Vulnerability Management
This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use
Understanding Vuln Management Stages
One key to designing your vulnerability management deployment and strategy is to understand the different lifecycle phases to be addressed:
Basic Concepts
- Vulnerabilities are present in the software that has been installed in the images during the build phase - when we define and assemble the image.
- A container image is immutable by definition. If we change the contents of an image, then it becomes a different image in practice (with different ImageID, etc.).
- Nevertheless, even if the image itself is immutable, Sysdig can discover new vulnerabilities contained in running container images (ex: kubernetes workloads) at any moment in time, given that the security feeds are constantly updated.
- For example, an image that had no known vulnerabilities at build time may be impacted by a newly discovered critical vulnerability 10 days after entering runtime. The image itself is exactly the same, but the security feeds discovered a new piece of information related to the image’s software.
Pipeline and Runtime
Although the underlying algorithm to analyze the image contents (SBOM) and match vulnerabilities to it is basically the same, Sysdig treats images differently depending on whether they are located in a pipeline or being used as the base for a running container, also known as runtime workloads.
Pipeline
Any analysis conducted prior to the runtime phase is considered pipeline. This typically means CI/CD builds (Jenkins, Github, etc), but can also be just an execution of the sysdig-cli-scanner binary performed on a developer laptop or with a custom scanning script.
- Pipeline images do not have runtime context.
- The scan happens outside of the execution nodes where the agent is installed:
- CI/CD
- External instrumentation
- Custom scripts or image scanning plugins
- Pipeline scans are one-off vulnerability reports; the information is a static snapshot with its corresponding execution date.
- If you want to evaluate a newer version of the image or just reevaluate the same image with newer feed information, the analysis needs to be triggered again.
- Images analyzed using the sysdig-cli-scanner will show up in the Pipeline section of the vulnerability management interface.
Runtime
Runtime workloads are executed from an image. Accessing the Runtime section of the Vulnerabilities menu, you will be able to see those images and their vulnerability and policy evaluation.
- Runtime workloads are located in an execution node and are being monitored by a Sysdig agent/node analyzer, for example a Kubernetes node that is instrumented using the Sysdig agent bundle.
- Runtime workloads will offer a live, auto-refreshing state. This means:
- Workloads that are no longer running will be removed from the runtime view
- Vulnerabilities and policies evaluations will automatically refresh without any user interaction, offering always the most up-to-date information known.
- Runtime workload have a runtime context associated with them, i.e. Kubernetes cluster and namespace.
- Workloads analyzed during runtime will show up in the Runtime section of the vulnerability management interface.
Vulnerabilities Features
Sysdig’s Vulnerabilities module addresses the top requirements for effective vulnerability management:
Provides highly accurate views of vulnerability risk at scale
Deep visibility into system calls provides high accuracy about active packages
Rich details provide precision about vulnerability risk (ex. CVSS vector, score, fix age) and insights from multiple expert feeds (ex. VulnDB)
Access to public exploits allows you to verify security controls and patch efficiently
Prioritized risk data focused on the vulns that are tied to the packages loaded at runtime
Accepting risks on a carefully considered basis
At this time, the Vulnerability Management engine supports: CI/CD pipeline & runtime image scanning, policies, notifications, and reporting for runtime. Registry scanning is not yet supported.
Getting Started with Vulnerabilities
Ensure you have completed the Sysdig Secure steps, so you have:
Log in to Sysdig Secure with Advanced User+ permissions and select Vulnerabilities.
The out-of-the-box policies for Pipeline and Runtime vulnerabilities will work without further setup.
Choose Pipeline or Runtime to see the scanning results.
Choose Reporting to configure schedules for creating downloadable reports on runtime vulnerability results.
To create or edit Pipeline or Runtime Vuln Policies and Rule Bundles, select the relevant links from the Policies tab in the navigation bar.
To accept the risk of detected vulnerabilities, configure an acceptance based on scope, justification, and length of time. See Understanding and Usage steps.
Understanding Accept Risk
As of November, 2022, users can choose to accept the risk of a detected vulnerability or asset. Accept Risk is available for both Runtime and Pipeline, and for specific CVEs or specified hosts or images.
Enablement Prerequisites
Accept Risk requires Sysdig Secure SaaS to be installed with:
Because Accept Risk is applied to both pipeline and runtime vuln results impartially, the required versions of both components are required.
