Pipeline

Scan a container image with sysdig-cli-scanner, then review the results on the Pipeline page.

This document applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use.
Introduction
The Vulnerability Pipeline scanner (sysdig-cli-scanner) lets you manually scan a container image, either locally or from a remote registry. You can also integrate sysdig-cli-scanner into your CI/CD pipeline or automations to scan every container image automatically right after it is built and before it is pushed to the registry.
Development / CI/CD / Pipeline / Shift-Left / …: all of these terms refer to scanning performed on container images that are not (yet) executed in a runtime workload. You can scan these images using the sysdig-cli-scanner tool, and explore the results directly in the console or in the Sysdig UI.
Running the CLI Scanner
Prerequisite: Deploy the Vulnerability CLI Scanner (aka sysdig-cli-scanner).
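The following is an added example, not part of the Sysdig page or the scanner's own code, of how a CI job can gate an image push on the scanner's policy evaluation. It assumes `SECURE_API_TOKEN` is supplied by the CI secret store, that the scanner binary path and the `--apiurl` flag are as documented for your scanner release, and that the exit-code convention (0 policy pass, 1 policy fail, 2 invalid parameters, 3 other error) matches the version you deploy; verify both against the scanner's own documentation before relying on them. The point it demonstrates is that a scanner error must never be mistaken for a pass.

```shell
#!/bin/sh
# Added example (not from the Sysdig documentation): gate a CI step on the
# sysdig-cli-scanner result so an image is only pushed when the policy
# evaluation passes.
# Assumptions (verify against your scanner release):
#   - SECURE_API_TOKEN is set by the CI secret store
#   - the binary accepts `--apiurl <url> <image>` as in the scanner docs
#   - exit codes: 0 pass, 1 policy fail, 2 invalid parameters, 3 other error

SCANNER="${SCANNER:-./sysdig-cli-scanner}"
API_URL="${SYSDIG_API_URL:-https://secure.sysdig.com}"

# Map the scanner's exit code to a CI verdict. Only a clean 0 is a pass;
# a policy failure is a real finding, and any scanner error must block the
# push rather than be silently treated as "no findings".
interpret_scan_rc() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "policy-fail" ;;
    2) echo "usage-error" ;;
    3) echo "scanner-error" ;;
    *) echo "unknown-error" ;;
  esac
}

# Returns 0 (allow push) only for the "pass" verdict, 1 otherwise.
push_allowed() {
  [ "$1" = "pass" ]
}

# Run the scanner on one image and return 0 if the push may proceed.
scan_and_gate() {
  image="$1"
  if [ -z "${SECURE_API_TOKEN:-}" ]; then
    echo "SECURE_API_TOKEN is not set; refusing to scan $image" >&2
    return 1
  fi
  "$SCANNER" --apiurl "$API_URL" "$image"
  rc=$?
  verdict=$(interpret_scan_rc "$rc")
  echo "scan verdict for $image: $verdict (exit code $rc)"
  push_allowed "$verdict"
}

# Pipeline usage, after `docker build -t "$IMAGE" .`:
#   sh gate.sh "$IMAGE" && docker push "$IMAGE"
if [ -n "${1:-}" ]; then
  scan_and_gate "$1"
fi
```

Because pipeline results are point-in-time, re-run this same step over the same image tag whenever you need a fresh evaluation (for example after accepting a risk); the scanner does not re-evaluate earlier results on its own.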
Review Pipeline Scans in the Sysdig Secure UI
You can explore the details for every image that has been scanned by executing sysdig-cli-scanner in the Sysdig Secure UI.
Navigate to Vulnerabilities > Pipeline. Filter the list by Pass | Fail if desired.
- The Policy Evaluation column reflects the policy state at evaluation time for that image and the assigned policies.
  - Failed: If any of the policies used to evaluate the image is failing, the image is considered "Failed".
  - Passed: If there is no violation of any of the rules contained in any of the policies, the image is considered "Passed".
From here you can drill down to the scan result details.
Drill into Scan Result Details
Select a result from the Pipeline list to see the details, parsed in different ways depending on your needs.
Overview Tab
Focuses on the package view and filters for those that are fixable. Clickable cells lead into the Vulnerabilities list (next).
Vulnerabilities Tab
Expanded filters and clickable list of CVEs that open the full CVE details, including source data and fix information.
The same security finding (for example, a particular vulnerability) can be present in more than one rule violation table if it happens to violate several rules.
Content Tab
This is organized by package view, with expanded filters and clickable CVE cells.
Policies Tab
Shows CVEs organized by the policy+rule that failed. Use the toggle to show or hide policies+rules that passed. Click CVE names for the details.
Filter and Sort Results
You can refine your view further within the Pipeline results tabs:
- Search by keyword or CVE name
- Use filters: Severity (>=); CVSS Score (>=); Vuln Type; Has Fix; Exploitable.
Accept Risk: Pipeline
As of November 2022, you can choose to accept the risk of a detected vulnerability or asset. The process for handling Accepted Risk is the same for Pipeline as for Runtime.
Use the Runtime instructions, with the following difference:
Accept Validity - Pipeline
The pipeline scan results are point-in-time, so there is no automatic re-evaluation.
To trigger a new evaluation containing the accept:
- Execute the pipeline process (the sysdig-cli-scanner run) again over the same image.
- The next scan (N+1) will contain the accept.