Compatibility and Vulnerability Sources
Sysdig Secure continuously checks against a wide range of vulnerability databases. The current database list includes:
- NIST NVD
- VulnDB
- NPM
- Python
- Ruby
- Alpine Linux
- CentOS
- Debian
- Red Hat
- Rocky ERRATA
- Ubuntu
- Amazon Linux
- Alibaba Linux
- Oracle Linux
- Chainguard
- Wolfi
- Amazon BottleRocket
- PHP Advisory
- Go Vulnerability Database
- GitHub Advisories
- GitLab Advisories
Supported Operating Systems
Operating System | Versions | Source | CVSS Score | Severity |
---|---|---|---|---|
Alpine Linux | 3.2+ | Alpine Linux | NVD | NVD |
CentOS | 7, 8-stream, 9-stream | CentOS | NVD | NVD |
Debian | 10 (Buster), 11 (Bullseye), 12 (Bookworm), Trixie (unstable) | Debian | NVD | Debian Urgency |
Red Hat | 7, 8, 9 | Red Hat CSAF-VEX | Red Hat | Red Hat Impact |
Rocky Linux | 8, 9 | Rocky ERRATA | NVD | NVD |
Ubuntu | 18.04 LTS (Bionic), 20.04 LTS (Focal), 22.04 LTS (Jammy), 23.04 (Lunar) | Ubuntu | NVD | Ubuntu Priority |
Amazon Linux | 2, 2022, 2023 | Amazon Linux | NVD | Amazon Severity |
Alibaba Linux | 2 | Alibaba Linux | Alibaba | Alibaba Severity |
Oracle Linux | 7, 8, 9 | Oracle Linux | Oracle | Oracle Severity |
Chainguard | N/A | Chainguard | NVD | NVD |
Wolfi | N/A | Wolfi | NVD | NVD |
Amazon BottleRocket | 1.10, 1.11 | Amazon BottleRocket | NVD | NVD |
Google Distroless | Tracks Debian 12 (Bookworm) | Debian CVE Tracker | NVD | NVD |
Flatcar | All versions | Gentoo GLSA | NVD | Gentoo Impact |
Non-OS-Based Sources and Supported Package Types
Non-OS-Based Sources | Matched Package Types | Source | CVSS Score | Severity |
---|---|---|---|---|
NPM (JavaScript) | NPM (JavaScript) | NPM | NVD | NVD |
Python (PyPI) | Python | Python Advisory > GitHub > GitLab | NVD | NVD |
Ruby | Ruby Gems | GitHub > GitLab > Ruby Advisory | NVD | NVD |
Rust | Cargo (Rust) | GitHub > GitLab | NVD | NVD |
Go | Golang (built with Go 1.13+), Go Runtime | GitHub > GitLab > Go Vulnerability Database | NVD | NVD |
Java | Java (JAR, WAR, EAR) | GitHub > GitLab | NVD | NVD |
PHP | Composer (PHP) | PHP Advisory > GitHub > GitLab | NVD | NVD |
C# | NuGet (.NET) | GitHub > GitLab | NVD | NVD |
Column Legend
Column | Description |
---|---|
Source | The specific database or advisory where Sysdig matches vulnerabilities, whether it’s from a vendor, an operating system, or a non-OS package. |
Matched Package Types / Versions | The programming languages or operating system versions that are scanned for vulnerabilities, matched against specific sources. For packages, it indicates supported types, and for OS, the supported versions. |
CVSS Score | The primary vulnerability score, such as NVD, displayed in the UX or reports. Additional scores from vendor-specific sources may also be available. |
Severity | The primary severity level derived from the score, shown in the UX or reports. Vendor-specific severities may also be displayed where applicable. |
Resource Support
Kubernetes Workloads
Sysdig Secure provides runtime monitoring and vulnerability scanning for the following Kubernetes workload types using the Sysdig Cluster Shield:
- Pods
- Deployments
- StatefulSets
- DaemonSets
- Jobs
- CronJobs
- ReplicaSets
- ReplicationController
Non-Orchestrated or Non-Kubernetes Containers
For non-orchestrated or non-Kubernetes containers, Sysdig supports scanning using the Host Scanner with Container Scanning enabled.
Supported Container Runtimes
Host Scanner
- Docker daemon
- containerd
- CRI-O
Cluster Shield
The Sysdig Cluster Shield supports any container runtime that Kubernetes supports. For the list of supported Kubernetes runtimes, see the Kubernetes Supported Container Runtime documentation.
Standalone Hosts
For standalone hosts running one of the supported distributions listed above, Sysdig Secure performs full host vulnerability scanning and monitoring. For more information, see the Host Scanner Installation Guide.
Agentless Scanning for Cloud Hosts
Sysdig Secure provides agentless scanning capabilities for the following cloud providers:
- AWS: Amazon EC2 instances running supported distributions
- Azure: Microsoft Azure VM instances running supported distributions
- Google Cloud: Google Compute Engine (GCE) instances running supported distributions
Agentless scanning allows Sysdig Secure to discover vulnerabilities without installing agents directly on the hosts. See the Agentless Setup Guide to enable Agentless Vulnerability Scanning.
Additionally, Sysdig agentless scanning can detect and scan running containers on agentlessly scanned hosts that run supported distributions.
CI/CD Pipeline
For CI/CD pipeline scanning, Sysdig provides a CLI-based scanner that integrates into your build pipeline to scan container images. For more information, see Sysdig CLI Scanner.
CLI Scanner Supported Container Image Formats and Loading Methods
Prefix | Name | Description |
---|---|---|
docker:// | Docker Daemon | Load the image from the Docker daemon (honoring the DOCKER_HOST environment variable or other Docker configuration files). |
podman:// | Podman | Load the image from the Podman daemon. |
file:// | Docker Archive (tar) | Load the image from a .tar file saved as a Docker image archive (Docker save command). |
containerd:// | Containerd | Load the image from the Containerd daemon, which manages container lifecycles on the host. |
crio:// | CRI-O | Load the image from the Containers Storage location (used by CRI-O for Kubernetes environments). |
pull:// | Docker Registry | Force pulling the image from a remote repository, ignoring local images with the same name. |
Supported Container Image CPU Architectures
- linux/amd64
- linux/arm64
- linux/s390x
VM Component Deprecation and Supportability
Legacy Engine Components
All V1 Engine Components will be deprecated on January 1st, 2025. After this date, Sysdig will not apply defect fixes or security patches. Below are the replacement components for the affected items:
Affected Components
Legacy Component | Description | Replacement Components |
---|---|---|
Sysdig Image Analyzer | Sysdig Legacy Engine runtime container scanner for container workloads | Agent: Sysdig Cluster Shield or Sysdig Host Scanner; Agentless: Agentless Host-Based Scanning |
Sysdig Host Analyzer | Sysdig Legacy Engine host scanning component for analyzing host-level vulnerabilities | Agent: Sysdig Host Scanner; Agentless: Agentless Host-Based Scanning |
Sysdig Inline Scanner | Sysdig’s command line scanner for container images | Command Line: Sysdig CLI Scanner |
Sysdig Registry Scanner | Sysdig Legacy Scanning component for container registries | Registry Scanner (Sysdig Helm Chart version 1.0.0 introduced the new scanning engine functionality by default) |
Scanning Engine Components
Certain components and versions used with the Sysdig Scanning Engine will reach end-of-life (EOL) or be considered out of support. The affected components and their descriptions are listed below.
Affected Components
Component | Description | End of Support |
---|---|---|
Sysdig Runtime Scanner | The first scanner introduced in the new Scanning Engine for Kubernetes workloads. | Yes - End of 2024, due to the switch to CSAF-VEX. Use Sysdig Cluster Shield. |
Sysdig Cluster Scanner | Integrated into Sysdig Cluster Shield as an all-in-one deployable component for Kubernetes workloads. No longer supported as a standalone component. | Yes - No longer supported as a standalone component. Use Sysdig Cluster Shield. |
Sysdig Host Scanner | The scanner will continue to be supported, but versions < 0.9.0 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v0.9.0, due to the switch to CSAF-VEX; additionally, see Sysdig Host Shield (Tech Preview). No - Versions above v0.10.0. |
Sysdig Registry Scanner | The scanner will continue to be supported, but versions < 0.2.61 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v0.2.61, due to the switch to CSAF-VEX. No - Versions above v0.2.62. |
Sysdig CLI Scanner | The scanner will continue to be supported, but versions < 1.11.0 will no longer detect Red Hat vulnerabilities due to the switch to CSAF-VEX on Jan 1st, 2025. | Yes - Versions below v1.11.0, due to the switch to CSAF-VEX. No - Versions above v1.12.0. |
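The practical risk in the table above is silent: a scanner below the stated version keeps running and keeps reporting, but no longer detects Red Hat vulnerabilities. The following script is an added example (not Sysdig's own code or tooling) that audits a deployed-component inventory against the three version thresholds the page gives (Host Scanner 0.9.0, Registry Scanner 0.2.61, CLI Scanner 1.11.0). The component names used as dictionary keys and the sample inventory are constructed for the example; substitute whatever names your own inventory uses.

```python
"""Audit scanner component versions against the Red Hat detection thresholds.

Added example. Thresholds come from the end-of-support table on this page:
below these versions a component stops detecting Red Hat vulnerabilities
after the CSAF-VEX switch on 1 January 2025. Component keys are labels chosen
for this example, not identifiers from Sysdig.
"""
from __future__ import annotations

# Minimum version that still detects Red Hat vulnerabilities (from the page).
MIN_VERSION_FOR_REDHAT: dict[str, str] = {
    "sysdig-host-scanner": "0.9.0",
    "sysdig-registry-scanner": "0.2.61",
    "sysdig-cli-scanner": "1.11.0",
}

# Constructed sample inventory, e.g. collected from Helm releases and CI images.
SAMPLE_INVENTORY: dict[str, str] = {
    "sysdig-host-scanner": "v0.8.3",
    "sysdig-registry-scanner": "0.2.61",
    "sysdig-cli-scanner": "1.10.5",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'v1.11.0', '1.11' or '0.9.0-rc1' into a comparable tuple of ints.

    Only the leading digits of each dotted component are used, so pre-release
    suffixes do not break the comparison; short versions are padded with zeros
    so that '1.11' compares equal to '1.11.0'.
    """
    parts: list[int] = []
    for piece in version.strip().lstrip("vV").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def loses_redhat_detection(component: str, version: str) -> bool:
    """True if this component/version is below the page's threshold."""
    threshold = MIN_VERSION_FOR_REDHAT.get(component)
    if threshold is None:
        raise ValueError(f"unknown component: {component}")
    return parse_version(version) < parse_version(threshold)


def audit(inventory: dict[str, str]) -> list[str]:
    """Return the sorted names of components that must be upgraded.

    Any component in the inventory that is not in the threshold table raises,
    so an unexpected name is surfaced rather than silently passed.
    """
    return sorted(
        name for name, version in inventory.items()
        if loses_redhat_detection(name, version)
    )


if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name} {SAMPLE_INVENTORY[name]}: below "
              f"{MIN_VERSION_FOR_REDHAT[name]}, Red Hat CVEs not detected")
```

Run it against the constructed inventory and it flags the host scanner (0.8.3) and the CLI scanner (1.10.5) but not the registry scanner, which sits exactly at its threshold. The comparison treats the threshold version itself as acceptable, matching the page's "versions below" wording; the unspecified band between the "below" and "above" versions in the table is not modelled here.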