If the minimum enablement requirements are not met, the Accept Risk button and panel will show in your interface, but will not activate. The created Acceptance will appear in Pending status for 20 minutes, then disappear as if you had never created it.
Check Your Versions
Check sysdig-deploy Helm Chart: Must be 1.5.0+
helm list -n <namespace> (default namespace is sysdig-agent)
Example:
$ helm list -n sysdig-agent
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
sysdig-agent sysdig-agent 5 2022-11-11 17:57:54.109917081 +0100 CET deployed sysdig-deploy-1.5.0
Upgrade Helm Chart Instructions here
Check Cli Scanner: must be 1.3.0+
./sysdig-cli-scanner --version
Upgrade Cli Scanner: Instructions here
When to Use
When faced with a large number of reported vulnerabilities, organizations need to know which are the most relevant for their security posture. Sysdig already highlights critical vulns with a fix available, and vulns that occur in images actually in use.
An additional feature is the targeted ability to accept the risk of a vuln and not count it towards a policy violation, for example, when:
- An internal security team has analyzed the vuln and declared it a false positive
- The preconditions of the vuln don’t apply
- Deployment in production is required and it is reasonable to postpone the fix
- etc.
What Types of Risk
You can accept risk for different entities:
Accepting Risk in the context of vuln management applies an exception to the Vulnerability Policy. Adding an accept to a CVE doesn’t make the CVE disappear. It still shows in the list, but voids the policy violation associated with that CVE.
When accepting risks it is important to:
- Be careful with the accept scope or context; overly broad exceptions can create false negatives
- Sysdig offers several scoping options for the accepts created
- Remain aware of what is accepted so it doesn’t become a visibility gap
- The Sysdig UI presents clear indications of what is accepted and why
Usage
See:
Appendix: Supported Packages and Languages
Runtime
- Only Kubernetes Runtime for now, Hosts and Cloud infrastructure coming soon
- Supported container runtimes:
- Docker daemon
- ContainerD
- CRI-O
Installation Options
- Helm chart
- Plain daemonset
- Runtime scanner
- Runtime scanner + benchmark runner
CI/CD
- Docker Registry V2 - compatible
- Docker Daemon
- Podman
- Docker Archive (tar)
- OCI Archive
Supported Package Types
- Debian
- Alpine
- RHEL
- Ubuntu
- Java Maven
- Golang (built with go 1.13+)
- Pypi (Python)
- NPM (JS)
- Ruby Gems
- NuGet (.Net)
- Cargo (Rust)
- Composer (PHP)
Supported Container Image CPU Architectures
- linux/amd64
- linux/arm64
- (others coming soon)
1 - Pipeline
This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use
Introduction
The sysdig-cli-scanner tools allow you to manually scan a container image, either locally or from a remote registry. You can also integrate the sysdig-cli-scanner as part of your CI/CD pipeline or automations to automatically scan any container image right after it is built and before pushing to the registry scanner.
Development / CI/CD / Pipeline / Shift-Left / …: all of these terms refer to scanning performed on container images that are not (yet) executed in a runtime workload. You can scan these images using the sysdig-cli-scanner tool, and explore the results directly in the console or in the Sysdig UI.
Optionally, you can create additional pipeline scanning policies and rules.
The Pipeline section in Sysdig Secure will display the scan results for all images that are scanned using the sysdig-cli-scanner
For Runtime workloads, see how they are automatically scanned by the Sysdig Runtime Scanner.
Running the CLI Scanner
The sysdig-cli-scanner is a binary you can download and execute locally in your computer or environment.
Scanning Images
- Download latest version of
sysdig-cli-scanner with:
Optionally, you can check the sha256sum as:
Set the executable flag on the file:
chmod +x ./sysdig-cli-scanner
You only need to download and set executable once. Then:
You can scan images by running the sysdig-cli-scanner command:
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> <image-name>
See Parameters for more detail.
Integrating in your CI/CD Pipelines
The sysdig-cli-scanner can be included as a step in your CI/CD pipelines (i.e. Jenkins, Github actions or others) simply by running the sysdig-cli-scanner command as part of your pipeline.
- Make sure that the
sysdig-cli-scanner binary is available as part of the worker or runner where the pipeline is executing.- If you are running an ephemeral environment in the pipeline, include the download and set executable steps in your pipeline to download the tool on every execution.
