Resource and Component Support

Resource Support

Kubernetes Workloads

Sysdig Secure provides runtime monitoring and vulnerability scanning for the following Kubernetes workload types using the Sysdig Cluster Shield:

  • Pods
  • Deployments
  • StatefulSets
  • DaemonSets
  • Jobs
  • CronJobs
  • ReplicaSets
  • ReplicationController

Non-Orchestrated or Non-Kubernetes Containers

For non-orchestrated or non-Kubernetes containers, Sysdig supports scanning using the Host Scanner with Container Scanning enabled.

Supported Container Runtimes

Host Scanner

  • Docker daemon
  • ContainerD
  • CRI-O

Cluster Shield

The Sysdig Cluster Shield supports any container runtime that Kubernetes supports. For the list of supported Kubernetes runtimes, see the Kubernetes Supported Container Runtime documentation.

Standalone Hosts

For standalone hosts running a supported distribution, Sysdig Secure performs full host vulnerability scanning and monitoring. For more information, see the Host Scanner Installation Guide.

Agentless Scanning for Cloud Hosts

Sysdig Secure provides agentless scanning capabilities for cloud providers, including:

  • AWS: Amazon EC2 instances running supported distributions
  • Azure: Microsoft Azure VM instances running supported distributions
  • Google Cloud: Google Compute Engine (GCE) instances running supported distributions

Agentless Scanning allows Sysdig Secure to discover vulnerabilities without the need to install agents directly on the hosts. To enable Agentless Scanning, see the Agentless Setup Guide.

Additionally, Sysdig Agentless Scanning can detect and scan running containers on agentlessly scanned hosts that run a supported distribution.

CI/CD Pipeline

For CI/CD pipeline scanning, Sysdig provides a CLI-based scanner that integrates into your build pipeline to scan container images before they are pushed or deployed. For more information, see Sysdig CLI Scanner.

CLI Scanner Supported Container Image Formats and Loading Methods

| Prefix | Name | Description |
|---|---|---|
| docker:// | Docker Daemon | Load the image from the Docker daemon, honoring the DOCKER_HOST environment variable or other Docker configuration files. |
| podman:// | Podman | Load the image from the Podman daemon. |
| file:// | Docker Archive (tar) | Load the image from a .tar file saved as a Docker image archive (docker save command). |
| containerd:// | Containerd | Load the image from the Containerd daemon, which manages container lifecycles on the host. |
| crio:// | CRI-O | Load the image from the Containers Storage location used by CRI-O for Kubernetes environments. |
| pull:// | Docker Registry | Force pulling the image from a remote repository, ignoring local images with the same name. |

Supported Container Image CPU Architectures

  • linux/amd64
  • linux/arm64
  • linux/s390x

VM Component Deprecation and Supportability

Legacy Engine Components

All V1 Engine Components will be deprecated on January 1st, 2025. After this date, Sysdig will not apply defect fixes or security patches to them. The replacement components for the affected items are listed below:

Affected Components

| Legacy Component | Description | Replacement Components |
|---|---|---|
| Sysdig Image Analyzer | Sysdig Legacy Engine runtime container scanner for container workloads | Agent: Sysdig Cluster Shield or Sysdig Host Scanner. Agentless: Agentless Host-Based Scanning |
| Sysdig Host Analyzer | Sysdig Legacy Engine host scanning component for analyzing host-level vulnerabilities | Agent: Sysdig Host Scanner. Agentless: Agentless Host-Based Scanning |
| Sysdig Inline Scanner | Sysdig's command line scanner for container images | Command line: Sysdig CLI Scanner |
| Sysdig Registry Scanner | Sysdig Legacy Scanning component for container registries | Registry Scanner (Sysdig Helm Chart version 1.0.0 introduced the new scanning engine functionality by default) |

Scanning Engine Components

Certain components and versions used with the Sysdig Scanning Engine will reach end-of-life (EOL) or be considered out of support. The affected components, their descriptions, and their end-of-support status are listed below.

Affected Components

| Component | Description | End of Support |
|---|---|---|
| Sysdig Runtime Scanner | The first scanner introduced in the new Scanning Engine for Kubernetes workloads. | Yes: end of 2024, due to the switch to CSAF-VEX. Use Sysdig Cluster Shield. |
| Sysdig Cluster Scanner | Integrated into Sysdig Cluster Shield as an all-in-one deployable component for Kubernetes workloads. No longer supported as a standalone component. | Yes: no longer supported as a standalone component. Use Sysdig Cluster Shield. |
| Sysdig Host Scanner | The scanner will continue to be supported, but versions below v0.9.0 will no longer detect RedHat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes for versions below v0.9.0, due to the switch to CSAF-VEX; see also Sysdig Host Shield (Tech Preview). No for versions above v0.10.0. |
| Sysdig Registry Scanner | The scanner will continue to be supported, but versions below v0.2.61 will no longer detect RedHat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes for versions below v0.2.61, due to the switch to CSAF-VEX. No for versions above v0.2.62. |
| Sysdig CLI Scanner | The scanner will continue to be supported, but versions below v1.11.0 will no longer detect RedHat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes for versions below v1.11.0, due to the switch to CSAF-VEX. No for versions above v1.12.0. |
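The following helper functions are an added example for a CI step, not part of Sysdig's documentation or tooling. They cover two points from this page: mapping a prefixed image reference to the CLI Scanner loading method from the prefix table above, and checking that the installed CLI Scanner version is at or above v1.11.0, the threshold below which RedHat vulnerabilities are no longer detected after the CSAF-VEX switch. The function names and the rejection of unprefixed references are choices of this example, not behaviour documented for the scanner.

```shell
#!/bin/sh
# Added example (not Sysdig's code). Helpers for a pipeline step that
# validates the image reference and scanner version before scanning.

# Print the loading method for a prefixed image reference (prefix table
# on this page). Unprefixed references are rejected so the loading method
# is always explicit; that is a choice of this helper, not a scanner rule.
image_loading_method() {
  case "$1" in
    docker://*)     echo "Docker Daemon" ;;
    podman://*)     echo "Podman" ;;
    file://*)       echo "Docker Archive (tar)" ;;
    containerd://*) echo "Containerd" ;;
    crio://*)       echo "CRI-O" ;;
    pull://*)       echo "Docker Registry" ;;
    *)              echo "unsupported image reference prefix: $1" >&2; return 1 ;;
  esac
}

# Return 0 when VERSION is >= MINIMUM. Both may carry a leading "v".
# Fields are compared numerically, so 1.9.5 < 1.11.0 (a plain string
# comparison would get this wrong). Missing fields count as 0.
version_at_least() {
  v="${1#v}"; min="${2#v}"
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s\n' "$v" | cut -d. -f"$i")
    b=$(printf '%s\n' "$min" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Minimum CLI Scanner version that still detects RedHat vulnerabilities
# after the CSAF-VEX switch, taken from the end-of-support table above.
cli_scanner_redhat_ok() { version_at_least "$1" "1.11.0"; }

# Example gate (constructed values): refuse to scan with a scanner that
# would silently miss RedHat findings.
if [ -n "$SCANNER_VERSION" ] && ! cli_scanner_redhat_ok "$SCANNER_VERSION"; then
  echo "CLI Scanner $SCANNER_VERSION is below v1.11.0; RedHat results would be incomplete" >&2
fi
```

Set SCANNER_VERSION from the scanner's own version output in your pipeline; the version string format is not specified on this page, so parse it according to the release you run.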