Vulnerability Findings
Understand Image Scanning
Image scanning enables you to examine container images for vulnerabilities, misconfigurations, and license violations. You can integrate image scanning into your development build process to verify images added to your container registry, as well as scan images used by active containers in your infrastructure.
Image scanning provides registry insights into where your images are stored, initiates scans, and allows you to review the scan results.
Behind the scenes:
SBOM is analyzed
SBOM is compared against multiple vulnerability databases
SBOM is then evaluated against default or user-defined policies.
Results are reported, both in Sysdig Secure and (if applicable) in a developer’s external CI tool.
Platform-Based Scanning
The Sysdig Vulnerability Management module offers platform-based scanning by default. The scanning tools analyze images and host filesystems to extract the Software Bill of Materials (SBOM) and send it to the Sysdig backend for vulnerability matching and policy evaluation. You can retrieve the scan results by using the API.
Prerequisites
VM Tools installed
The following versions of VM tools support SBOM scanning:
Host Scanner v0.7.0 and above, for non-Kubernetes containers
Host Scanner does not currently support scanning the host filesystem itself
Cluster Scanner v1.23 and above
CLI Scanner v1.8.0 and above
Registry Scanner v1.1.26 and above
Agentless scanning
For on-prem environments, use v6.8.0
View SBOM
To retrieve the SBOM of your asset, issue a curl GET request against the Sysdig Secure endpoint:
curl -XGET -H 'Authorization: Bearer <API_TOKEN>' 'https://<HOSTNAME>/secure/vulnerability/v1beta1/sboms?assetId=<sha256:xxxxxx>&assetType=container-image'
Query Parameters
assetId: The ID of the asset for which you want to retrieve the SBOM. It is the imageId for container-image and the hostId for hosts. For example, assetId=sha256:xxxxxx. You can provide either bomIdentifier alone, or both assetId and assetType.
assetType: The type of the asset for which you want to retrieve the SBOM. For example, container-image. Provide this together with assetId if you are not providing bomIdentifier.
bomIdentifier: The ID of a single SBOM. You can provide either bomIdentifier alone, or both assetId and assetType, to retrieve the SBOM. For example, bomIdentifier=urn:uuid:45667rrrr-b8f2-42345-b996-dkffllflp.
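The same request as the curl command above, as an added Python example (not Sysdig's own client): it enforces the parameter rule locally (bomIdentifier alone, or assetId together with assetType), percent-encodes the digest or URN, reads the token from the environment so it does not end up in shell history or `ps` output the way a token pasted into a curl -H argument does, and summarizes the returned document per package ecosystem. The endpoint path and parameter names come from the page; the environment variable names, the default hostname and the CycloneDX-style "components"/"purl" layout of the response are assumptions.

```python
"""Retrieve an SBOM from the Sysdig Secure vulnerability API.

Added example, not Sysdig's own client. The endpoint path, the query parameter
names and the "bomIdentifier alone, or assetId together with assetType" rule are
taken from the documentation; the environment variable names, the default
hostname and the CycloneDX-style 'components'/'purl' layout of the response
are assumptions.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

SBOM_PATH = "/secure/vulnerability/v1beta1/sboms"


def build_sbom_query(asset_id=None, asset_type=None, bom_identifier=None):
    """Return the query parameters for the sboms endpoint, or raise ValueError.

    Invalid combinations are rejected locally instead of being sent to the API.
    """
    if bom_identifier is not None:
        if asset_id is not None or asset_type is not None:
            raise ValueError("pass bomIdentifier alone, or assetId together with assetType")
        return {"bomIdentifier": bom_identifier}
    if asset_id is None or asset_type is None:
        raise ValueError("assetId and assetType are both required when bomIdentifier is absent")
    if asset_type == "container-image" and not asset_id.startswith("sha256:"):
        # For container-image the assetId is the image ID (a sha256 digest), not a tag.
        raise ValueError("container-image assetId must be an image digest, e.g. sha256:...")
    return {"assetId": asset_id, "assetType": asset_type}


def build_sbom_url(hostname, **kwargs):
    """Full request URL; urlencode percent-encodes the ':' in digests and URNs."""
    query = urllib.parse.urlencode(build_sbom_query(**kwargs))
    return f"https://{hostname}{SBOM_PATH}?{query}"


def fetch_sbom(hostname, token, **kwargs):
    """GET the SBOM and return the decoded JSON document."""
    req = urllib.request.Request(
        build_sbom_url(hostname, **kwargs),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_components(sbom):
    """Count components per package ecosystem (the type part of each purl).

    Assumes a CycloneDX-style 'components' array whose entries carry a 'purl';
    entries without one are counted under 'unknown'.
    """
    counts = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        ecosystem = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        counts[ecosystem] = counts.get(ecosystem, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python sbom.py sha256:<image-id>
    token = os.environ["SYSDIG_API_TOKEN"]                      # assumed variable name
    host = os.environ.get("SYSDIG_HOST", "secure.sysdig.com")   # assumed default host
    doc = fetch_sbom(host, token, asset_id=sys.argv[1], asset_type="container-image")
    print(json.dumps(summarize_components(doc), indent=2))
```

The ecosystem summary is a quick sanity check that the SBOM covers what you expect (OS packages plus each language ecosystem the image ships); an image whose SBOM lists only apk packages when it runs a Node application usually means the application layer was not inventoried.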
Instant Scanning with Scan Now
You can skip deploying CLI-based scanning tools such as Registry Scanner and directly scan the images in your running environment using the Scan Now button. This initiates platform-based scanning, making it easier to get started with Vulnerability Management: you can scan and view image results without deploying any extra components. For more information, see Manual Image Scanning.
Layered Analysis
Container images are optimized for distribution by being composed of layers. Each change or instruction executed when building an image generates a new layer. Every set of filesystem changes you make, be it additions, deletions, or modifications, is recorded on top of the previous image as a new layer.
Layered Analysis detects and displays the vulnerabilities and packages associated with each image layer, and identifies different remediation actions and owners depending on the layer that introduces them. For example, vulnerabilities in the base OS layer are remediated by updating the base image version, typically by the security or platform team. In contrast, those belonging to the application or non-OS layers are remediated by bumping the versions of libraries and dependencies in the corresponding application or service, owned by the development teams.
Additionally, layered analysis can detect sibling images that are built on top of the same base image and enables routing remediation actions to the right layer and the right owner.
Prerequisites and Guidelines
CLI Scanner v1.12.0 or higher
Use the --separate-by-layer and --separate-by-image options to change the output of the CLI scanner to show image hierarchy or layer information. For more information, see Display Image Layers.
Cluster Shield
Platform scanning is enabled by default
Registry Scanner v1.1.26 or higher
Platform scanning is enabled by default
Legacy runtime-scanner is not supported
Use Scan Results API JSON to view the new fields for layer information
Caveats
The FROM shown in the Image Hierarchy should not be confused with the FROM in the Dockerfile, as they might differ. Sysdig detects base images by matching a common set of layers and displays these base images using the known name and digest as FROM in the Image Hierarchy. Since tags and image names might mutate or be aliases for the same image, the displayed name might differ. For example, an image built with FROM alpine in the Dockerfile might be shown as FROM alpine:3.18.1, alpine@sha256:1ab61723... in the image hierarchy.
The SBOM of the base images must be known to Sysdig to identify them as part of the image hierarchy. For example, you can scan the alpine:3.18.1 base image using pipeline or registry scanning, and runtime scanning then recognizes it when any workload based on alpine:3.18.1 runs.
Under the Image Hierarchy:
All layers shows the total number of vulnerabilities in the final image composition, including vulnerabilities from both the application layers and the OS layers. Commonly the total displayed is the sum of the base images and the application layers, but this is not always the case: if a vulnerability is fixed by upgrading or removing a package or library in one of the intermediate layers, the All layers count will not include that vulnerability.
The base images (prefixed with FROM) display the vulnerabilities present in that base image, including those inherited from parent images. However, the Application layers counter includes vulnerabilities introduced in the application layers only. It doesn’t include the ones from base images.
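As an added example (not Sysdig's code, and not the Scan Results API JSON schema), the following Python models the behaviour described under Layered Analysis and in the caveats above: base-image detection by matching a known prefix of layer digests, which is why the hierarchy's FROM can differ from the Dockerfile's; the three counters shown under the Image Hierarchy, including the case where an intermediate layer fixes an inherited vulnerability so that All layers is less than base plus application; and grouping of sibling images that share a base. Layer digests, image names and the finding labels V1..V4 are constructed placeholders, not real identifiers.

```python
"""Model how layered analysis attributes findings to base-image vs application layers.

Added example with constructed data. It is not Sysdig's code and does not reflect
the Scan Results API JSON schema. Layer digests, image names and the finding
labels V1..V4 are placeholders, not real identifiers.
"""
from dataclasses import dataclass


@dataclass
class Layer:
    digest: str
    introduces: frozenset = frozenset()  # findings whose package lands in this layer
    fixes: frozenset = frozenset()       # findings removed by an upgrade/removal in this layer


# Known base images: display name (as scanned) and the layer digests learned from scanning them.
KNOWN_BASES = {
    "alpine:3.18.1, alpine@sha256:aaaa": ["sha256:base-1", "sha256:base-2"],
    "debian:12, debian@sha256:bbbb": ["sha256:deb-1"],
}


def find_base_image(layers, known_bases=KNOWN_BASES):
    """Return (display_name, number_of_base_layers) for the longest known layer prefix.

    The match is on layer digests, so the name shown is the one the base was scanned
    under, not the tag the Dockerfile's FROM used. Unknown bases give (None, 0).
    """
    digests = [layer.digest for layer in layers]
    best = (None, 0)
    for name, base_digests in known_bases.items():
        n = len(base_digests)
        if n > best[1] and digests[:n] == base_digests:
            best = (name, n)
    return best


def findings_after(layers):
    """Replay the layers in order: a fix in a later layer removes an earlier finding."""
    current = set()
    for layer in layers:
        current = (current - set(layer.fixes)) | set(layer.introduces)
    return current


def hierarchy_counters(layers, known_bases=KNOWN_BASES):
    """Compute the three counters shown under the Image Hierarchy."""
    base_name, n = find_base_image(layers, known_bases)
    app_layers = layers[n:]
    return {
        "from": base_name,
        "base_image": len(findings_after(layers[:n])),
        # Application layers counts only what those layers introduce, never inherited findings.
        "application_layers": len(set().union(*(set(layer.introduces) for layer in app_layers))),
        # All layers is the final composition, so it is not always base + application.
        "all_layers": len(findings_after(layers)),
    }


def sibling_images(images, known_bases=KNOWN_BASES):
    """Group image names by the base image they were detected to be built on."""
    groups = {}
    for name, layers in images.items():
        base, _ = find_base_image(layers, known_bases)
        groups.setdefault(base, []).append(name)
    return groups


# Constructed sample: two layers inherited from the alpine base, then two application layers.
SAMPLE_IMAGE = [
    Layer("sha256:base-1", introduces=frozenset({"V1"})),
    Layer("sha256:base-2", introduces=frozenset({"V2"})),
    Layer("sha256:app-1", introduces=frozenset({"V3"}), fixes=frozenset({"V2"})),  # e.g. a package upgrade
    Layer("sha256:app-2", introduces=frozenset({"V4"})),
]

if __name__ == "__main__":
    # base_image 2 + application_layers 2, but all_layers 3: V2 was fixed in an app layer.
    print(hierarchy_counters(SAMPLE_IMAGE))
```

The replay in findings_after is the part worth keeping in mind when reading the counters: the base counter is computed from the base layers alone, so it still reports V2 even though the final image no longer contains the vulnerable package.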
View Image Layers
See the Recommendations tab associated with an image or pipeline scan to view the list of CVEs, fixable packages, and the commands to fix the issues.
The Vulnerabilities tab provides you with the hierarchy of the image, all the layers of the image, and the total number of CVEs. Select a layer to view the CVEs associated with that particular layer.
See the Packages tab to view the list of layers associated with the selected image and packages associated with each layer.
Report Scanning Results
The analysis generates a detailed report of the image contents, including:
Official OS packages
Unofficial OS packages
Configuration files
Credentials files
Image layers
Localization modules and software-specific installers:
JavaScript with npm
Python with pip
Ruby with gem
Java/JVM with .jar archives
Image metadata and configuration attributes
Remediate with Jira
Sysdig has an API-enabled remediation workflow with Jira, available if you have enabled the Jira Integration.
To create a Jira ticket from the Sysdig Secure Vulnerabilities module:
Navigate to any results page.
Open the Vulnerabilities tab.
Click on a vulnerability.
The details panel opens on the right.
Click Create a Jira ticket.
Fill in the details, such as Project, Ticket type, Assignee, and custom labels.
Submit the ticket.
Once submitted the CVE drawer will note that there is an existing Jira ticket for that remediation.