inventory Resources is retained for 7 days. For more details, see Data Retention.
Enable Inventory Resources
Resources | Configuration | Required |
---|---|---|
Cloud resources (AWS, GCP, Azure) | Connect a cloud account. See Connect Cloud Accounts. | Yes |
Kubernetes resources (Users, Roles, Groups, Hosts, Workloads…) | Install the Sysdig agent with Kubernetes Security Posture Management (KSPM) enabled, using --set global.kspm.deploy=true. See Install Kubernetes. | Yes |
Container Images | When installing the Sysdig agent for Kubernetes resources, above, also install the Runtime Image Scanner. This is included automatically when you install the agent using the Quick Start Wizard. See Install Kubernetes. | Yes |
Standalone Hosts (Linux, Docker) | Install the Posture Host Analyzer (non-Kubernetes) as a container. See Install Posture Host Analyzer | No |
IaC Code | Check the IaC Supportability Matrix, set up a Git Integration, and add Git Sources. See Git Integrations. | No |
Vulnerable cloud hosts | Agent-based or Agentless Vulnerability Host Scanning | No |
Vulnerable packages running on Kubernetes Workloads | Requires Risk Spotlight, which is auto-enabled from Sysdig agent v.12.15+. See Risk Spotlight. | No |
Navigate the Resources Page
To access and navigate the Inventory Resources page:
Log in to Sysdig Secure and select Inventory > Resources from the left sidebar.
Inventory displays all resources from cloud accounts, Kubernetes data sources, and IaC Git resources connected to Sysdig, along with their findings for compliance, vulnerabilities, and exposure.
Data shown in the UI is refreshed every 24 hours when a compliance evaluation is run.
Data from newly added Zones may take up to 24 hours to appear.
Use the featured and unified filter to find targeted resources. If an account has an alias, use the account alias to search for the account in Inventory instead of the Account ID. Filtering based on Account ID is not currently supported if the account has an alias. See Filters and Queries.
Use Resource Indicators: On a resource card, hover over the Posture Policies Passing gauge, the Runtime Vulnerabilities thermometer, and the Network Exposure icon to get high-level insights about your resource.
Click a resource card to review the resource Posture, Vulnerabilities and Configuration details.
View Resource Details
Click on any resource to open the Resource Details drawer. This drawer summarizes everything Sysdig knows about a resource — all of its findings, events, misconfigurations, metadata, environment information, and more.
To open the Resource Details drawer:
Log in to Sysdig Secure.
Navigate to Inventory > Resources.
Perform a search or filter the resources page.
From the results, select a resource.
The Resource Details drawer opens.
This drawer lets you determine the status of a resource, and answer questions, such as:
- Does this resource have a ticket open on it?
- What’s the status of the ticket?
- Is this resource under investigation by our SOC team?
Remediate Vulnerabilities with the Resource Details Drawer
A possible workflow for using the Resource Details drawer to remediate a vulnerability might be:
- In the Sysdig Secure UI, you navigate to Inventory > Resources.
- You select a resource. The Resource Details drawer opens.
- On the Highlights tab, you learn the resource is exposed to the internet, and has a critical vulnerability.
- You select the Vulnerabilities tab to learn more, and discover the critical vulnerability has a remediation.
- The remediation involves updating a Python package. You copy the details.
- You select Create Ticket to open a Jira ticket form.
- You paste the details of the vulnerability and the remediation, and assign it to an engineer to implement.
Navigate Resource Detail Drawer Tabs
The Resource Details drawer features several tabs, each covering a different category of information about the resource. You can navigate through the tabs to accomplish different goals, like creating a Jira ticket, or discovering what vulnerabilities are associated with the resource.
Highlights Tab
This tab offers a high-level security overview of the selected resource. It summarizes the Top Security Issues, Runtime Insights, Metadata, Resource Labels, and Assigned Zones.
You can copy any of the information shown here, such as the names of the assigned zones, or the attached labels.
Vulnerabilities Tab
The Vulnerabilities tab contains the latest runtime vulnerabilities scan results for that image or workload. This tab lists all of the CVEs identified on this specific resource, with information such as CVE ID, Severity, Context (In Use, Has Exploit, Has Fix, Exception Exists), the Exploit Prediction Scoring System (EPSS) score, the image it is found on, and the package/path.
Click the Severity or EPSS columns to sort the list in ascending or descending order of severity or EPSS score.
Click a CVE listing to open the full CVE details.
Here, you can:
- Learn more about the vulnerability, such as where else it was reported, and whether a fix is available.
- Create a Jira ticket, if you have integrated Jira.
- Accept the Finding in Risk Acceptance.
Runtime image scans include the Image ID. If the image was also scanned in Pipeline or Registry, then you can view it in the Pipeline or Registry Vulnerabilities interface using the 3-dot menu.
Cloud Host scans are performed against runtime packages.
Use the Image ID to view container images as a first-class citizen in Inventory or the Runtime Vulnerabilities interface from Workloads.
With Risk Spotlight enabled you can see which of your vulnerable packages are currently loaded in Runtime.
Exposure Tab
This tab shows you if and how a resource is exposed to the Internet.
Select Explore to open a diagram of the different exposure paths. Click on each of the nodes to learn more.
Under Exposure Findings, select a finding to learn about the exposure path in detail. You can discover the resource’s region, when it was last seen, and which platform it is on.
You can also pivot to the Resource 360 drawers for each of the resources involved in the exposure paths. For instance, if you navigate to an EC2 resource and view its exposure path, clicking the internet gateway within it overlays a new resource details panel with more information about that gateway.
Under Contributing Resources, you can find other resources in the same exposure path. Select any of them to open a new Resource 360 drawer.
Resources that currently have exposure analysis are:
- Buckets (including AWSS3Bucket, GCPCloudStorageBucket and AzureStorageAccountBlobServiceContainer)
- Kubernetes Workload
- Serverless (including AWSLambda, GCPCloudFunction and AzureFunction)
- Storage Account (including AzureStorageAccountBlobService, RDS)
- Virtual Machine (including Azure VM, GCPComputeInstance and EC2Instance)
Configuration Findings Tab
This tab shows you all of your failing Compliance policies for this resource and a breakdown of how many controls failed and passed within each failing policy.
Hover over the results of a failing policy to find out how many controls passed, and how many are failing.
Under Failing Controls, you can see the name of the failing control to be remediated, how many policies and requirements it belongs to, and its severity. The controls are grouped by requirement within each policy.
Hover over the number of policies or requirements to find out their name, and copy them to your clipboard with a click.
Configuration Tab
This tab shows you the different “Configurations” detected for the resource, depending on its type:
- CSPM resource: the cloud security posture management (CSPM) resource, represented in JSON or YAML format.
  - Example: a Kubernetes Deployment YAML file, or an EC2 instance description in JSON format.
- Host resource: the list of host configurations detected on the Linux host or its containers.
  - Example: the Docker iptables configuration, or the /etc/shadow “password expiration” setting.
- IaC resource: for resources read from a source code repository, the actual YAML/JSON “Manifest” that was detected as an Infrastructure as Code file.
  - Example: a JSON representation of the Terraform HCL configuration block for an EC2 instance.
- Images: for images, this tab is empty.
Packages Tab
Where a resource has packages, this tab displays all the packages Sysdig has identified on the resource, and their paths. You can see how many vulnerabilities each package contains, and context about the vulnerabilities (In Use, Has Exploit, Has Fix).
Select any Package/Path to see more details about it, such as its source, and package type. You can also check whether any update or patch is necessary.
Work with IaC Resources
If you have configured IaC scanning, you can view the resources supported by the Git-integrated scanner in the Inventory, such as YAML, Terraform, and Helm charts. The view of each code resource includes:
- resource metadata
- configuration details
- posture violations that can be remediated with automated workflows.
For more information, see IaC Support.
Search for IaC Resources
IaC resources from Git repository scans are labeled code in the Inventory UI, to distinguish them from deployed resources in your cloud environments.
Filter for Resource Origin = Code. In the resulting list, a visual tag (< >) on the logo distinguishes code resources.
Other options: filter by Source Type, Location, Git Integration, or Repository.
View Vulnerable Resources
If you have installed the Runtime image scanner, you can view your container images in Inventory. For each resource, you can see:
- Resource metadata
- Runtime context of Package vulnerabilities
- Vulnerability details (has fix, has exploit) that support your remediation workflows
Search for Container Images
Container images from Runtime scans are a new Resource Type in the Inventory UI.
- Filter for Resource Type is Image
- Other options: filter by Platform, Image ID, Image Digest, Image Registry, Image Pullstrings, or Image Tags
Search for Vulnerable Workloads
- Quickly discover workloads running container images with vulnerable packages.
- Filter for Resource Type in (Deployment, DaemonSet, CronJob, Job, etc.) AND Vulnerability in CVE-2005-2541
- Other options: filter by Resource Type AND Package, Package Path, or Vulnerability Severity
Search for Vulnerable Cloud Hosts
Inventory currently supports AWS (EC2 Instance) and GCP (Compute Instance) Hosts. Azure VMs are out of scope.
Find cloud hosts running images with vulnerable packages.
- Filter for Resource Type in (EC2 Instance, Compute Instance) AND Vulnerability in CVE-2023-0464
- Other options: filter by Resource Type AND ARN or Resource ID
Filters and Queries
There are two filtering options in the Inventory UI: the Sysdig unified filter bar at the top, and the Featured Filters column on the left.
Unified Filter
As in other parts of the Sysdig Secure interface, the unified filter bar allows you to build sophisticated queries using:
- Drop-down menu items and operators
- Clickable resource elements on the Inventory page
Featured Filters
The Featured Filters panel, populated by Sysdig, displays your environment’s most useful filter types. It lets you narrow down to your most prevalent and “at risk” resources and includes resource counting and risk indicators.
You can:
- Open and close the panel from the top-left arrow symbol.
- Click In/!In or Yes/No beside any featured filter item to include it in the query you are building in the unified filter.
- View by the Risk indicators associated with Vulnerabilities: Has Fix and Has Exploits.
Featured Queries
You can structure queries in the unified filter to solve common use cases as follows:
Find Resources by Name and Attributes
- I want to search for all S3 buckets in the EU regions: Resource Type contains S3 AND Region startsWith eu
- I want to search for all Workloads of type host with names starting with prod: Resource Type is host AND Name startsWith prod
- I want to view the configuration of my GKE Worker nodes: Node Type is Worker AND Kubernetes Distribution is gke
- I want to search for all clusters running on OpenShift V4: Resource Type is Cluster AND Kubernetes Distribution is ocp4
- I want to search for all IaC resources: Resource Origin is Code
Find Resources Owned by Business Unit
- I want to search for all resources belonging to my PCI zones: Zones startsWith PCI
- I want to search for all resources labeled app:retail: Labels in app:retail
- I want to search for all resources within the finance namespace: Namespace is finance
- I want to search for all resources belonging to my docker clusters: Cluster contains docker
Find your Environment Blind Spots
- I want to view all resources on which there are 0 policies applied: Posture Applied Policy not exists
- I want to view all resources that belong to 0 zones: Zones not exists
- I want to view all resources that are not labeled: Labels not exists
Find Resources by Posture Details
- I want to view all resources on which policy X is applied: Posture Applied Policy is (p1), or Posture Applied Policy in (p1, p2, p3)
- I want to view all resources on which the CIS Kubernetes V1.23 Benchmark policy is applied: Posture Applied Policy in CIS Kubernetes V1.23 Benchmark
- I want to view all resources that fail the ISO/IEC 27001 policy: Posture Failed Policy in ISO/IEC 2700
- I want to view all resources that are failing at least one policy: Posture Failed Policy exists
- I want to view all resources that are failing at least one control: Posture Failed Control exists
- I want to view all resources for which a risk has been accepted on a control: Posture Accepted Risk yes
Find Vulnerable Resources
- I want to view all Quay.io images that have the same Image ID: Resource Type is Image AND Platform is Quay.io AND Image ID is sha256:4fc533e8180ac3805582d3b2a9f8008d54d346211894d6131d92a82d17ee5458
- I want to view all images that have Log4j packages and the Apache Log4j vulnerability: Resource Type is Image AND Package contains log4j AND Vulnerability in CVE-2021-44832
- I want to view all images with critical vulnerabilities that have an exploit and a fix: Resource Type is Image AND Vulnerability Severity in Critical AND Has Exploit Yes AND Has Fix Yes
- I want to view all workloads that have OpenSSL packages and the OpenSSL vulnerability: Resource Type is Deployment AND Package contains openssl AND Vulnerability in CVE-2023-0464
- I want to view all workloads with critical vulnerabilities that have an exploit and a fix: Resource Type is DaemonSet AND Vulnerability Severity in Critical AND Has Exploit Yes AND Has Fix Yes
- I want to view all workloads with In Use packages that belong to my HR team: Resource Type is StatefulSet AND In Use Yes AND Resource Labels in team:hr
Find IaC Resources
- I want to find the code for the deployment of my mobile application’s frontend: Resource Origin is Code AND Resource Type is Deployment AND Location contains mobile-app AND Name contains mobile-frontend
- I want to see all Terraform code managed by the Marketing team: Source Type is Terraform AND Labels in OwnedBy:team-marketing AND Repository is my-git-repo
- I want to know which IaC of my EC2 Instances are failing a control: Resource Origin is Code AND Resource Type is EC2 Instance AND Posture Failed Control exists
- I want to see all IaC repos not being evaluated by policies: Git Integration is my-iac-repos AND Posture Applied Policy not exists
View a Resource’s Applied Configuration
- I want to view the bucket policy for bucket 123: Resource Type contains bucket AND Name contains 123, then click the resource card to scroll through the configuration details.
- I want to view the default runAsUser applied configuration for workload abc: Name is abc, then click the resource card to scroll through the configuration details.
Use the Inventory API
Query the Secure API to get a list of multiple inventory resources or retrieve a single one.
For details, see the Inventory entries in the API documentation.
For API doc links for additional regions or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.
At this time, only resource metadata and posture data are in scope. Vulnerabilities, package, and exposure data are currently not available.
Inventory Data Dictionary
You can construct searches/filters by attribute name in the Inventory unified filter.
Filter Operator | Symbol |
---|---|
is | = |
is not | != |
in | in |
not in | !in |
yes | Y |
no | N |
startsWith | ^ |
contains | % (wildcards not supported) |
exists / not exists | |
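The operators above, and the featured queries earlier on this page, can be exercised locally with the following Python, an added example that is not Sysdig's code: it re-implements the operator semantics over constructed resource records (attribute names follow the data dictionary; the records, their values, and the query-string parser are assumptions made for the example).

```python
"""Inventory-style filter queries over local records. Added example, not Sysdig's code:
it re-implements the data-dictionary operators (is, is not, in, not in, yes, no,
startsWith, contains, exists, not exists; AND-only, no wildcards) on constructed records."""
import re

OPS = ["not exists", "exists", "not in", "in", "is not", "is",
       "startsWith", "contains", "yes", "no"]
CLAUSE_RE = re.compile(r"^(?P<attr>.+?)\s+(?P<op>" + "|".join(map(re.escape, OPS))
                       + r")(?:\s+(?P<arg>.+))?$", re.IGNORECASE)

# Constructed sample records; keys follow the data dictionary attribute names.
RESOURCES = [
    {"Resource Name": "api-gateway", "Resource Type": "Image", "Platform": "Quay.io",
     "Vulnerability Severity": ["Critical", "High"], "Has Exploit": True, "Has Fix": True,
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"], "Zones": ["PCI-prod"]},
    {"Resource Name": "mobile-frontend", "Resource Type": "Deployment", "Resource Origin": "Code",
     "Location": "k8s/mobile-app/", "Labels": {"app": "retail"},
     "Posture Applied Policy": ["CIS Kubernetes V1.23 Benchmark"]},
    {"Resource Name": "logs-archive", "Resource Type": "S3 Bucket", "Region": "eu-west-1",
     "Posture Applied Policy": [], "Zones": []},          # no policy and no zone: a blind spot
    {"Resource Name": "payroll-db", "Resource Type": "StatefulSet", "In Use": True,
     "Labels": {"team": "hr"}, "Zones": ["PCI-prod"], "Posture Accepted Risk": True},
]

def _values(record, attr):
    """Attribute as a list (empty = not set); labels become key:value strings."""
    v = record.get(attr)
    if isinstance(v, dict):
        return [f"{k}:{val}" for k, val in v.items()]
    if isinstance(v, (list, tuple, set)):
        return [str(x) for x in v]
    return [] if v is None else [v if isinstance(v, bool) else str(v)]

def _match(vals, op, arg):
    """Apply one data-dictionary operator to an attribute's values."""
    first = arg[0] if arg else ""
    checks = {
        "exists": lambda: bool(vals),
        "not exists": lambda: not vals,
        "yes": lambda: vals == [True],
        "no": lambda: vals == [False],
        "is": lambda: any(v == first for v in vals),
        "is not": lambda: all(v != first for v in vals),
        "in": lambda: any(v in arg for v in vals),
        "not in": lambda: all(v not in arg for v in vals),
        "startswith": lambda: any(str(v).startswith(first) for v in vals),
        "contains": lambda: any(first.lower() in str(v).lower() for v in vals),  # no wildcards
    }
    return checks[op]()

def parse_query(query):
    """Split 'Attr op value AND ...' into (attr, op, [values]) clauses."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"cannot parse clause: {part!r}")
        arg = (m.group("arg") or "").strip().strip("()")
        values = [a.strip() for a in arg.split(",")] if arg else []
        clauses.append((m.group("attr"), m.group("op").lower(), values))
    return clauses

def run_query(query, resources=RESOURCES):
    """Return the names of the resources that satisfy every clause."""
    clauses = parse_query(query)
    return [r["Resource Name"] for r in resources
            if all(_match(_values(r, a), op, arg) for a, op, arg in clauses)]
```

Running the blind-spot queries (Posture Applied Policy not exists, Zones not exists) against the sample records surfaces the resources that no policy or zone covers, which is the gap those queries exist to find.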
Attribute Name | Attribute Definition |
---|---|
Account | The container for your AWS resources. You create and manage your AWS resources in an AWS account. If an account has an alias, use the alias to search for the account in Inventory instead of the Account ID. |
Architecture | The CPU architecture for which your container image is built |
ARN | The unique identifier of your AWS cloud resource |
Attribute* | The attributes defined within the configuration of your Kubernetes host or cluster * Only filtered from within a Kubernetes host or cluster resource configuration. |
Base OS | Base operating system of your container image |
Category | Classification or grouping of your resources and services based on their functionalities, characteristics, and use cases. |
Cluster | Name of your Kubernetes cluster |
Containers | The container name(s) of your workload(s) |
Created | Date your container image was created |
CVSS | The CVSS score (0.0 - 10.0) of the CVE |
External DNS | The DNS name of your Kubernetes host’s node that will resolve into an address with external address characteristics |
Git Integration | Name of the Git integration. See IaC Scanning/Git Integrations |
Git Repository | Name of the repository, example: IaC_Demo |
Has Exploit | If the vulnerability has a known exploit |
Has Fix | If the vulnerability has a known fix |
Host Image ID | The unique identifier associated with a custom or public image used to create and launch your virtual machine instances. Examples: AWS ImageID (ex: ami-0123456789abcdef0); GCP sourceImage or sourceDisk (ex: projects/canonical-cloud/global/images/family/ubuntu-2004-lts) |
Host OS | Operating System of your Kubernetes host |
Image Digest | Hash value computed from the content of your container image to verify its integrity (ex: sha256:0278c0…) |
Image ID | Unique identifier assigned to your container image (ex: sha256:062ab3…) |
Image OS | The operating system environment encapsulated within your container image |
Image Pullstrings | The path where your container image was pulled from in the registry |
Image Registry | Storage system where your container is hosted and managed |
Image Tags | Labels or identifiers associated with your container images (ex: latest, v1.4) |
In Use | If the package is running |
Kubernetes Distribution | GKE, EKS, AKS, Rancher, Vanilla, OpenShift v4, IKS, MKE |
Location | Path to the file or module directory in the repository (IaC resources). Kubernetes manifest: path to the YAML file; Helm charts: the Helm chart folder; Kustomize: path to the manifests folder (the folder containing the base kustomization.yaml file); Terraform: path to the .tf module folder |
Namespace | Kubernetes cluster namespace |
Node Type | Master or Worker node of your Kubernetes host |
Organization | Root node of your managed cloud resources hierarchy |
Origin* | The origin of your Kubernetes host’s or your cluster’s configuration (Docker, Linux, Kubernetes, etc.) * Only filtered from within a Kubernetes host’s resource configuration. |
OS Image | Name and version of your host’s Operating System |
Package | The name of a package |
Package Path | The file system location or directory path where your software package is stored or installed |
Package Type | The format or structure used to package and distribute your software (ex: Java, OS) |
Platform | AWS, Azure, GCP, Kubernetes, or Linux |
Posture Accepted Risk | Whether or not a risk has been accepted for a resource’s control |
Posture Applied Policy | Name(s) of the policies applied to the resource |
Posture Failed Control Severity | High, medium, or low |
Posture Failed Control | Name(s) of the failed control(s) applied to the resource |
Posture Failed Policy | Name(s) of the failed policy(ies) applied to the resource |
Posture Failed Requirement | Name(s) of the failed requirement(s) applied to the resource |
Posture Passed Policy | Name of the passed policy applied to the resource |
Project | The container for your Google Cloud resources. You create and manage your GCP resources in a GCP project |
Exposed | If the resource is publicly or ingress exposed |
Region | Region of the world where your managed cloud resource is deployed (such as us-east, eu-west, asia-northeast) |
Resource ID | The unique identifier of your Google or Azure cloud resource |
Resource Labels | Labels are key/value pairs, such as team:research, that you have applied to your resource from Kubernetes or managed cloud platforms (AWS, GCP, Azure). For Kubernetes, the Labels field includes all the labels for the resource, including nested labels. For example, a search on a label that exists on a container returns the workload that contains the container. |
Resource Name | Name of your resource |
Resource Origin | - Code: IaC resources from Git integrations - Deployed: Runtime resources |
Resource Type | For Kubernetes, can be a Workload, Service Account, Role, Cluster Role, Host, User, Cluster, or Group. For managed clouds, it can be a Resource (S3 bucket, Deployment, DaemonSet…) or an Identity (Access Key, User, Policy…) |
Source Type | Possible values for IaC source: YAML, Helm, Kustomize, Terraform |
Subscription | The container for your Azure resources. You create and manage your Azure resources in an Azure subscription |
Version/OpenShift Cluster Version | The version of your OpenShift cluster |
Vulnerability | The CVE identified on your vulnerable package |
Vulnerability Severity | The severity of the CVE |
Zones | A business group of resources, defined by a collection of scopes of various resource types (for example: “Dev” - all my development resources) |
Additional Attributes
Attributes that appear in the interface but cannot be searched/filtered on include:
Attribute Name | Attribute Definition |
---|---|
Last Seen | Last date when the resource was evaluated |
Value* | The value of your Kubernetes host’s or your cluster’s attribute. * Only for Kubernetes hosts and clusters |