After you deploy the Sysdig Vulnerability Pipeline Scanner (sysdig-cli-scanner), review the results on the vulnerability Pipeline page.

This document applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use


The Vulnerability Pipeline scanner (sysdig-cli-scanner) lets you manually scan a container image, either locally or from a remote registry. You can also integrate the sysdig-cli-scanner as part of your CI/CD pipeline or automations to automatically scan any container image right after it is built and before pushing to the registry scanner.

Development / CI/CD / Pipeline / Shift-Left / …: all of these terms refer to scanning performed on container images that are not (yet) executed in a runtime workload. You can scan these images using the sysdig-cli-scanner tool, and explore the results directly in the console or in the Sysdig UI.

Running the CLI Scanner

Prerequisite: Deploy the Vulnerability CLI Scanner (aka sysdig-cli-scanner ) .

Review Pipeline Scans in the Sysdig Secure UI

You can explore the details for every image that has been scanned by executing the sysdig-cli-scanner in Sysdig Secure UI.

  1. Navigate to Vulnerabilities > Pipeline.

  2. Filter the list by Pass | Fail if desired.

    • The Policy Evaluation column reflects the policy state at evaluation time for that image and the assigned policies.
      • Failed: If any of the policies used to evaluate the image is failing, the image is considered “Failed”.
      • Passed If there is no violation of any of the rules contained in any of the policies, the image is considered “Passed”.

From here you can drill down to the scan result details.

Drill into Scan Result Details

Select a result from the Pipeline list to see the details, parsed in different ways depending on your needs.

Overview Tab

Focuses on the package view and filters for those that are fixable. Clickable cells lead into the Vulnerabilities list (next).

Vulnerabilities Tab

Expanded filters and clickable list of CVEs that open the full CVE details, including source data and fix information.

The same security finding (for example, a particular vulnerability) can be present in more than one rule violation table if it happens to violate several rules.

Content Tab

This is organized by package view, with expanded filters and clickable CVE cells.

Policies Tab

Shows CVEs organized by the policy+rule that failed. Use the toggle to show or hide policies+rules that passed. Click CVE names for the details.

Filter and Sort Results

You can refine your view further within the Pipeline results tabs:

  • Search by keyword or CVE name
  • Use filters: Severity (>=); CVSS Score (>=); Vuln Type; Has Fix; Exploitable.

Accept Risk: Pipeline

As of November, 2022, you can choose to accept the risk of a detected vulnerability or asset. The process for handling Accepted Risk is the same for Pipeline as for Runtime.

Use the Runtime instructions, with the following difference:

Accept Validity - Pipeline

The pipeline scan results are point-in-time, so there is no automatic re-evaluation.

To trigger a new evaluation containing the accept:

  • You must execute the pipeline process again over the same image.
  • The N+1 scan will contain the accept.