Vulnerability Findings
Technical Preview: This feature is currently in rapid development and may change frequently.
Understand Vulnerability Findings
The Vulnerability Findings view provides a detailed, sortable list of all discovered vulnerabilities across your infrastructure. This table is designed for analysts and engineers to drill into specific findings, understand context, and take remediation action.
Each row in the table represents a unique vulnerability finding, identified by:
Title | Description |
---|---|
CVE ID | Common Vulnerabilities and Exposures identifier assigned to the vulnerability. Clicking the CVE navigates to the Vulnerability Findings page for full context. |
Affected Resource | The asset where the vulnerability was detected, such as a container, host, or Kubernetes workload. See Supported Resources for more details. |
Affected Package and Version | The software package and specific version containing the vulnerability. |
Severity | The CVE severity, sourced from the detected context. Where possible, severity is sourced from the vendor. If unavailable, we fall back to NVD, and then VulnDB. For more information, see Vulnerability Feeds. |
Context | Security attributes including: Has Fix – Fix available, In Use – Package is active at runtime, Exploitable – Public exploit exists, Risk Accepted – Finding has been reviewed and accepted. |
CISA Kev | Indicates the vulnerability is part of the CISA KEV Catalog, meaning it’s confirmed to be exploited in the wild and should be prioritized. |
EPSS Score | EPSS (Exploit Prediction Scoring System) indicates the likelihood (%) that a vulnerability will be exploited in the next 30 days. Higher scores signal higher real-world risk. |
Zones | Indicates the number of Sysdig Zones the affected resource is part of. More zones may suggest broader infrastructure impact and remediation urgency. |
First Seen | Shows the first time the finding or affected resource was discovered by Sysdig components. Useful for identifying aging risks or recent introductions. Calculation varies by grouping: - None – Time the finding was first seen on the associated resource. - CVE – First time the CVE was seen in the environment. - Image – First time the affected image was seen. - Runtime Resource – First time the specific resource (e.g., container or host) was seen. |
Number of Findings | Count of vulnerability instances for the given resource or grouping. Available when using Groupings. |
Status | Marks findings first detected in the last 24 hours. Useful for identifying recently discovered or published vulnerabilities. |
Use this view to:
- Review your findings by scanning severity, exploitability, and runtime context
- Prioritize what’s real, fixable, and likely to be exploited
Grouping Findings
Four groupings are available in Vulnerability Findings:
- None – Every finding is displayed as a single entity (CVE × Package × Resource).
- CVE – All findings grouped by CVE ID.
- Image – All findings grouped by the underlying container image from runtime resources.
- Runtime Resource – All findings grouped by the resource (e.g., pod, container, host, workload) they were detected on.
Grouping allows you to pivot your view based on how you prefer to triage and understand the spread of vulnerabilities across your infrastructure.
The Vulnerability Findings page currently shows findings only from Runtime Resources. The Runtime Resources currently supported are:
- Kubernetes Workloads
- Container Workloads
- Hosts
Prioritizing with Filters
Use filters to focus on the vulnerabilities that matter most, such as those that are in use, exploitable, and have a fix available.
You can also refine results using metadata from your runtime resources, such as clusters, namespaces, images, or applications.
This helps you cut through the noise and surface only the findings that are real, actionable, and impacting your most critical assets.
Supported Filters
Filter Key | Example | Description |
---|---|---|
Zone name | Production | Name of the logical grouping or environment. For example, staging and production. |
Crit | true | Filters for critical severity vulnerabilities. |
High | true | Filters for high severity vulnerabilities. |
Med | true | Filters for medium severity vulnerabilities. |
Low | true | Filters for low severity vulnerabilities. |
Neg | true | Filters for negligible severity vulnerabilities. |
Vulnerability hasExploit | true | Indicates whether a known exploit exists. |
Vulnerability inUse | true | Indicates whether the vulnerable package is in use. |
Vulnerability hasFix | true | Indicates whether a fix is available for the vulnerability. |
Vulnerability AcceptedRisk | true | Indicates if the vulnerability is marked as accepted risk. |
RuntimeMetadata architecture | x86_64 | System architecture of the runtime resource. |
RuntimeMetadata category | container | Category of the runtime. For example, container and VM. |
RuntimeMetadata containerName | nginx | Name of the container. |
RuntimeMetadata imageId | sha256:abc123... | Unique ID of the container image. |
RuntimeMetadata imageReference | registry.io/nginx:latest | Full container image reference. |
RuntimeMetadata imageRegistry | registry.io | Registry where the image is hosted. |
RuntimeMetadata imageRepository | nginx | Repository name of the container image. |
RuntimeMetadata imageTag | 1.0 | Tag of the container image. |
RuntimeMetadata manifestDigest | sha256:... | Digest of the image manifest. |
RuntimeMetadata operatingSystem | redhat 9.5 | Operating system used by the container image. |
RuntimeMetadata platform | GCP | Cloud platform where the runtime is deployed. |
RuntimeMetadata type | Cloud Run Job | Type of runtime metadata source. |
RuntimeResource accountId | 123456789012 | Cloud account ID where the resource resides. |
RuntimeResource clusterName | prod-cluster | Name of the Kubernetes cluster. |
RuntimeResource containerId | abcdef123456 | Container instance identifier. |
RuntimeResource hostname | node-1 | Hostname of the runtime node. |
RuntimeResource isExposed | true | Indicates if the resource is externally accessible. |
RuntimeResource location | us-west1 | Cloud region or location. |
RuntimeResource name | nginx-deployment | Resource name within the environment. |
RuntimeResource namespace | default | Namespace for the Kubernetes resource. |
RuntimeResource organization | engineering | Organizational unit responsible for the resource. |
RuntimeResource platform | eks | Platform where the runtime resource is hosted. |
RuntimeResource projectId | my-project | Identifier for the cloud project. |
RuntimeResource status | running | Current status of the runtime resource. |
RuntimeResource subscriptionId | sub-001 | Subscription ID for cloud billing/accounting. |
RuntimeResource taskDefinitionFamily | web-task | Task definition family for ECS resources. |
RuntimeResource taskDefinitionArn | arn:aws:ecs:... | Full ARN of the ECS task definition. |
Vulnerability cvssScore | 9.8 | CVSS base score of the vulnerability. |
Vulnerability epssPercentile | 0.95 | Percentile rank of the EPSS score. |
Vulnerability epssScore | 0.82 | Likelihood of exploitation based on EPSS. |
Vulnerability knownRansomwareCampaignUse | true | Flags if the CVE has been used in ransomware campaigns. |
Vulnerability name | CVE-2024-12345 | CVE identifier of the vulnerability. |
Vulnerability packageName | libssl1.1 | Name of the vulnerable package. |
Vulnerability packageType | Java | Package type. For example, Java, Golang, and OS. |
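The filter combination described above (in use, exploitable, fix available, not risk-accepted), applied to constructed records and then counted per grouping. This is an added example, not part of the Sysdig documentation or product: field names reuse the filter keys from the table, while the record layout, the `kev` and `resource` fields, and the ranking order (KEV first, then EPSS, then CVSS) are assumptions.

```python
from collections import Counter

# Field names reuse the filter keys listed above; the record layout is an
# assumption for this example, not a Sysdig export or API schema.
FIELDS = ("name", "packageName", "resource", "inUse", "hasExploit",
          "hasFix", "acceptedRisk", "kev", "epssScore", "cvssScore")

# Constructed sample data: one row per finding (CVE x package x resource).
ROWS = [
    ("CVE-EXAMPLE-A", "libssl1.1", "nginx-deployment",
     True, True, True, False, True, 0.82, 9.8),
    ("CVE-EXAMPLE-A", "libssl1.1", "node-1",
     True, True, True, False, True, 0.82, 9.8),
    ("CVE-EXAMPLE-B", "example-logger", "nginx-deployment",
     True, True, True, False, False, 0.95, 7.5),
    ("CVE-EXAMPLE-C", "example-zip", "node-1",        # highest CVSS, not in use
     False, True, True, False, False, 0.10, 9.9),
    ("CVE-EXAMPLE-D", "example-http", "nginx-deployment",  # risk accepted
     True, True, True, True, False, 0.60, 8.1),
]
FINDINGS = [dict(zip(FIELDS, row)) for row in ROWS]


def actionable(f):
    """In use, exploitable, fixable, and not already accepted as a risk."""
    return f["inUse"] and f["hasExploit"] and f["hasFix"] and not f["acceptedRisk"]


def triage(findings):
    """Keep actionable findings, ranked by KEV, then EPSS, then CVSS (descending)."""
    key = lambda f: (f["kev"], f["epssScore"], f["cvssScore"])
    return sorted(filter(actionable, findings), key=key, reverse=True)


def group_by(findings, field):
    """Number of findings per group value (e.g. per CVE or per resource)."""
    return dict(Counter(f[field] for f in findings))


if __name__ == "__main__":
    queue = triage(FINDINGS)
    for f in queue:
        print(f["name"], f["resource"], f["epssScore"], f["cvssScore"])
    print("by CVE:", group_by(queue, "name"))
    print("by resource:", group_by(queue, "resource"))
```

The CVSS 9.9 finding drops out because its package is not in use, and the KEV-listed CVE ranks above the one with the higher EPSS score.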
Reviewing Findings in Detail
Each row in the table is clickable. Clicking a finding opens Finding360, where you’ll see in-depth context including affected packages, runtime usage, exposure indicators, and remediation actions.
Use this to investigate:
- What exactly is affected
- Whether it’s active in runtime
- If it has an exploit or known fix
- Which environments or Zones it spans
This flow helps teams move from detection to action with full visibility and confidence.