Vulnerability Management Policies
Prerequisites
The prerequisites depend on what Vulnerability Management coverage you need:
- Container Images in CI/CD Pipelines - Install the Sysdig CLI Scanner, either via an Integration or as a standalone execution inside your CI pipelines.
- Container Registries - Install the Sysdig Registry Scanner. See Registry Scanning.
- Kubernetes Workloads and Hosts - Install the shield chart with the required features supported and enabled.
- Linux Hosts - Install the Sysdig Host Shield.
- Windows Hosts - Install the Sysdig Windows Host Shield.
- Agentless Hosts, Containers and Workloads - Install the Sysdig Agentless Scanning components.
Concepts
Policies
A Vulnerability Policy is composed of Rule Bundles, Scopes, and Notifications. A policy can accept one or many Rule Bundles, which are evaluated against the SBOMs generated by the Sysdig scanning components.
A policy definition (with the exception of the Admission Controller) operates on a Pass or Fail basis.
Certain rules may only apply to certain versions of the CLI Scanner. Keep your scanner version up to date to support the latest Sysdig Vulnerability, Image Configuration, and Content rules.
Scopes and Stages
A Vulnerability Policy scope defines what Resources, such as Hosts, Workloads or static Images, you wish to apply your policies to, and the stage in which they are scanned.
Pipeline Stage
A Pipeline stage and scope is used specifically with the Sysdig CLI Scanner. This stage supports the following filters, combined with AND semantics, and can be used to block images from progressing in your CI/CD pipelines or on developer machines.
- Scopes
- All Images: Apply the Policy to any execution of the CLI Scanner, whether on individual runs or via Integrations.
- Image Reference: The pullstring of the image(s) you wish to target, e.g. quay.io/sysdig
- Supported Operators: starts with, is, is not, contains, not contains (each takes a single value)
Registry Stage
A Registry stage and scope is used specifically with the Sysdig Registry Scanner. This stage supports the following filters, combined with AND semantics, and can be used to audit images inside your registry, evaluate your common base images, or scan third-party images you may have mirrored into your internal registries for use in your Container Runtime environments.
- Scopes
- All Images: Apply the Policy to any execution of the Registry Scanner on any Registry.
- Image Reference: The pullstring of the image you wish to target for the specific Registry or Repository, e.g. quay.io/sysdig
- Supported Operators: starts with, is, is not, contains, not contains (each takes a single value)
Admission Control Stage
An Admission Control stage and scope is used specifically with the Sysdig Admission Controller. This stage supports the following filters, combined with AND semantics, and can be used to Warn on or Reject images that fail the policy checks, and to Reject and Scan images that have not yet been scanned. It is the only Sysdig Vulnerability Management Policy stage with a Warn function.
- Scopes:
- Kubernetes Labels: kubernetes.cluster.distribution, kubernetes.cluster.name, kubernetes.namespace.name, kubernetes.node.name, kubernetes.pod.container.name, kubernetes.workload.name, kubernetes.workload.type
- Supported Operators: is (single value), is not (single value), in (single value or list), not in (single value or list), contains (single value), not contains (single value), starts with (single value)
- Image Reference: The pullstring of the image you wish to target for the specific Registry or Repository
- Supported Operators: starts with, is, is not, contains, not contains (each takes a single value)
Policy Failure Actions
Upon Policy Failure you have two options to choose from when evaluating an Image for Admission into your Kubernetes Cluster.
- Reject Image: Will completely reject the image for admission into your cluster until all applicable issues are resolved or Exceptions are applied to the Findings on the image.
- Warn: Will indicate that the Image did not pass its Policy checks but will only Warn the users that it failed.
For more information on Sysdig Admission Policies and Evaluations please refer to the Sysdig Admission Controller documentation.
Unknown Image Actions
Upon evaluation of an Unknown Image, that is one not previously scanned, the Sysdig Admission Controller can perform one of three actions against the image.
- Reject: Outright reject the Image with an indication that the Image is unknown to Sysdig and that it should be scanned prior to admission.
- Reject and Scan: Outright reject the Image and initiate a scan of the Image via the Sysdig Cluster Shield, so that a subsequent admission request can be evaluated against the scan result.
- Warn: Warn that the image has not been scanned by Sysdig before, but still admit it into the Kubernetes Cluster.