- Define a secret containing the API-Token and make it available in the pipeline (i.e. via a
SECURE_API_TOKEN environment variable). - Include a step in your pipeline to run the
sysdig-cli-scanner after building the container image, and providing the image name as paremeter. For example:
./sysdig-cli-scanner --apiurl <sysdig-api-url> ${IMAGE_NAME}
See some examples on how to use it on different CI/CD pipelines:
About CI/CD Policies
Policies allow you to define a set of rules that will evaluate each scan result. After the evaluation, each policy will pass or fail. A policy failure or non-compliance happens if the scan result doesn’t meet all the rules in a policy.
For CI/CD and manual image scans, you can tell the sysdig-cli-scanner tool to explicitly evaluate one or more policies using the --policy= policy1,policy2,... flag and provide a comma-separated list of policy IDs.
CI/CD policies can be configured as Always apply. If a policy has the Always apply flag, it will be evaluated on every scanned image even if you don’t specify it explicitly.
Learn more about Vulnerability Management policies, the available rules, and how to define policies in Vulnerability Policies.
Parameters
Basic usage of the sysdig-cli-scanner:
sysdig-cli-scanner [OPTIONS] <ImageName>
Required
| Option | Description |
|---|
SECURE_API_TOKEN | Provide the API token as environment variable SECURE_API_TOKEN . You can retrieve this from Settings > User Profile in Sysdig Secure. |
--apiurl=<endpoint> | Sysdig Secure Endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI. |
ImageName | The image that you want to scan. For example mongo-express:0.54.0. |
- The Sysdig CLI scanner will try to find a local image in Docker, ContainerD or other container runtimes, or try to pull if from the remote registry.
- Once the scan is complete, you will see the results directly in the console, and they will be available in the Pipeline section of the UI.
Registry credentials
Registry credentials can be supplied via the following environment variables
| Option | Description |
|---|
REGISTRY_USER | Provide the registry username as environment variable REGISTRY_USER. |
REGISTRY_PASSWORD | Provide the registry password as environment variable REGISTRY_PASSWORD. |
Example
$ REGISTRY_USER=<YOUR_REGISTRY_USERNAME> REGISTRY_PASSWORD=<YOUR_REGISTRY_PASSWORD> SECURE_API_TOKEN=<YOUR_API_TOKEN> ./sysdig-cli-scanner --apiurl https://secure.sysdig.com ${REPO_NAME}/${IMAGE_NAME}
Additional Parameters
Use the -h / --help flag to display a list of all available command line parameters:
Example
Usage:
sysdig-cli-scanner [OPTIONS] [ImageName]
Application Options:
-a, --apiurl= Secure API base URL
-t, --apitimeout= Secure API timeout (seconds) (default: 120)
--output-json= Output path of the scan result report in json format
-s, --skiptlsverify Skip TLS certificate verification (default: false)
-u, --skipupload Skip the scan results upload (default: false)
-d, --dbpath= Database full path. By default it uses main.db.gz from the same directory
--policy= Identifier of policy to apply
-p, --cachepath= Cache path
-c, --clearcache Clear the cache before to run (default: false)
-l, --loglevel= Log level (default: info)
-o, --logfile= File destination for logs, used if --console-log not passed
--console-log Force logs to console, --logfile will be ignored
--full-vulns-table Show the entire list of packages found
--detailed-policies-eval Show a detailed view of the policies evaluation
--no-cache config flag Disable the cache layer during the scan
--standalone config flag Disable communication towards the backend. This implies:
skip upload of the scan-result; offline-analyze; no
policies; no policy remediations; no risk-acceptances; no
download of the mainDB (local path for an existing one
needs to be provided with the dedicated parameter)
Help Options:
-h, --help Show this help message
Arguments:
ImageName: Image name
Image Sources
The Sysdig CLI scanner can load images from different sources. By default, it will try to automatically find the provided image name from all supported sources, in the order specified by the following list. However, you can explicitly select the image source by using the corresponding prefix for the image name:
file:// - Load the image from a .tar filedocker:// - Load the image from the Docker daemon (honoring DOCKER_HOST environment variable or other Docker configuration files)podman:// - Load the image from the Podman daemonpull:// - Force pulling the image from a remote repository (ignoring local images with same name)containerd:// - Load the image from Containerd daemoncrio:// - Load the image from Containers Storage location
i.e. pull the image from remote registry even if it is locally available:
./sysdig-cli-scanner -a https://secure.sysdig.com pull://nginx:latest
Sample Result in Terminal
It is possible to view scan results in the terminal window (see below)
$ SECURE_API_TOKEN=<YOUR_API_TOKEN> ./sysdig-cli-scanner --apiurl https://secure.sysdig.com redis
Type: dockerImage
ImageID: sha256:7614ae9453d1d87e740a2056257a6de7135c84037c367e1fffa92ae922784631
Digest: redis@sha256:db485f2e245b5b3329fdc7eff4eb00f913e09d8feb9ca720788059fdc2ed8339
BaseOS: debian 11.2
PullString: pull:*//redis*
66 vulnerabilities found
8 Critical (0 fixable)
2 High (0 fixable)
4 Medium (0 fixable)
5 Low (0 fixable)
47 Negligible (0 fixable)
POLICIES EVALUATION
Policy: Sysdig Best Practices FAILED (9 failures)`
You can use --full-vulns-table or --detailed-policies-eval flags to include further details in the output.
