Vulnerability Policies
This doc applies only to the Vulnerability Management engine. If your Sysdig Secure was deployed before April 20, 2022, use the Scanning features and the Threat Detection policy documentation. See also: Which Scanning Engine to Use
Overview
Sysdig includes scanning policies for both Pipeline and Runtime vulnerabilities that work out of the box, along with the relevant rule bundles. The process of editing or creating policies and rules is the same for both.
Create Rule Bundles
A rule bundle is a set of scanning rules that are grouped together.
Note:
- Default Sysdig rule bundles (identified with the Sysdig shovel icon) cannot be deleted, but they can be duplicated if you want to use them as a template for a new rule bundle.
- The same rule bundle can be used in several different policies.
- Rule order has no effect on evaluation, but you can arrange rules as you like for easier viewing.
Creation Steps
Navigate to Policies > Rule Bundles and click +Add Bundle. Enter the parameters:
- Name: User-assigned name for this rule bundle
- Description: User-assigned rule bundle description
- Rules: A rule bundle is composed of 1..N scanning rules; use the visual editor to create and configure new rules (represented as "cards" in the interface).
Click Save. You can now attach this rule bundle to policies.
Example
In the example below, a particular vulnerability will fail the check if:
- The severity is High or Critical AND
- It was discovered 60 days ago or more AND
- It has a published fix AND
- There is a public exploit available
Notes:
- You can create multiple versions of the same rule template in the same rule bundle, i.e. you can have two or more cards like the one above of type "Vulnerabilities: Severities and Threats".
- Conditions within the same rule are evaluated with AND logic: as in the example above, a vulnerability must meet all of the conditions to be considered a violation.
- The rules in a rule bundle are evaluated with OR logic: if any rule is in violation, the rule bundle is in violation.
- If any rule bundle is in violation, the policy containing it is in violation as well and is considered "failed".
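To make the evaluation semantics concrete, the following is an added Python example (not Sysdig's own code or API) that models the policy > rule bundle > rule hierarchy described on this page: conditions within a rule are ANDed, rules within a bundle are ORed, and any bundle in violation fails the policy. It encodes the four-condition rule from the example above and adds a second rule to show the OR between rules. The vulnerability record fields, rule and bundle names, sample vulnerabilities and evaluation date are all constructed for illustration and are assumptions, not Sysdig's data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed vulnerability record for this example. The field names are
# assumptions for illustration, not Sysdig's data model.
@dataclass
class Vuln:
    id: str
    severity: str         # "Low", "Medium", "High" or "Critical"
    disclosed: date       # date the vulnerability was published
    fix_available: bool   # a fixed package version has been published
    public_exploit: bool  # a public exploit is known

# A condition receives the vulnerability and the evaluation date and
# returns True when the condition is met.
Condition = Callable[[Vuln, date], bool]

@dataclass
class Rule:
    """Conditions within one rule are ANDed: all must hold for a violation."""
    name: str
    conditions: List[Condition]

    def violated_by(self, v: Vuln, today: date) -> bool:
        return all(cond(v, today) for cond in self.conditions)

@dataclass
class RuleBundle:
    """Rules within a bundle are ORed: any violated rule violates the bundle."""
    name: str
    rules: List[Rule]

    def violations(self, vulns: List[Vuln], today: date) -> List[Tuple[str, str]]:
        return [(rule.name, v.id)
                for rule in self.rules
                for v in vulns
                if rule.violated_by(v, today)]

@dataclass
class Policy:
    """A policy holds 1..N bundles; any bundle in violation fails the policy."""
    name: str
    bundles: List[RuleBundle]

    def evaluate(self, vulns: List[Vuln], today: date) -> Dict:
        result = {"policy": self.name, "failed": False, "violations": []}
        for bundle in self.bundles:
            for rule_name, vuln_id in bundle.violations(vulns, today):
                result["failed"] = True
                result["violations"].append((bundle.name, rule_name, vuln_id))
        return result

# Condition builders used by the rules below.
def severity_in(*levels: str) -> Condition:
    return lambda v, today: v.severity in levels

def older_than_days(days: int) -> Condition:
    return lambda v, today: (today - v.disclosed).days >= days

def has_fix(v: Vuln, today: date) -> bool:
    return v.fix_available

def has_public_exploit(v: Vuln, today: date) -> bool:
    return v.public_exploit

# The rule from the example on this page: High or Critical AND disclosed
# 60+ days ago AND fix published AND public exploit available.
EXAMPLE_RULE = Rule("Vulnerabilities: Severities and Threats", [
    severity_in("High", "Critical"),
    older_than_days(60),
    has_fix,
    has_public_exploit,
])

# A second, looser rule in the same bundle, to show the OR between rules.
CRITICAL_WITH_FIX = Rule("Critical with fix", [severity_in("Critical"), has_fix])

# Constructed sample data (not real CVEs) and a fixed evaluation date.
TODAY = date(2024, 1, 1)
SAMPLE_VULNS = [
    Vuln("VULN-A", "Critical", TODAY - timedelta(days=90), True, True),    # meets all four conditions
    Vuln("VULN-B", "Critical", TODAY - timedelta(days=10), True, True),    # too recent for EXAMPLE_RULE
    Vuln("VULN-C", "High", TODAY - timedelta(days=120), False, True),      # no fix published
    Vuln("VULN-D", "Medium", TODAY - timedelta(days=400), True, True),     # severity too low
]

def evaluate_example_policy(vulns: List[Vuln] = SAMPLE_VULNS, today: date = TODAY) -> Dict:
    """Evaluate one policy holding one bundle of two rules against the vulns."""
    bundle = RuleBundle("Exploitable with fix", [EXAMPLE_RULE, CRITICAL_WITH_FIX])
    return Policy("Pipeline gate", [bundle]).evaluate(vulns, today)

if __name__ == "__main__":
    outcome = evaluate_example_policy()
    print("failed:", outcome["failed"])
    for bundle_name, rule_name, vuln_id in outcome["violations"]:
        print(f"  {vuln_id} violates rule '{rule_name}' in bundle '{bundle_name}'")
```

Running the block reports the policy as failed with three violations: VULN-A violates both rules, while VULN-B is too recent for the page's four-condition rule and fails the bundle only through the second rule, which is the OR between rules. VULN-C satisfies severity, age and exploit but has no published fix, so the AND within the rule is not met and it passes; evaluating only VULN-C and VULN-D yields a passing policy.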
Create Scanning Policies
You can create custom scanning policies and rule bundles as needed to meet your organization's vulnerability management guidelines. The basic concepts of scanning policies and rules are:
- An image can be evaluated with 1..N policies at the same time
- A policy can contain 1..N rule bundles to be evaluated
- A rule bundle is composed of any number of rules to be evaluated
Pipeline
Navigate to Policies | Vulnerabilities > Pipeline. The Pipeline scanning policy list is displayed. Click +Add Policy | Pipeline. Enter the parameters:
- Name: User-assigned name for this policy
- Description: User-assigned policy description
- Always Apply toggle: Mapping strategy to use:
  - If Always Apply is enabled, every execution of the scanner will apply this policy. This cannot be overridden by the CLI parameters.
  - If Always Apply is disabled, this policy must be explicitly requested when executing the scanner in order to apply it to the evaluation.
- Rule Bundles: A policy contains rule bundles to be evaluated. Use this widget to add, remove, or modify the bundles used for this policy. Click Edit Assigned Rule Bundles, toggle on the bundle(s) to be assigned, and click Update.
- How to Scan Images with this policy: Helper widget that previews the command line to be used in order to apply the policy to the scanner run. See also: Getting Started with Sysdig Secure.
Click Create.
Runtime
Navigate to Policies | Vulnerabilities > Runtime. The Runtime scanning policy list is displayed. Click +Add Policy | Runtime. Enter the parameters:
- Name: User-assigned name for this policy
- Description: User-assigned policy description
- Scope: Use Entire Infrastructure or build out a desired scope. Click See Workloads in this Scope to check that the scope is valid and working as expected.
- Rule Bundles: A policy contains rule bundles to be evaluated. Use this widget to add, remove, or modify the bundles used for this policy. Click Edit Assigned Rule Bundles, toggle on the bundle(s) to be assigned, and click Update.