New Scanning Engine [Preview]
Sysdig is developing a new scanning engine with major improvements and additional features. Some of the features offered with the first iteration of the new engine are:
- Provides faster scan times when analyzing an image from the CI/CD pipeline or from your developer machine.
- Offers more advanced and accurate vulnerability data and CVSS vector scoring from different vendors and exploitability metrics.
- Features an improved and more intuitive user experience.
The new engine is currently under development, but it can be enabled already as a Preview.
In Sysdig parlance, Preview means showcasing a new feature that is under heavy development. In this case:
- The new scanning engine cannot be used for production data or flows and there are no forward compatibility guarantees for the data or the configuration yet. We recommend that you do not store any data beyond testing and evaluation.
- The new scanning engine is distinct and independent from the existing scan engine. This means that, for example, an image scanned with the new inline scanner will be available only in the new scanning engine menu options. However, it is safe to test the new scanning engine while you are still using the current scanning engine for production. These features will not interfere with each other in any way.
- The main goal of Preview is to collect feedback from you, and use it to keep advancing the feature set.
Enable the New Scanning Engine for Your Account
1. Log in to Sysdig Secure.
2. Navigate to Settings > User Profile.
3. In the Sysdig Labs section, enable New Scanning Engine.
4. Check whether the Vulnerability Management section is displayed.
Scan results are separated from the scan results in the current scanning engine to indicate that data and configurations for these interfaces are completely detached from the current scanning engine.
Get the Inline Scanner Binary
- Download the inline scanner binary and use it to scan the target containers.
  Linux:
    curl -LO "https://download.sysdig.com/scanning/inlinescan/inlinescan_$(curl -L -s https://download.sysdig.com/scanning/inlinescan/latest_version.txt)_linux_amd64"
  macOS:
    curl -LO "https://download.sysdig.com/scanning/inlinescan/inlinescan_$(curl -L -s https://download.sysdig.com/scanning/inlinescan/latest_version.txt)_darwin_amd64"
- On both Linux and macOS, make the inline scanner executable by running chmod +x ./inlinescan_<version>_<arch>. Replace <version> with the latest version that you have downloaded. Replace <arch> with your OS/architecture version.
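The download commands above place the contents of latest_version.txt directly into a URL and a local file name. The following is an added example, not Sysdig's own script, that performs the same download with the version string checked first and HTTPS enforced; the function names and the accepted character set are assumptions, and only the two builds linked on this page are handled.

```shell
#!/bin/sh
# Added example, not Sysdig's script. Function names are hypothetical.
BASE_URL="https://download.sysdig.com/scanning/inlinescan"  # URL from this page

# Assumed policy: accept only a conservative character set, so the fetched
# string cannot alter the URL path or the local file name.
valid_version() {
  case "$1" in
    ''|-*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Map the host to one of the two builds the page links to.
detect_platform() {
  case "$(uname -s)/$(uname -m)" in
    Linux/x86_64)  echo linux_amd64 ;;
    Darwin/x86_64) echo darwin_amd64 ;;
    *) echo "no build listed on the page for this host" >&2; return 1 ;;
  esac
}

inlinescan_url() {  # $1 = version, $2 = platform
  printf '%s/inlinescan_%s_%s\n' "$BASE_URL" "$1" "$2"
}

# HTTPS only (also across redirects); fail on HTTP errors instead of saving them.
https_get() {  # $1 = URL, remaining args are passed to curl
  url=$1; shift
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --tlsv1.2 "$@" "$url"
}

fetch_inlinescan() {
  platform=$(detect_platform) || return 1
  version=$(https_get "$BASE_URL/latest_version.txt") || return 1
  valid_version "$version" || { echo "unexpected version string" >&2; return 1; }
  out="inlinescan_${version}_${platform}"
  # Download to a temporary name so a failed transfer never leaves a partial binary.
  https_get "$(inlinescan_url "$version" "$platform")" --output "$out.part" || return 1
  mv "$out.part" "$out" && chmod +x "$out" && echo "$out"
}

# Run the download only when asked to: sh fetch.sh fetch
if [ "${1:-}" = "fetch" ]; then fetch_inlinescan; fi
```

On success the script prints the name of the downloaded, executable binary, which can then be used in the scan command in the next section.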
Currently supported OS and arch:
Analyze an Image with Inline Scanner
Run the following command:
SECURE_API_TOKEN=<user_API_token> ./inlinescan_<version>_<arch> --apiurl https://secure.sysdig.com mongo-express:0.54.0
You can get the inline help by running --help from the command line. For example:
inlinescan_<version>_<arch> [OPTIONS] ImageName
- SECURE API TOKEN: SECURE_API_TOKEN is an environment variable. Navigate to Settings > User Profile to find the API token associated with your user account.
- API URL: --apiurl specifies the Secure backend location where you want to push the scanning results.
- Image: The image that you want to scan. In the example given, it is
ImageName: Required parameter. Specify the image name.
--help: Show the command line help.
Application Options:
  -a, --apiurl=          Secure API base URL
  -t, --apitimeout=      Secure API timeout (seconds) (default: 120)
      --output-json=     Output path of the scan result report in json format
  -s, --skiptlsverify    Skip TLS certificate verification (default: false)
  -u, --skipupload       Skip the scan results upload (default: false)
  -d, --dbpath=          Database full path. By default it uses main.db.gz from the same directory
  -p, --cachepath=       Cache path
  -c, --clearcache       Clear the cache before to run (default: false)
  -l, --loglevel=        Log level (default: info)
  -o, --logfile=         File destination for logs, used if --console-log not passed
      --console-log      Force logs to console, --logfile will be ignored
      --full-vulns-table Show the entire list of packages found

Help Options:
  -h, --help             Show this help message

Arguments:
  ImageName:             Image name
Compatibility and Supported Modes
Supported Registries and Image Types
- Docker Registry V2 - compatible
- Docker Daemon
- Docker Archive (tar)
- OCI Archive
Supported Package Types
- Java Maven
- NPM (JS)
- Ruby Gems
- Cargo (Rust)