For a more user-friendly scan result, find the image in the UI.
JSON Output
You can use the --output-json=/path/to/file.json to write a JSON report of the scan result
Scan Logs (for troubleshooting)
The sysdig-cli-scanner automatically writes a log file on every execution. You can change the output path using -o or --logfile flags. For troubleshooting purposes, you can change the log level by setting --loglevel=debug. This will increase the verbosity of the log messages to the debug level.
Review Pipeline Scans in the UI
You can explore the details for every image that has been scanned by executing the sysdig-cli-scanner in Sysdig Secure UI.
Navigate to Vulnerabilities > Pipeline.
Filter the list by Pass | Fail if desired.
- The Policy Evaluation column reflects the policy state at evaluation time for that image and the assigned policies
- Failed: If any of the policies used to evaluate the image is failing, the image is considered “Failed”
- Passed If there is no violation of any of the rules contained in any of the policies, the image is considered “Passed”
From here you can drill down to the scan result details.
Drill into Scan Result Details
Select a result from the Pipeline list to see the details, parsed in different ways depending on your needs.
Overview Tab
Focuses on the package view and filters for those that are fixable. Clickable cells lead into the Vulnerabilities list (next).
Vulnerabilities Tab
Expanded filters and clickable list of CVEs that open the full CVE details, including source data and fix information.
The same security finding (e.g. a particular vulnerability) can be present in more than one rule violation table if it happens to violate several rules.
Content Tab
Also organized by package view, with expanded filters and clickable CVE cells.
Policies Tab
Shows CVEs organized by the policy+rule that failed. Use the toggle to show or hide policies+rules that passed. Click CVE names for the details.
Filter and Sort Results
Within the Pipeline results tabs, there are ways to further refine your view:
- Search by keyword or CVE name
- Use filters:
Severity (>=); CVSS Score (>=); Vuln Type; Has Fix; Exploitable.
Accept Risk: Pipeline
As of November, 2022, users can choose to accept the risk of a detected vulnerability or asset. The process for handling Accepted Risk is the same for Pipeline as for Runtime.
Use the Runtime instructions, with the following difference:
Accept Validity - Pipeline
The pipeline scan results are point-in-time, so there is no automatic re-evaluation.
To trigger a new evaluation containing the accept:
- You must execute the pipeline process again over the same image
- The N+1 scan will contain the accept
2 - Runtime
Introduction
Sysdig Secure will automatically analyze and scan the container image for the workloads in your clusters, providing a list of vulnerabilities, policy evaluations, and the “In Use” spotlight, helping you focus on fixing the active, critical and exploitable vulnerabilities.
As of December, 2022, hosts can be scanned for vulnerabilities as well as containers. See Host Scanning for details.
Why Runtime Scanning?
Although shifting vulnerability management to the earliest phases (such as integrating with CI/CD) is essential, runtime vulnerability management remains important:
- Strong defense: Runtime VM provides an additional layer of defense to your arsenal
- Up-to-date: New vulnerabilities are discovered every day; new discoveries need to be checked against your running images
- Prioritized feedback: The In Use spotlight allows you to hone in on the most important vulnerabilities discovered within your running images so you can efficiently prioritize and act.
Sysdig’s runtime scanner will:
- Automatically observe and report on all the Runtime workloads, keeping a close-to-real time view of images and workloads executing on the different Kubernetes scopes of your infrastructure.
