
    Review Scan Results

    This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use

    When you have set up your build environment for scanning (if applicable), added the desired registries, and either triggered a scan manually or configured an alert to scan automatically, then an image scanning report is generated.

    There are different ways to access scan results:

    • Externally (for developers): From an external Continuous Integration (CI) tool such as Jenkins.

    • Internally (for security personnel): From the Runtime tab or the Scan Results tab (formerly titled “Repositories”) in the Image Scanning module of Sysdig Secure.

    NOTE: Images containing RPM packages with SHA512 hashes are not supported.

    Scan Results Landing Page

    Once a scan has been run, choose Image Scanning > Scan Results to see the landing page.

    From here you can:

    • Check quick-view charts for at-a-glance summaries of:

      • Number of images scanned

      • Pass/fail status

      • Origins of image feeds

    • Search and filter results, by:

      • Keyword

      • Pass/fail status

      • Origin (drop-down menu)

      • Registry (drop-down menu)

      Save or Reset a search from the three-dots menu to the right of the nav bar.

    • Sort the results list by date.

    • Select an Image to see its Summary page.

    Summary View

    Select Image Scanning > Scan Results and select an Image to land on the results summary.

    On the Summary page you can:

    • Review results of vulnerability matching and policy evaluations in two separate sections

    • Check the date and time of the vulnerability match and the most recent policy evaluation. These usually differ.

    • Expand/collapse the policy breakdown for easier viewing and less visual clutter

    • Click Reevaluate Policies to trigger new policy results.

    • Download results as a PDF, including all the policy and vulnerability details.

    Select detail pages from the left navigation to see detail views.

    Runtime View

    Runtime provides an always-updated report on images that have been running in your environment over the past hour.

    In the left column: view the Entire Infrastructure or drill down to a namespace.

    In the Image Overview: See the percentage of Unscanned, Failed, and Passed images and click on each to get the relevant filtered list.

    Use the Search bar: To find images based on Registry, Image Name, or Tag.

    You can drill down to the Scan Result Details.

    Unscanned Images

    Select an unscanned image to manually trigger a scan.

    Scanned Images

    Select a scanned image to drill down into the details: a Summary page, Policy details, Vulnerability details, and Content violations (e.g., licenses).


    Scan Result Details


    When you drill down into the Scan Results list, the details menu provides a variety of ways to view vulnerability and policy violation data at a glance.

    • Policy Summary views

    • Vulnerabilities summaries

    • Content summaries

    These summaries provide:

    • An easy-to-parse view of why a specific image failed

    • Which rules generated the most Warn and Stop actions

    • Overview of how an image has performed against the various audit policies that have been put in place

    • Ability to filter for high-severity CVEs, and see which have an available fix

    You can also download the Policy Summary to PDF and the Vulnerabilities Summary to a CSV file.

    Policy Results Views

    The landing page of a Scan Results detail is the Policy Summary view.

    You can:

    • Get a bird's-eye view of scanning status

    • Drill down to a detail page

    • Click Download as PDF to get a full report, including all underlying CVEs.

    • Added On: See the date and time the scan was added.

    • Added By: See the mechanism by which the scan was reported.

      Possible values are: Sysdig Secure UI, Node Image Analyzer, API, Sysdig Inline Scanner, or Scanning alert.

    • Re-evaluate: Click the button to fetch the newest scan results

    Select Dates for Past Scans

    From the dropdown, select the date of the scan you’d like to analyze.

    Review Scanning Policy Details

    Select a listed Policy to see details about the STOP and WARN actions triggered in the Evaluation, as well as the underlying Rules affected.

    Review Vulnerability Summaries

    Select either Operating System-related or Non-Operating System-related Vulnerability summaries to review.

    You can:

    • Get a bird's-eye view of vulnerability status

    • Click a CVE number to get the full details and/or add it to an Exceptions list

    • Search or filter by severity: Critical, High, Medium, Negligible, Unknown. Also filter by whether it “Has a Fix”.

    • Click Download CSV to get the vulnerabilities data as a CSV file

    • Open the Vulnerability Details panel on the right by selecting an image from the list

    • Added On: See the date and time the scan was added.

    Red Hat Vulnerability Details

    For Red Hat vulnerabilities, the details panel provides both the Sysdig severity rating and the equivalent severity label from the Red Hat Security Tracker.

    The labels are mapped as follows:

    • Sysdig severity Critical / Red Hat severity Critical: This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. Flaws that require authentication, local or physical access to a system, or an unlikely configuration are not classified as Critical impact. These are the types of vulnerabilities that can be exploited by worms.

    • Sysdig severity High / Red Hat severity Important: This rating is given to flaws that can easily compromise the confidentiality, integrity or availability of resources. These are the types of vulnerabilities that allow local or authenticated users to gain additional privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication or other controls, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.

    • Sysdig severity Medium / Red Hat severity Moderate: This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations.

    • Sysdig severity Low / Red Hat severity Low: This rating is given to all other issues that may have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences. This includes flaws that are present in a program’s source code but to which no current or theoretically possible, but unproven, exploitation vectors exist or were found during the technical analysis of the flaw.

    Vulnerability Comparison

    The vulnerability comparison lets you compare two different tags within the same repository to see which vulnerabilities are new and which have been fixed in version X compared to version Y.

    This lets developers compare the latest image with a previous version and report on which vulnerabilities have been addressed and which are new.

    1. Select an image from a line in the Scan Results list.

    2. From the Compare To drop-down, select another version of this image with which to compare.

    3. The comparison report is displayed.
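    The Red Hat severity mapping above and the tag-to-tag comparison just described, reproduced on constructed data as an added example (this is not Sysdig's code): the Red Hat to Sysdig label mapping, the summary view's severity and "Has a Fix" filters, and the new-versus-fixed difference between two tags. The Vuln record, the package names and the CVE ids are assumptions, not Sysdig's data model or real findings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Red Hat Security Tracker label -> Sysdig severity, as documented on this page.
REDHAT_TO_SYSDIG = {"Critical": "Critical", "Important": "High",
                    "Moderate": "Medium", "Low": "Low"}
# Filter ordering of the vulnerability summary view, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

@dataclass(frozen=True)
class Vuln:  # assumed record shape, not Sysdig's data model
    cve: str               # CVE id as listed in the summary
    package: str           # affected package name
    severity: str          # Sysdig severity label
    fix: Optional[str]     # fixed-in version when a fix exists, else None

def sysdig_severity(redhat_label: str) -> str:
    """Map a Red Hat severity label to the Sysdig label shown in the details panel."""
    return REDHAT_TO_SYSDIG.get(redhat_label, "Unknown")

def filter_vulns(vulns, min_severity="High", has_fix=None) -> List[Vuln]:
    """Apply the summary view's severity threshold and optional 'Has a Fix' filter."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    out = []
    for v in vulns:
        if SEVERITY_ORDER.index(v.severity) > cutoff:
            continue  # less severe than the threshold
        if has_fix is not None and (v.fix is not None) != has_fix:
            continue  # does not match the 'Has a Fix' filter
        out.append(v)
    return out

def compare_tags(old: List[Vuln], new: List[Vuln]) -> Tuple[List[Vuln], List[Vuln]]:
    """Return (introduced, fixed): vulns only in `new`, and vulns only in `old`.
    Keyed on (CVE, package) so one CVE hitting two packages is tracked per package."""
    key = lambda v: (v.cve, v.package)
    old_keys, new_keys = {key(v) for v in old}, {key(v) for v in new}
    introduced = sorted((v for v in new if key(v) not in old_keys), key=key)
    fixed = sorted((v for v in old if key(v) not in new_keys), key=key)
    return introduced, fixed

# Constructed sample results for two tags of one repo; CVE ids are placeholders.
TAG_V1 = [Vuln("CVE-0000-0001", "openssl", sysdig_severity("Important"), "1.1.1k"),
          Vuln("CVE-0000-0002", "glibc", sysdig_severity("Moderate"), None),
          Vuln("CVE-0000-0003", "curl", sysdig_severity("Critical"), "7.79.0")]
TAG_V2 = [Vuln("CVE-0000-0002", "glibc", sysdig_severity("Moderate"), None),
          Vuln("CVE-0000-0004", "zlib", sysdig_severity("Important"), "1.2.12")]
```

    Calling compare_tags(TAG_V1, TAG_V2) reports the zlib finding as new in the second tag and the openssl and curl findings as fixed, while the unchanged glibc finding appears in neither list.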

    Review Content Details

    Navigate through node, ruby, python, java, OS packages, and the files in a container to search for details about a particular package or file.