Vulnerability Policies

This document applies only to the Vulnerability Management engine. If your Sysdig Secure instance was deployed before April 20, 2022, use the Scanning features and the Threat Detection policy documentation instead. See also: Which Scanning Engine to Use

Overview

Sysdig includes scanning policies for both Pipeline and Runtime vulnerabilities that work out of the box, along with relevant rule bundles. The process of editing or creating new policies and rules is the same for both.

Create Rule Bundles

A rule bundle is a set of scanning rules that are grouped together.

Note:

  • Default Sysdig rule bundles (identified with the Sysdig shovel icon) cannot be deleted, but they can be duplicated if you want to use one as a template for a new rule bundle.
  • The same rule bundle can be attached to several different policies.
  • Rule order is irrelevant to evaluation, but you can arrange the rules however you like for easier visualization.

Creation Steps

  1. Navigate to Policies > Rule Bundles and click +Add Bundle.

  2. Enter the parameters:

    • Name: User-assigned name for this rule bundle
    • Description: User-assigned rule bundle description
    • Rules: A rule bundle is composed of 1..N scanning rules; you can use the visual editor to create and configure new rules (represented as “cards” in the interface).
  3. Click Save. You can now attach this rule bundle to policies.

Example

In the following example, a single rule of type Vulnerabilities: Severities and Threats makes a vulnerability fail the check only if all four of these conditions hold:

  • The severity is High or Critical AND
  • It was discovered 60 days ago or more AND
  • It has a published fix AND
  • There is a public exploit available

Notes:

  • You can create multiple versions of the same rule template in the same rule bundle, i.e. you can have two or more cards like the one above of type Vulnerabilities: Severities and Threats.
  • Conditions within a single rule are evaluated with AND logic: as in the example above, a vulnerability must meet all of the rule's conditions to count as a violation.
  • The rules in a rule bundle are evaluated with OR logic:
    • If any rule is violated, the rule bundle is in violation.
    • If any rule bundle is in violation, the policy containing it is in violation as well and is considered "failed".

Create Scanning Policies

You can create custom scanning policies and rule bundles as needed to meet your organization's vulnerability management guidelines. The basic concepts of scanning policies and rules are:

  • An image can be evaluated with 1..N policies at the same time
  • A policy can contain 1..N rule bundles to be evaluated
  • A rule bundle is composed of any number of rules to be evaluated

Pipeline

  1. Navigate to Policies | Vulnerabilities > Pipeline. The Pipeline scanning policy list is displayed.

  2. Click +Add Policy|Pipeline.

  3. Enter the parameters:

    • Name: User-assigned name for this policy

    • Description: User-assigned policy description

    • Always apply toggle: Mapping strategy for this policy:

      • If Always Apply is enabled, every execution of the scanner applies this policy. This cannot be overridden by CLI parameters.
      • If Always Apply is disabled, the policy is applied only when it is explicitly requested when executing the scanner.
    • Rule Bundles: A policy contains rule bundles to be evaluated. Using this widget you can add, remove, or modify the bundles used for this policy.

      • Click Edit Assigned Rule Bundles and toggle on the bundle(s) to be assigned. Click Update.

    • How to Scan Images with this policy: Helper widget that previews the command line to be used in order to apply the policy to the scanner run. See also: Getting Started with Sysdig Secure.

  4. Click Create.
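The evaluation semantics described above (conditions ANDed within a rule, rules ORed within a bundle, bundles ORed within a policy, and the Always Apply mapping strategy) are easy to get wrong when reasoning about why an image failed. The following Python model is an added example and is not Sysdig's code: the finding field names (`severity`, `days_since_disclosure`, `fix_available`, `public_exploit`), the rule names, the policy names and the vulnerability IDs are all constructed here to mirror the Severities and Threats card from the rule bundle example, and say nothing about the scanner's real data model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# A vulnerability finding as a plain dict. The field names are assumptions
# chosen to mirror the conditions of the "Severities and Threats" card.
Vuln = Dict[str, object]
Condition = Callable[[Vuln], bool]

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def min_severity(level: str) -> Condition:
    """Condition: severity is `level` or worse."""
    return lambda v: SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[level]


def min_age_days(days: int) -> Condition:
    """Condition: disclosed `days` days ago or more."""
    return lambda v: v["days_since_disclosure"] >= days


def has_fix(v: Vuln) -> bool:
    return bool(v["fix_available"])


def has_public_exploit(v: Vuln) -> bool:
    return bool(v["public_exploit"])


@dataclass
class Rule:
    name: str
    conditions: List[Condition]

    def violated_by(self, v: Vuln) -> bool:
        # Conditions within one rule are ANDed: all must hold for a violation.
        return all(cond(v) for cond in self.conditions)


@dataclass
class RuleBundle:
    name: str
    rules: List[Rule]

    def violations(self, vulns: Iterable[Vuln]) -> List[str]:
        # Rules within a bundle are ORed: every (vuln, rule) match is a
        # violation, and a single violation is enough to fail the bundle.
        return [f"{r.name}:{v['id']}" for v in vulns for r in self.rules if r.violated_by(v)]


@dataclass
class Policy:
    name: str
    bundles: List[RuleBundle]
    always_apply: bool = False

    def evaluate(self, vulns: Iterable[Vuln]) -> List[str]:
        # Bundles within a policy are ORed as well; all hits are kept for the report.
        vulns = list(vulns)
        return [f"{b.name}/{hit}" for b in self.bundles for hit in b.violations(vulns)]


def select_policies(policies: List[Policy], requested: Set[str]) -> List[Policy]:
    """Mapping strategy: Always Apply policies run on every scan regardless of
    what the CLI asks for; the others run only when named explicitly."""
    return [p for p in policies if p.always_apply or p.name in requested]


def scan(policies: List[Policy], requested: Set[str], vulns: List[Vuln]) -> Dict[str, dict]:
    """Evaluate an image against every applicable policy. A policy passes only
    when none of its bundles reports a violation."""
    report = {}
    for p in select_policies(policies, requested):
        hits = p.evaluate(vulns)
        report[p.name] = {"status": "failed" if hits else "passed", "violations": hits}
    return report


# --- constructed sample data (not from any real scan) ------------------------

# The card from the page's example: High/Critical AND >= 60 days AND fix AND exploit.
aged_exploitable = Rule("high-aged-fixable-exploitable",
                        [min_severity("high"), min_age_days(60), has_fix, has_public_exploit])
# A second card of the same type in the same bundle, as the notes allow.
critical_fixable = Rule("critical-fixable", [min_severity("critical"), has_fix])

POLICIES = [
    Policy("pipeline-default", [RuleBundle("threats", [aged_exploitable, critical_fixable])], always_apply=True),
    Policy("strict", [RuleBundle("all-fixable-high", [Rule("high-fixable", [min_severity("high"), has_fix])])]),
]

# Placeholder IDs, not real CVE identifiers.
SAMPLE_VULNS: List[Vuln] = [
    {"id": "V-1", "severity": "critical", "days_since_disclosure": 90,  "fix_available": True, "public_exploit": True},
    {"id": "V-2", "severity": "high",     "days_since_disclosure": 30,  "fix_available": True, "public_exploit": True},
    {"id": "V-3", "severity": "critical", "days_since_disclosure": 10,  "fix_available": True, "public_exploit": False},
    {"id": "V-4", "severity": "medium",   "days_since_disclosure": 400, "fix_available": True, "public_exploit": True},
]

if __name__ == "__main__":
    import json
    # With no policy requested, only the Always Apply policy is evaluated.
    print(json.dumps(scan(POLICIES, set(), SAMPLE_VULNS), indent=2))
    # Requesting "strict" adds it to the evaluation; the default still runs.
    print(json.dumps(scan(POLICIES, {"strict"}, SAMPLE_VULNS), indent=2))
```

Note that V-2 (High, 30 days old, fixable, exploitable) does not violate the example card because the 60-day condition is not met, yet it still fails the `strict` policy when that policy is requested; V-4 is Medium and fails nothing. This is the behaviour to expect when the same image is scanned once with only the default policy and once with an extra policy named on the command line.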

Runtime

  1. Navigate to Policies | Vulnerabilities > Runtime. The Runtime scanning policy list is displayed.

  2. Click +Add Policy|Runtime.

  3. Enter the parameters:

    • Name: User-assigned name for this policy

    • Description: User-assigned policy description

    • Scope: Use Entire Infrastructure or build out a desired scope.

      • Click See Workloads in this Scope to check that the scope is valid and working as expected.
    • Rule Bundles: A policy contains rule bundles to be evaluated. Using this widget you can add, remove, or modify the bundles used for this policy.

      • Click Edit Assigned Rule Bundles and toggle on the bundle(s) to be assigned. Click Update.



Last modified May 20, 2022