- Perform periodic re-scans, guaranteeing that the vulnerabilities associated with the Runtime workloads and images are up-to-date with the latest vulnerabilities feed databases. It will automatically match a newly reported vulnerability to your runtime workloads without requiring any additional user interaction.
Understanding the Runtime Workload and Labels
Runtime entities are associated using the concept of workload, defined by:
These workload labels are in the order: cluster > namespace > type > container
Kubernetes cluster name, demo-kube-eks in the example aboveKubernetes namespace name, example-voting-app aboveKubernetes workload type, deployment (or daemonset, etc.)Kubernetes container name, sysdiglabs/example-voting-app-result:metrics-3 above
This means:
- Several replicas of the same deployment are considered the same workload (single entry on the table), as the images are identical and the runtime context is the same.
- An identical image deployed on two different Kubernetes clusters will be considered two different workloads, as the runtime context is different.
About Runtime Policies
Policies allow you to define a set of rules that will evaluate each workload. After the evaluation, each policy will pass or fail. A policy failure or non-compliance happens if the scan result doesn’t meet all the rules in a policy.
Runtime policies contain a runtime scope filter, so it only applies workloads in that scope, or Entire infrastructure, which will apply globally.
NOTE: If you have enabled host scanning, then you can assign runtime policies to container image workloads, hosts, or the entire infrastructure.
Learn more about Vulnerability Management policies, the available rules, and how to define policies in Vulnerability Policies
Review Runtime Scan Results Overview
Navigate to Vulnerabilities > Runtime.
By default, the entire infrastructure results are shown.
Results are ranked by:
- Number of actual exploits
- Severity of vulnerabilities
- Number of vulnerabilities
From here you can:
to find and remediate the priority issues discovered.
Understanding the In Use Column
The In Use column depends upon Image Profiling and is currently in Controlled Availability status.
- To enable In Use in your account, please contact your Sysdig representative.
- You will also need to set a parameter in the Node Analyzer of the Sysdig Agent and enable Image Profiling. See Profiling | Enable for Risk Spotlight and In Use.
Data in the In Use column will appear approximately 12 hours after the feature has been deployed.
The In Use designation allows you to focus first on the packages containing vulnerabilities that are actually being executed at runtime. If an image has 180 packages and 160 have vulnerabilities, but only 45 are used at runtime, then much of the vuln notification noise can be reduced.
Click on an image entry to see the In Use panel and drill down, clicking on the vulnerabilities for details and examining the link to any known exploits that exist.
Drill into Scan Result Details
Select a workload from the Runtime results list
Overview Tab
Focuses on the package view and top-priority running images (In Use).
Clickable cells lead into the Vulnerabilities list (next).
Vulnerabilities Tab
Provides expanded filters and clickable list of CVEs that open the full CVE details, including source data and fix information.
Content Tab
Also organized by package view, with expanded filters and clickable CVE cells.
Policies Tab
Shows CVEs organized by the policy+rule that failed. Use the toggle to show or hide policies+rules that passed. Click CVE names for the details.
Filter and Sort Results
Filter by workload labels and optionally save constructed filters as Favorite or Default from the kebab (3-dot) menu on the filter bar.
Hover over the workload labels and click = or =! to add them to the filter bar to refine by cluster, namespace, type, etc.
Filter by evaluation: Pass / Fail / No Policy
Click In Use to list the results that have been evaluated for risk first
Use further-refined filters within the image detail tabs, e.g. CVE Name; Severity (>=); CVSS Score (>=); Has Fix; Exploitable.
Accept Risk: Runtime
As of November, 2022, users can choose to accept the risk of a detected vulnerability or asset.
Review Understanding Accept Risk and the Enablement Prerequisites if needed.
If the minimum enablement requirements are not met, the Accept Risk button and panel will show in your interface, but will not activate. A created Acceptance would appear in Pending status for 20 minutes, then disappear as if you had never created it.
The process for Accept Risk is the same for Runtime and for Pipeline.
For a Failed CVE
Navigate to Vulnerabilities > Runtime.
Either:
Select a failed asset from the list and choose the Vulnerabilities panel, then hover over the far-right column to see the Accept Risk button
Select a failed asset from the list and choose the Policies panel, then hover over the far-right column to see the Accept Risk button
Click Accept Risk and continue to Complete the Configuration.
