Resource and Component Support
Resource Support
Kubernetes Workloads
Sysdig Secure provides runtime monitoring and vulnerability scanning for the following Kubernetes workload types using the Sysdig Cluster Shield:
- Pods
- Deployments
- StatefulSets
- DaemonSets
- Jobs
- CronJobs
- ReplicaSets
- ReplicationControllers
Non-Orchestrated or Non-Kubernetes Containers
For non-orchestrated or non-Kubernetes containers, Sysdig supports scanning using the Host Scanner with Container Scanning enabled.
Supported Container Runtimes
Host Scanner
- Docker daemon
- containerd
- CRI-O
Cluster Shield
The Sysdig Cluster Shield supports any container runtime that Kubernetes supports. For supported Kubernetes runtimes, see the Kubernetes Supported Container Runtime documentation.
Standalone Hosts
For standalone hosts running one of the Supported Distributions, Sysdig Secure performs full host vulnerability scanning and monitoring. For more information, see Host Scanner Installation Guide.
Agentless Scanning for Cloud Hosts
Sysdig Secure provides agentless scanning capabilities for cloud providers, including:
- AWS: Amazon EC2 instances running supported distributions
- Azure: Microsoft Azure VM instances running supported distributions
- Google Cloud: Google Compute Engine (GCE) instances running supported distributions
Agentless Scanning allows Sysdig Secure to discover vulnerabilities without the need to install agents directly on the hosts. To enable Agentless Scanning, see the Agentless Setup Guide.
Agentless Scanning can also detect and scan running containers on agentlessly scanned hosts that run supported distributions.
CI/CD Pipeline
For CI/CD pipeline scanning, Sysdig provides a CLI-based scanner that can be easily integrated into your build pipeline to scan container images. For more information, see Sysdig CLI Scanner.
CLI Scanner Supported Container Image Formats and Loading Methods
Prefix | Name | Description |
---|---|---|
docker:// | Docker Daemon | Load the image from the Docker daemon, honoring the DOCKER_HOST environment variable or other Docker configuration files. |
podman:// | Podman | Load the image from the Podman daemon. |
file:// | Docker Archive (tar) | Load the image from a .tar file saved as a Docker image archive (created with the docker save command). |
containerd:// | Containerd | Load the image from the Containerd daemon, which manages container lifecycles on the host. |
crio:// | CRI-O | Load the image from the Containers Storage location used by CRI-O for Kubernetes environments. |
pull:// | Docker Registry | Force pulling the image from a remote repository, ignoring local images with the same name. |
Supported Container Image CPU Architectures
- linux/amd64
- linux/arm64
- linux/s390x
VM Component Deprecation and Supportability
Legacy Engine Components
All V1 Engine Components will be deprecated on January 1st, 2025. After this date, Sysdig will not apply defect fixes or security patches. Below are the replacement components for the affected items:
Affected Components
Legacy Component | Description | Replacement Components |
---|---|---|
Sysdig Image Analyzer | Sysdig Legacy Engine Runtime Container scanner for Container Workloads | Agent: Sysdig Cluster Shield or Sysdig Host Scanner; Agentless: Agentless Host-Based Scanning |
Sysdig Host Analyzer | Sysdig Legacy Engine Host Scanning Component for analyzing host-level vulnerabilities | Agent: Sysdig Host Scanner; Agentless: Agentless Host-Based Scanning |
Sysdig Inline Scanner | Sysdig’s command line scanner for Container Images | Command Line: Sysdig CLI Scanner |
Sysdig Registry Scanner | Sysdig Legacy Scanning component for Container Registries | Sysdig Helm Chart Version 1.0.0 introduced the new scanning engine functionality by default: Registry Scanner |
Scanning Engine Components
Certain components and versions used with the Sysdig Scanning Engine will reach end-of-life (EOL) or be considered out of support. Below are the affected components and their descriptions.
Affected Components
Component | Description | End of Support |
---|---|---|
Sysdig Runtime Scanner | The first scanner introduced in the new Scanning Engine for Kubernetes workloads. | Yes - End of 2024, due to the switch to CSAF-VEX. Use Sysdig Cluster Shield. |
Sysdig Cluster Scanner | Integrated into Sysdig Cluster Shield for an all-in-one deployable component for Kubernetes workloads. No longer supported as a standalone component. | Yes - No longer supported as a standalone component. Use Sysdig Cluster Shield. |
Sysdig Host Scanner | The scanner will continue to be supported, but versions below v0.9.0 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v0.9.0, due to the switch to CSAF-VEX. Additionally, see Sysdig Host Shield (Tech Preview). No - Versions above v0.10.0. |
Sysdig Registry Scanner | The scanner will continue to be supported, but versions below v0.2.61 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v0.2.61, due to the switch to CSAF-VEX. No - Versions above v0.2.62. |
Sysdig CLI Scanner | The scanner will continue to be supported, but versions below v1.11.0 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v1.11.0, due to the switch to CSAF-VEX. No - Versions above v1.12.0. |