Pipeline

The Vulnerabilities > Pipeline page shows the results of scans you have performed with the sysdig-cli-scanner tool. This Vulnerability Pipeline Scanner lets you manually scan a container image, either locally or from a remote registry. You can also integrate sysdig-cli-scanner into your CI/CD pipeline or other automation to scan every container image automatically right after it is built and before it is pushed to the registry.

Terms such as Development, CI/CD, Pipeline, or Shift-Left refer to scanning performed on container images that are not yet running in a runtime workload. You can scan these images with the sysdig-cli-scanner tool and explore the results directly in the console or in the Sysdig Secure UI.

This document applies only to the Vulnerability Management engine released on April 20, 2022. Make sure you are using the correct documentation: see Which Scanning Engine to Use.

Prerequisite

Ensure that you have deployed sysdig-cli-scanner in your environment. For information on installation, see Install Sysdig CLI Scanner.

Review Pipeline Scan Results

In the Sysdig Secure UI you can explore the details of every image that has been scanned by running sysdig-cli-scanner.

  1. Navigate to Vulnerabilities > Pipeline.

  2. Filter the list by Pass or Fail if desired.

    The Policy Evaluation column reflects the state of the policies assigned to that image at evaluation time.

    • Failed: If any of the policies used to evaluate the image is failing, the image is considered “Failed”.
    • Passed: If none of the rules contained in any of the policies was violated, the image is considered “Passed”.

From here you can drill down to the scan result details.

Drill into Scan Result Details

Select a result from the Pipeline list to see the details, parsed in different ways depending on your needs.

Overview Tab

Shows recommendations and provides an overview of the vulnerabilities and fixable packages associated with the selected image. You can also view the policy details on this tab. Click a row to see detailed information in the Packages, Policies, or Recommendations tab.

Recommendations Tab

Shows the image hierarchy, surfaces the image layers, identifies vulnerability issues in the packages contained in each layer, and provides actionable instructions to fix them.

Vulnerabilities Tab

Provides expanded filters and a clickable list of CVEs; clicking a CVE opens its full details, including source data and fix information.

The same security finding, such as a particular vulnerability, can appear in more than one rule violation table if it violates several rules.

Additionally, you can view the image hierarchy and the layers belonging to the selected image. Click a layer to view the packages it contains, their versions, and the vulnerabilities detected in that layer.

Packages Tab

This tab is organized by software package, with expanded filters and clickable CVE cells. You can also view the image hierarchy and the layers belonging to the selected image. Click a layer to view the packages it contains, their versions, and the vulnerabilities detected in that layer.

Policies Tab

Shows the list of CVEs organized by the policies that failed. Use the toggle to show or hide the policies that passed. Click a CVE name for its details.

Details Tab

Use the Details tab to get image information such as the image ID, digest, author, labels, and operating system.

Filter Results

Vulnerabilities Tab

You can refine your view further within the Vulnerabilities tab:

  • Search by keyword or CVE name
  • Use filters: Severity (>=); CVSS Score (>=); Vuln Type; Has Fix; Exploitable.

Packages Tab

You can refine your view further within the Packages tab:

  • Search by keyword or package name
  • Filter by Package Type
  • Filter by Severity (>= or =): Critical, High, Medium, Low, Negligible.
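The evaluation semantics described for the Policy Evaluation column (an image is Failed as soon as any assigned policy has a violated rule), the note that one finding can appear in several rule violation tables, and the Vulnerabilities and Packages filters above can all be modelled in a few lines. The following is an added example written for this page; it is not Sysdig's code and does not parse real sysdig-cli-scanner output. The `Finding`, `Rule` and `Policy` classes, the severity ordering, the rule predicates, and the sample findings (with placeholder CVE identifiers) are all constructed here for illustration.

```python
"""Added example (not Sysdig's code): models the Pipeline view's policy
evaluation and the Severity/CVSS/Has Fix/Exploitable/Package Type filters
over a constructed set of findings."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Ordering assumed for the five severity levels named on the page, lowest first.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Finding:                 # one vulnerability in one package (constructed shape)
    cve: str
    package: str
    version: str
    package_type: str
    severity: str
    cvss: float
    has_fix: bool
    exploitable: bool


@dataclass
class Rule:                    # a rule is a predicate over a finding (assumption)
    name: str
    violated_by: Callable[[Finding], bool]


@dataclass
class Policy:
    name: str
    rules: List[Rule]


def severity_rank(sev: str) -> int:
    return SEVERITY_ORDER.index(sev)


def filter_findings(findings: List[Finding], *, keyword: Optional[str] = None,
                    min_severity: Optional[str] = None, severity: Optional[str] = None,
                    min_cvss: Optional[float] = None, has_fix: Optional[bool] = None,
                    exploitable: Optional[bool] = None,
                    package_type: Optional[str] = None) -> List[Finding]:
    """Apply the UI filters: keyword/CVE/package search, Severity >= or =,
    CVSS >=, Has Fix, Exploitable, and Package Type. Unset filters match all."""
    out = []
    for f in findings:
        if keyword and keyword.lower() not in f"{f.cve} {f.package}".lower():
            continue
        if min_severity and severity_rank(f.severity) < severity_rank(min_severity):
            continue
        if severity and f.severity != severity:
            continue
        if min_cvss is not None and f.cvss < min_cvss:
            continue
        if has_fix is not None and f.has_fix != has_fix:
            continue
        if exploitable is not None and f.exploitable != exploitable:
            continue
        if package_type and f.package_type != package_type:
            continue
        out.append(f)
    return out


def rule_violations(policies: List[Policy],
                    findings: List[Finding]) -> Dict[Tuple[str, str], List[Finding]]:
    """Build one violation table per (policy, rule). A single finding lands in
    every table whose rule it violates, which is why the UI can show the same
    CVE under several rules."""
    table: Dict[Tuple[str, str], List[Finding]] = {}
    for policy in policies:
        for rule in policy.rules:
            hits = [f for f in findings if rule.violated_by(f)]
            if hits:
                table[(policy.name, rule.name)] = hits
    return table


def evaluate_image(policies: List[Policy],
                   findings: List[Finding]) -> Tuple[str, Set[str]]:
    """Return ("Failed", {failing policy names}) if any policy has a violated
    rule, otherwise ("Passed", set())."""
    failed = {policy for (policy, _rule) in rule_violations(policies, findings)}
    return ("Failed" if failed else "Passed"), failed


# Constructed sample findings; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "openssl", "1.1.1k", "os", "Critical", 9.8, True, True),
    Finding("CVE-EXAMPLE-0002", "libxml2", "2.9.10", "os", "High", 7.5, False, False),
    Finding("CVE-EXAMPLE-0003", "requests", "2.25.0", "python", "Medium", 5.3, True, False),
    Finding("CVE-EXAMPLE-0004", "zlib", "1.2.11", "os", "Low", 3.1, True, False),
]

# Constructed policies; rule names and predicates are assumptions for this example.
SAMPLE_POLICIES = [
    Policy("critical-with-fix", [Rule("critical and fixable",
                                      lambda f: f.severity == "Critical" and f.has_fix)]),
    Policy("no-exploitable", [Rule("exploitable", lambda f: f.exploitable),
                              Rule("cvss >= 9", lambda f: f.cvss >= 9.0)]),
    Policy("negligible-only", [Rule("negligible", lambda f: f.severity == "Negligible")]),
]

if __name__ == "__main__":
    state, failing = evaluate_image(SAMPLE_POLICIES, SAMPLE_FINDINGS)
    print(state, sorted(failing))
    for key, hits in rule_violations(SAMPLE_POLICIES, SAMPLE_FINDINGS).items():
        print(key, [f.cve for f in hits])
```

Running it on the sample shows the image as Failed because two of the three policies have violated rules, and the Critical, fixable, exploitable finding appears in three violation tables at once, exactly the situation the page describes. Because a Pipeline result is point-in-time, the filters only narrow what is displayed; the stored Passed/Failed state does not change until the image is scanned again.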

Accept Risk: Pipeline

You can choose to accept the risk of a detected vulnerability or asset. The process for handling Accepted Risk is the same for Pipeline and Runtime.

Use the Runtime instructions, with the following difference:

Pipeline scan results are point-in-time, so there is no automatic re-evaluation.

To trigger a new evaluation that includes the accepted risk:

  • You must run the pipeline process again over the same image.
  • The N+1 scan will include the accepted risk.