Vulnerability Management
This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use
Understanding Vuln Management Stages
One key to designing your vulnerability management deployment and strategy is to understand the different lifecycle phases to be addressed:
Basic Concepts
- Vulnerabilities are present in the software that has been installed in the images during the build phase - when we define and assemble the image.
- A container image is immutable by definition. If we change the contents of an image, then it becomes a different image in practice (with different ImageID, etc.).
- Nevertheless, even if the image itself is immutable, Sysdig can discover new vulnerabilities contained in running container images (ex: kubernetes workloads) at any moment in time, given that the security feeds are constantly updated.
- For example, an image that had no known vulnerabilities at build time may be impacted by a newly discovered critical vulnerability 10 days after entering runtime. The image itself is exactly the same, but the security feeds discovered a new piece of information related to the image’s software.
Pipeline and Runtime
Although the underlying algorithm to analyze the image contents (SBOM) and match vulnerabilities to it is basically the same, Sysdig treats images differently depending on whether they are located in a pipeline or being used as the base for a running container, also known as runtime workloads.
Pipeline
Any analysis conducted prior to the runtime phase is considered pipeline. This typically means CI/CD builds (Jenkins, Github, etc), but can also be just an execution of the sysdig-cli-scanner binary performed on a developer laptop or with a custom scanning script.
- Pipeline images do not have runtime context.
- The scan happens outside of the execution nodes where the agent is installed:
- CI/CD
- External instrumentation
- Custom scripts or image scanning plugins
- Pipeline scans are one-off vulnerability reports; the information is a static snapshot with its corresponding execution date.
- If you want to evaluate a newer version of the image or just reevaluate the same image with newer feed information, the analysis needs to be triggered again.
- Images analyzed using the sysdig-cli-scanner will show up in the Pipeline section of the vulnerability management interface.
Runtime
Runtime workloads are executed from an image. Accessing the Runtime section of the Vulnerabilities menu, you will be able to see those images and their vulnerability and policy evaluation.
- Runtime workloads are located in an execution node and are being monitored by a Sysdig agent/node analyzer, for example a Kubernetes node that is instrumented using the Sysdig agent bundle.
- Runtime workloads will offer a live, auto-refreshing state. This means:
- Workloads that are no longer running will be removed from the runtime view
- Vulnerabilities and policies evaluations will automatically refresh without any user interaction, offering always the most up-to-date information known.
- At least once per day
- Runtime workload have a runtime context associated with them, i.e. Kubernetes cluster and namespace.
- Workloads analyzed during runtime will show up in the Runtime section of the vulnerability management interface.
Vulnerabilities Features
Sysdig’s Vulnerabilities module addresses the top requirements for effective vulnerability management:
Provides highly accurate views of vulnerability risk at scale
Deep visibility into system calls provides high accuracy about active packages
Rich details provide precision about vulnerability risk (ex. CVSS vector, score, fix age) and insights from multiple expert feeds (ex. VulnDB)
Access to public exploits allows you to verify security controls and patch efficiently
Prioritized risk data focused on the vulns that are tied to the packages loaded at runtime
Accepting risks on a carefully considered basis
At this time, the Vulnerability Management engine supports: CI/CD pipeline & runtime image scanning, policies, notifications, and reporting for runtime. Registry scanning is not yet supported.
Getting Started with Vulnerabilities
Ensure you have completed the Sysdig Secure steps, so you have:
The correct Sysdig agent, which includes the vuln management engine and runtime scanner.
The downloaded cli-scanner.
Log in to Sysdig Secure with
Advanced User+
permissions and selectVulnerabilities
.The out-of-the-box policies for Pipeline and Runtime vulnerabilities will work without further setup.
Choose Reporting to configure schedules for creating downloadable reports on runtime vulnerability results.
To create or edit Pipeline or Runtime Vuln Policies and Rule Bundles, select the relevant links from the Policies tab in the navigation bar.
To accept the risk of detected vulnerabilities, configure an acceptance based on scope, justification, and length of time. See Understanding and Usage steps.
Understanding Accept Risk
As of November, 2022, users can choose to accept the risk of a detected vulnerability or asset. Accept Risk is available for both Runtime and Pipeline, and for specific CVEs or specified hosts or images.
Enablement Prerequisites
Accept Risk requires Sysdig Secure SaaS to be installed with:
sysdig-deploy
Helm chart version 1.5.0+vuln-runtime-scanner
version 1.4.0+
sysdig-cli-scanner
version 1.3.0+
Because Accept Risk is applied to both pipeline and runtime vuln results impartially, the required versions of both components are required.
If the minimum enablement requirements are not met, the Accept Risk
button and panel will show in your interface, but will not activate. The created Acceptance will appear in Pending
status for 20 minutes, then disappear as if you had never created it.
Check Your Versions
Check sysdig-deploy
Helm Chart: Must be 1.5.0+
helm list -n <namespace>
(default namespace is sysdig-agent)
Example:
$ helm list -n sysdig-agent
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
sysdig-agent sysdig-agent 5 2022-11-11 17:57:54.109917081 +0100 CET deployed sysdig-deploy-1.5.0
Upgrade Helm Chart Instructions here
Check Cli Scanner: must be 1.3.0+
./sysdig-cli-scanner --version
Upgrade Cli Scanner: Instructions here
When to Use
When faced with a large number of reported vulnerabilities, organizations need to know which are the most relevant for their security posture. Sysdig already highlights critical vulns with a fix available, and vulns that occur in images actually in use.
An additional feature is the targeted ability to accept the risk of a vuln and not count it towards a policy violation, for example, when:
- An internal security team has analyzed the vuln and declared it a false positive
- The preconditions of the vuln don’t apply
- Deployment in production is required and it is reasonable to postpone the fix
- etc.
What Types of Risk
You can accept risk for different entities:
- Individual CVE IDs
- Assets
- Container images
- Hosts
Accepting Risk in the context of vuln management applies an exception to the Vulnerability Policy. Adding an accept to a CVE doesn’t make the CVE disappear. It still shows in the list, but voids the policy violation associated with that CVE.
When accepting risks it is important to:
- Be careful with the accept scope or context; overly broad exceptions can create false negatives
- Sysdig offers several scoping options for the accepts created
- Remain aware of what is accepted so it doesn’t become a visibility gap
- The Sysdig UI presents clear indications of what is accepted and why
Usage
See:
Appendix: Supported Packages and Languages
Runtime
- Only Kubernetes Runtime for now, Hosts and Cloud infrastructure coming soon
- Supported container runtimes:
- Docker daemon
- ContainerD
- CRI-O
Installation Options
- Helm chart
- Plain daemonset
- Runtime scanner
- Runtime scanner + benchmark runner
CI/CD
Supported Container Image Formats
- Docker Registry V2 - compatible
- Docker Daemon
- Podman
- Docker Archive (tar)
- OCI Archive
Supported Package Types
- Debian
- Alpine
- RHEL
- Ubuntu
- Java Maven
- Golang (built with go 1.13+)
- Pypi (Python)
- NPM (JS)
- Ruby Gems
- NuGet (.Net)
- Cargo (Rust)
- Composer (PHP)
Supported Container Image CPU Architectures
- linux/amd64
- linux/arm64
- (others coming soon)
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.