For a Failed Host or Image
You can accept risk for an entire host or image, based on the image name or host name.
Note:
- In this case, you are not accepting the vulnerabilities within, just the asset as a whole
- The ImageID or digests are not taken into account
Navigate to Vulnerabilities > Runtime and select a failed asset.
Choose the Policies panel and select the Accept image as a risk button.
Continue to Complete the Configuration.
Complete the Configuration
Select Accept Risk or Accept image as risk.
Enter the configuration details:
Reason: Risk Owned, Transferred, Avoided, Mitigated, Not Relevant, or Custom
Add details in the free-text box if needed.
Context: Defines the scope, i.e., the cases to which the Accept will apply.
- Global: Every time this vulnerability is found, regardless of the asset or the package and also regardless of the phase (Pipeline, Runtime), this vulnerability will always be accepted.
- Package: You are accepting only the combination of this CVE and a particular package. There are two sub options:
Package name AND package version (default). For example: rpm 4.14.4Package name - Any package version For example, rpm (any version)
- This image: Select the particular image or host name from the drop-down.
Note that the context can affect multiple assets with a single configuration. For example, accepting one CVE globally would affect the policy evaluation of all the different images in which that vuln is found.
Expires In: 7/30/60/90 days, Custom time frame or Permanent
- Accepts should be exceptional choices; normally they should not mask a security risk forever
- When the Accept expires, the vulnerability (or asset) reappears in the violations count, potentially causing an evaluation to fail again.
Click Accept.
A green acknowledgement message is displayed, and a greyed out Shield icon shows the Accept is in Pending status.
Manage Accepts
Accept Validity
The creation, editing, or revocation of an Accept does not take effect immediately. The change is in Pending status with the grey shield icon until the next runtime scan is:
- Automatically triggered
- Within 20 minutes
No additional changes can made to the Accept configuration while it is pending.
Note: This differs in Pipeline
Limits
There is a limit of 1000 Accept Risk items (per customer account)
- This is the number of configurations created, not the number of impacted assets/CVEs
- For example, a global CVE Accept impacting 30 images counts as 1 Accept Risk item
- Both CVE accepts and Asset accepts count towards that total
Review Accepts
When no longer pending, the Accept Risk shield is not greyed out and appears in the list of assets. You can also filter by Accept Risk to see all assets where an Accept has been applied.
Click in to the asset to see more, and hover over the shield icon to see all the Accept Risk config details.
Accepted Risk on a CVE will be shown in the:
- List of CVEs in the “Vulnerabilities” panel
- List of Policy violations under the “Policies” panel
- Policy evaluation card, showing the number of overridden violations
Passing Evaluations
A policy will pass if:
- All the rules inside the policy pass, or
- All the violations to a policy have been voided by a matching accept
A host or image will pass if:
All the policies attached to the asset pass, or
The asset itself is accepted
In this example, the policies are failing but the asset has been accepted, indicated by the shield icon beside the [PASSED] global evaluation.
Edit an Accept
To edit an existing risk, click on the pencil icon in the Accept details.
You can edit the
ReasonDescriptionExpiration
To change the affected resource or the context, you must create a new Accept configuration, and delete the old one if no longer valid.
2.1 - Host Scanning
A “host” is any runtime entity where you could execute the Sysdig agent, including virtual machines, Kubernetes nodes, bare metal, cloud-managed hosts such as EC2, etc.
Scanning for vulnerabilities on hosts is as important as scanning on containers, and certain standards such as NIST 800-190 require vulnerability reports on running hosts to pass compliance. Sysdig’s host scanning feature provides a unified flow with image scanning, for a smooth user experience.
Note: Having the agent installed on the hosts is not required, but is recommended. Metadata autocomplete on the filters and searches depend on the Sysdig agent.
Enable Host Scanning
Installation methods include Helm (recommended), Docker container, or non-containerized binaries.
Supported OSes and Host Types
- Ubuntu 22.04
- Ubuntu 20.04
- Debian 11
- Debian 10
- Redhat Red Hat Enterprise Linux 9
- Redhat Red Hat Enterprise Linux 8
- Redhat Red Hat Enterprise Linux 7
- Red Hat Red Hat Enterprise Linux Core OS
- Amazon Linux 2
- Flatcar Container Linux
- Alibaba Cloud Linux (a.k.a. Aliyun Linux)
- Google Container-Optimized OS (COS), build 89+
Currently Supported CPU Architectures
AMD64 (x86_64)
ARM (arm64)
Current Feature Limitations
- No Risk Spotlight/In Use integration
How Long until Host Scan Results Appear in the UI?
