Vulnerability Findings

Vulnerability Findings offers a comprehensive list of vulnerabilities and policy evaluations, helping you prioritize the remediation of active, critical, and exploitable vulnerabilities at every stage of code development.

Understand Image Scanning

Image scanning enables you to examine container images for vulnerabilities, misconfigurations, and license violations. You can integrate image scanning into your development build process to verify images added to your container registry, as well as scan images used by active containers in your infrastructure.

Image scanning provides registry insights into where your images are stored, initiates scans, and allows you to review the scan results.

Behind the scenes:

  • SBOM is analyzed

  • SBOM is compared against multiple vulnerability databases

  • SBOM is then evaluated against default or user-defined policies.

  • Results are reported, both in Sysdig Secure and (if applicable) in a developer’s external CI tool.

Platform-Based Scanning

Sysdig Vulnerability Management module offers platform-based scanning by default. The scanning tools analyze images and host filesystems to extract the Software Bill of Materials (SBOM) and send them to the Sysdig backend for vulnerability matching and policy evaluation. You can retrieve the scanning result by using an API.

Prerequisites

  • VM Tools installed

    The following version of VM tools support SBOM scanning:

    • Host Scanner v0.7.0 and above for non-Kubernetes containers

      Host scanner for host filesystem is not currently supported

    • Cluster Scanner v1.23 and above

    • CLI Scanner v1.8.0 and above

    • Registry Scanner v1.1.26 and above

    • Agentless scanning

  • For on-prem environment, use v6.8.0

View SBOM

To retrieve the SBOM of your asset, issue a curl GET request against the Sysdig Secure endpoint:

curl -XGET -H 'Authorization: Bearer <API_TOKEN>' 'https://<HOSTNAME>/secure/vulnerability/v1beta1/sboms?assetId=<sha256:xxxxxx>&assetType=container-image'

Query Parameters

  • assetId: The ID of the asset for which you want to retrieve the SBOM. It’s the imageId for container-image and the hostId for hosts. For example, assetId=sha256:xxxxxx. You can provide bomIdentifier or both assetId and assetType
  • assetType: The type of the asset for which you want to retrieve the SBOM. For example, container-image. Provide this with the assetId if you are not providing bomIdentifier.
  • bomIdentifier: The ID of a single SBOM. Either you can provide bomIdentifier or both assetId and assetType to retrieve the SBOM result. For example, bomIdentifier=urn:uuid:45667rrrr-b8f2-42345-b996-dkffllflp.

Instant Scanning with Scan Now

You can skip deploying CLI-based scanning tools such as Registry Scanner and directly scanning the images in your running environment using the Scan Now button. This initiates platform-based scanning, making it easier to get started with Vulnerability Management. You can effortlessly scan and view image results without needing to deploy any extra components. For more information, see Manual Image Scanning.

Layered Analysis

Container images are optimized for distribution by composing by layers. Each change or instruction executed when building an image generates a new layer. Every set of filesystem changes you make, be it additions, deletions, or modifications causes the previous image to change, thus creating a new layer.

Layered Analysis helps detect and display vulnerabilities and packages associated with each image layer and identify different remediation actions and ownership depending on the layer that introduces them. For example, vulnerabilities in the base OS layer are remediated by updating the base image version, typically performed by the security team. In contrast, the ones belonging to the application or non-os layers are remediated by bumping the versions of libraries and dependencies in the corresponding application or service owned by the development teams.

Additionally, layered analysis can detect sibling images that are built on top of the same base image and enables routing remediation actions to the right layer and the right owner.

Prerequisites and Guidelines

  • CLI Scanner v1.12.0 or higher

    Use the --separate-by-layer and --separate-by-image options to change the output of the CLI scanner to show image hierarchy or layer information. For more information, see Display Image Layers.

  • Cluster Shield

    Platform scanning is enabled by default

  • Registry Scanner v1.1.26 or higher

    Platform scanning is enabled by default

  • Legacy runtime-scanner is not supported

  • Use Scan Results API JSON to view the new fields for layer information

Caveats

  • The FROM shown in the Image Hierarchy should not be confused with the FROM in the Dockerfile, as they might differ. Sysdig detects base images by matching a common set of layers and displays these base images using the known name and digest as FROM in the Image Hierarchy. Since tags and image names might mutate or be aliases for the same image, the displayed name might differ. For example, an image built using the command FROM alpine in the Dockerfile might be shown as FROM alpine:3.18.1, alpine@sha256:1ab61723... in the image hierarchy.

  • The SBOM of the base images must be known to Sysdig to identify them as part of the image hierarchy. For example, you can scan the alpine:3.18.1 base image using pipeline or registry scanning, and runtime scanning helps recognize it when running any workload based on alpine:3.18.1.

  • Under the Image Hierarchy:

    • All layers shows the total number of vulnerabilities in the final image composition, including vulnerabilities from both the application layers and OS layers. Commonly the total number displayed will be the sum of the base images and the application layers, but this is not always the case. If a vulnerability is fixed by upgrading or removing a package or library in one of the intermediate layers, the count in the All layers won’t include that vulnerability.

    • The base images (prefixed with FROM) display the vulnerabilities present in that base image, including those inherited from parent images. However, the Application layers counter includes vulnerabilities introduced in the application layers only. It doesn’t include the ones from base images.

View Image Layers

See the Recommendations tab associated with an image or pipeline scan to view list of CVEs, fixable packages, and the commands to fix the issues.

The Vulnerabilities tab provides you with the hierarchy of the image, all the layers of the image, and the total number of CVEs. Select a layer to view the CVEs associated with that particular layer.

See the Packages tab to view the list of layers associated with the selected image and packages associated with each layer.

Report Scanning Results

The analysis generates a detailed report of the image contents, including:

  • Official OS packages

  • Unofficial OS packages

  • Configuration files

  • Credentials files

  • Image layers

  • Localization modules and software-specific installers:

    • Javascript with NPM

    • Python PiP

    • Ruby with GEM

    • Java/JVM with .jar archives

  • Image metadata and configuration attributes

Remediate with Jira

Sysdig has an API-enabled remediation workflow with Jira, if you have enabled the Jira Integration

To create a Jira ticket from the Sysdig Secure Vulnerabilities module:

  1. Navigate to any results page.

  2. Open the Vulnerabilities tab.

  3. Click on a vulnerability

    The details panel will open on right.

  4. Click Create a Jira ticket.

  5. Fill in the details, such as Project, Ticket type, assignee, and customer labels.

  6. Submit the ticket.

Once submitted the CVE drawer will note that there is an existing Jira ticket for that remediation.