Runtime Stage
A Runtime stage and scope is used specifically with components that perform Runtime Scanning, such as the Sysdig Cluster Shield. This stage supports the following filters, combined with AND semantics, and can be used to evaluate the status of your runtime resources against your compliance, posture, and best practice policies.
- Scopes
- Resource Labels: Resource labels are pieces of metadata collected by Sysdig Runtime Scanning components.
Category | Fields |
---|---|
Kubernetes | kubernetes.cluster.name , kubernetes.namespace.name , kubernetes.node.name , kubernetes.workload.type , kubernetes.workload.name , kubernetes.pod.container.name |
AWS | aws.account.id , aws.account.name , aws.organization.id , aws.region , aws.ecs.cluster.name , aws.ecs.cluster.arn , aws.ecs.task.arn , aws.ecs.task.launch_type , aws.ecs.task_definition.arn , aws.ecs.task_definition.family , aws.ecs.task.container.name , aws.ecs.task.container.image , aws.ecs.service.arn , aws.ecs.service.name , aws.lambda.arn , aws.lambda.name , aws.lambda.version , aws.lambda.image , aws.lambda.package_type , aws.lambda.revision , aws.instance.name , aws.host.name |
Azure | azure.subscription.id , azure.subscription.name , azure.tenant.id , azure.resource_group.name , azure.resourceGroup , azure.location , azure.region , azure.instance.id , azure.instance.name , azure.containerapp.id , azure.containerapp.name , azure.containerapp.container.name , azure.containerapp.container.image |
GCP | gcp.organization.id , gcp.project.name , gcp.project.id , gcp.project.numericId , gcp.region , gcp.instance.zone , gcp.instance.id , gcp.instance.name , gcp.cloudrun.service.id , gcp.cloudrun.service.name , gcp.cloudrun.service.namespace , gcp.cloudrun.service.resource_version , gcp.cloudrun.service.container.image , gcp.cloudrun.job.id , gcp.cloudrun.job.name , gcp.cloudrun.job.namespace , gcp.cloudrun.job.resource_version , gcp.cloudrun.job.container.image , gcp.cloudfunction.id , gcp.cloudfunction.name |
Cloud Provider | cloudProvider , cloudProvider.account.id , cloudProvider.region , cloudProvider.instance.name |
Container | container.name , container.id , container.runtime.type |
Workload | workload.orchestrator , workload.name , asset.type , host.hostName |
- Agent Tags: Agent tags are supported and represented as agent.tag.<tag name> for Resources scanned with the Sysdig Host Shield.
- Supported Operators (Resource Labels and Agent Tags): is (single value), is not (single value), in (single value or list), not in (single value or list), contains (single value), not contains (single value), starts with (single value)
- Image Reference: The pullstring of the image you wish to target for the specific Registry or Repository
- Supported Operators: starts with, is, is not, contains, not contains (each takes a single value)
Rule Bundles
A Rule Bundle is a grouping of Sysdig Vulnerability, Image Configuration, and Content rules that you wish to apply to the scope defined in your Vulnerability Policy. These rules operate on a Pass or Fail basis, evaluating their conditions against the SBOM generated by the Sysdig scanning components. For more information please refer to the Sysdig Vulnerability Management Rule Bundles documentation.
Policy Alerts
A Vulnerability Policy alert is a mechanism to inform your Program Owners or Teams that a policy has failed on a specific set of resources. For more details, see Vulnerability Management Policy Alerts documentation.
Create a Scanning Policy
To create a Vulnerability Scanning Policy you must specify the following fields:
- Main Info
- Name: Name of the specified policy.
- Description: A short sentence describing your policy. Often this aligns with a set of best practices or environment information you wish to include in the policy.
- Rules
- One or many Rule Bundles
- Scopes
- A defined set of Scopes and Stages you wish to apply your policy to.
- Notifications
- Enabled: Determines whether or not you wish to enable notifications for this particular policy.
- Silence Period: The silence period you wish to select for this policy.
- Channel: The supported Notification Channel you wish to specify for this policy.
Once you have defined your specified criteria you may save your Vulnerability Management Policy.
Saving a Vulnerability Management Policy triggers a re-evaluation of all Runtime Resources within your environment, generating new Scan Results and Vulnerability Matches where applicable.