After installation:
- If the default parameter
nodeAnalyzer.nodeAnalyzer.hostScanner.scanOnStart=true is set, then a scan will start just after the pod is ready. You can expect the results in a few minutes, ~15 min max. - If this parameter is not set, results will be shown ~11 hours from install
- In all cases, scans are refreshed every 12 hours
- Helm chart and Docker container installations behave the same
Helm Install
If you have Kubernetes, the Helm install is the preferred method.
Prerequisites
Host scanning requires Sysdig Secure SaaS to be installed with:
sysdig-deploy Helm chart version 1.5.0+HostScanner container version 0.3.0+ (*0.3.1+ for Google COS)- Included by default on the helm chart version 1.5.0+, unless the user pins or modifies the defaults
- Host scanning is installed out of the box by default with the Helm chart; you can opt-out if desired.
Check Your Versions
Check your sysdig-deploy Helm chart (default namespace is sysdig-agent)
helm list -n <namespace>
Example:
$ helm list -n sysdig-agent
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
sysdig-agent sysdig-agent 5 2022-11-11 17:57:54.109917081 +0100 CET deployed sysdig-deploy-1.5.0
Upgrade Helm Chart Instructions here
Opting Out
If for some reason you don’t want to use host scanning, you can opt-out using the Helm chart flag:
--set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=false
Docker Container Install
If you have non-Kubernetes hosts but still want to use containers, you can deploy Host scanning without Helm as follows:
docker run --detach -e HOST_FS_MOUNT_PATH=/host -e SYSDIG_ACCESS_KEY=<access-key> -e SYSDIG_API_URL=<sysdig-secure-endpoint> -e SCAN_ON_START=true -v /:/host:ro --uts=host --net=host quay.io/sysdig/vuln-host-scanner:$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)
Non-Containerized Install
The Helm chart is the recommended installation method, but if you want to scan a host without using containers at all, we also offer a standalone binary and an RPM package.
The configuration is passed via environment variables, specifically:
- Retrieve your access key to use for
SYSDIG_ACCESS_KEY=<your-access-key> - Check your Sysdig Secure endpoint by region to use for
SYSDIG_API_URL=https://<sysdig-url>
RPM
Compatible with any host that supports the RPM package format, such as RHEL.
# Configure the repo
$ rpm --import https://download.sysdig.com/DRAIOS-GPG-KEY.public
$ curl -s -o /etc/yum.repos.d/draios.repo http://download.sysdig.com/stable/rpm/draios.repo
# Update index
$ yum update
# Install the package
$ yum install vuln-host-scanner
# Create your configuration file
$ cat /opt/draios/etc/vuln-host-scanner/env
SYSDIG_ACCESS_KEY=<access-key>
SYSDIG_API_URL=<api-url>
SCAN_ON_START=true # optional
# Enable the service
$ systemctl enable vuln-host-scanner.service
# Start the service
$ systemctl start vuln-host-scanner.service
# Check logs
$ journalctl -u vuln-host-scanner.service
Raw Binary
## Binary
$ ARCH=amd64; curl -s https://download.sysdig.com/scanning/bin/sysdig-host-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-host-scanner/latest_version.txt)/linux/$ARCH/sysdig-host-scanner > sysdig-host-scanner
# ARCH=arm64 for arm architectures
# Give exec permission
$ chmod +x sysdig-host-scanner
# Run it
$ SYSDIG_ACCESS_KEY=<access-key> SYSDIG_API_URL=<api-url> ./sysdig-host-scanner
Kubernetes Metadata:
If your node is part of an existing Kubernetes installation and you’re not using the official Helm chart, you’ll be in charge of setting node name and cluster name via
K8S_CLUSTER_NAME
K8S_NODE_NAME
Other environment variables for the Host Scanner are listed in the chart.
Usage
Once you have deployed the host scanner in your environment, the Runtime UI will integrate the findings alongside the runtime workload results, based on an out-of-the-box Vulnerability policy.
Filter for Hosts
You can filter to find results of host scanning using the quick links in the banner at the top of the page, and/or the filter bar.
Hosts can be filtered using
- Kubernetes cluster name
- Cloud account id
- Cloud account region
- Host Name
- Agent tags
See also, Vulnerability Policies|Runtime.
Download Reports
You can schedule and download reports for scanning done on hosts as well as containers.
See Vulnerabilities|Reporting.
3 - Reporting
This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use
Introduction
Use the Vulnerability Reporting interface to schedule asynchronous reports about detected runtime vulnerabilities along with package and image data. You can schedule reports for runtime (container) scanning and/or host scanning.
Here you can:
- Create a report definition
- Schedule its frequency
- Define notification channel(s) in which to receive the reports (email, Slack, or webhook)
- Preview how the data will appear (optional)
- Download the resulting reports in
.csv, .json, or .ndjson - Optionally, generate a manual (unscheduled) report
NOTE: Regardless of the schedule, reports always include the data from the past 24 hours. Therefore, most users schedule a daily report to avoid having any gaps
Past reports are stored for two weeks. Therefore, if you scheduled a weekly report, the list would only contain two records.
Create a Report Definition
For Runtime Workloads
Access: Log in to Sysdig Secure with Advanced User or higher permissions, and select Vulnerabilities > Reporting.
The Vulnerabilities Reporting list page is displayed. If you have previously created report definitions, you can click one to see the details.
Create: Click Add Report . The New Report page is displayed.
Basic Info: Define the report basic info:
- Name
- Description
- Export file format: .csv, .json, or .ndjson
Select Definitions:
Conditions: (Optional) Add Conditions from the drop-down if you want to filter the items reported on.
The available conditions include:
- Image Name * (only for this Entity)
- OS Name
- In Use * (only for this Entity)
- Package Name
- Package Path
- Package Type
- Package Version
- Vulnerability ID
- CVSS Score
- CVSS Vector
- Vuln Publish Date
- Exploitable
- Fix Available
- Risk Accepted
- Severity
- Vuln Fix Date
Example 1: You want a report of all vulnerabilities with a Severity >= High, and for which a Fix is Available.
Example 2: You want a report of all vulnerabilities that are In Use with Accepted Risks.
Schedule: Define the Schedule (frequency and time of day) that the report should be run.
Note: The schedule determines when the report data collection begins. As soon as evaluation is complete, you will receive a notification in the configured notification channels.
Notification Channel: If you have configured them, you can use email, Slack, or webhook notification channels, and they will appear in the drop-down. Since reports are typically large, the actual data is not sent to the notification channel; you receive a link to download it. You must be a valid Sysdig Secure user (Advanced User+) to access the link.
Data Preview: Click Refresh to apply the configuration you’ve chosen and pull up on the center bar of the Data Preview panel to see sample results.
Click Save.
For Runtime Hosts
All of the steps are the same as for Runtime Workload reports, except:
Basic Info: Select Runtime Hosts as the entity.
Conditions: (Optional) Add Conditions from the drop-down if you want to filter the items reported on.
The available Conditions include:
- Architecture * (only for this entity)
- OS Name
- Package Name
- Package Path
- Package Type
- Package Version
- CVSS score
- CVSS vector
- Vuln Publish Date
- Exploitable
- Fix Available
- Risk Accepted
- Severity
- Vuln Fix Date
Manage Reports
View and Edit Report Definition
Select an entry in the Reporting list to see the detail panel.
Click Edit to change the report definition parameters. You can also access this panel from the kebab (3-dot) menu.
Make your edits, click Refresh to see the Data Preview, and Save.
Download Reports
From the Reporting list, the latest report download link appears in the Download column.
To see older reports, select an entry in the Reports list to open the detail panel and select from the report download list.
The report will be downloaded in the format you defined; the file is zipped (.gz) – double-click to unzip and view.
Generate Report Manually
- Select an entry in the Reporting list to see the detail panel.
- Click
Generate Now. A Scheduled entry will appear. Within 15 minutes or so it will change to Completed and you can download the manually generated report.
Duplicate a Report Definition
- Choose the kebab (3-dot) menu for a scheduled report.
- Click
Duplicate.
Report Definition Retention
The scheduled and manually created reports are retained for 14 days.
Delete a Report Definition
Be sure to download any needed reports before deleting the definition.
Choose the kebab (3-dot) menu for a scheduled report.
Click Delete, click Yes when prompted.
The report definition and all associated reports are deleted.
