Reporting
This document applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use
Introduction
Reporting in Vulnerability Management allows you to:
- Create a report definition.
- Schedule its frequency.
- Define notification channel(s) in which to receive the reports (email, Slack, or webhook).
- Preview how the data will appear (optional).
- Download the resulting reports in .csv, .json, or .ndjson.
- Optionally, generate a manual (unscheduled) report.
NOTE: Regardless of the schedule, reports always include the data from the past 24 hours. Therefore, most users schedule a daily report to avoid having any gaps.
Past reports are stored for two weeks. Therefore, if you scheduled a weekly report, the list would only contain two records.
Create a Report Definition
Access Report Definition
Log in to Sysdig Secure with Advanced User or higher permissions, and select Vulnerabilities > Reporting.
The Vulnerabilities Reporting list page appears. If you have previously created report definitions, you can click one to see the details.
Click Add Report. The New Report page is displayed.
Choose the report Entity you want and follow the appropriate steps below:
For Runtime Workloads
NOTE: These reports are available whenever you have the current Vulnerability Management module installed (not Legacy Scanning).
Access the Report Definition and complete:
Basic Info: Define the report basic info:
- Name
- Description
- Export file format: .csv, .json, or .ndjson
Select Definitions:
Entity: Runtime Workloads
Scope: Entire infrastructure or subset from the drop-down menu
Conditions: (Optional) Add Conditions from the drop-down if you want to filter the items reported on.
The available conditions include:
- Image Name * (only for this Entity)
- OS Name
- In Use * (only for this Entity)
- Package Name
- Package Path
- Package Type
- Package Version
- Vulnerability ID
- CVSS Score
- CVSS Vector
- Vuln Publish Date
- Exploitable
- Fix Available
- Risk Accepted
- Severity
- Vuln Fix Date
Example 1: You want a report of all vulnerabilities with a Severity >= High, and for which a Fix is Available.
Example 2: You want a report of all vulnerabilities that are In Use with Accepted Risks.
Schedule: Define the Schedule (frequency and time of day) that the report should be run.
Note: The schedule determines when the report data collection begins. As soon as evaluation is complete, you will receive a notification in the configured notification channels.
Notification Channel: If you have configured them, you can use email, Slack, or webhook notification channels, and they will appear in the dropdown. Since reports are typically large, the actual data is not sent to the notification channel; you receive a link to download it. You must be a valid Sysdig Secure user (Advanced User+) to access the link.
Data Preview: Click Refresh to apply the configuration you’ve chosen and pull up on the center bar of the Data Preview panel to see sample results.
Click Save.
For Runtime Hosts
NOTE: To get these reports, you must have Vulnerability Host scanning installed.
Access the Report Definition and complete everything the same as for Runtime Workloads, with the following exceptions:
Basic Info: Define the report basic info:
- Name
- Description
- Export file format: .csv, .json, or .ndjson
Select Definitions:
Entity: Runtime Hosts
Scope: Entire infrastructure or subset from the drop-down menu
Conditions: (Optional) Add Conditions from the dropdown if you want to filter the items reported on.
The available Conditions include:
- Architecture * (only for this entity)
- OS Name
- Package Name
- Package Path
- Package Type
- Package Version
- Vulnerability ID
- Vuln Publish Date
- Exploitable
- Fix Available
- Severity
- Vuln Fix Date
For Container Image Registries
NOTE: To get these reports, you must have Registry scanning installed.
Access the Report Definition and complete everything the same as for Runtime Workloads, with the following exceptions:
Basic Info: Define the report basic info:
- Name
- Description
- Export file format: .csv, .json, or .ndjson
Select Definitions:
Entity: Image Registry
Scope: Entire infrastructure or subset from the drop-down menu
Conditions: (Optional) Add Conditions from the dropdown if you want to filter the items reported on.
The available Conditions include:
- Image Name
- OS Name
- Package Name
- Package Path
- Package Type
- Package Version
- Vulnerability ID
- Vuln Publish Date
- Exploitable
- Fix Available
- Severity
- Vuln Fix Date
Container Images do not have runtime-specific scopes and metadata, like Kubernetes cluster name. Instead, they have registry-specific metadata and filters, such as registry.vendor. See the following table:
Attribute | Possible Values | Description |
---|---|---|
cloudProvider.name | aws, azure, ibm | Short name of the cloud provider, if applicable |
cloudProvider.region | One of the AWS cloud provider regions | For AWS only, the region in which the cloud registry is located |
cloudProvider.account.id | AWS account ID, e.g. 012345678901 | For AWS only, the account ID in which the cloud registry is located |
registry.vendor | The config.registryType value from the installation configuration | Value given at installation to identify the vendor-specific scanner type |
registry.name | E.g. given example.com/k8s-project/metrics-server:v0.6.1, it would be example.com | Registry hostname, up to the first / |
registry.image.repo | E.g. given example.com/k8s-project/metrics-server:v0.6.1, it would be /k8s-project/metrics-server | Image repository including possible intermediate paths, from the first / up to the : |
Scheduling
The reporting frequency configured for registries is closely linked to the refresh cycle defined during installation. The report frequency must be consistent with the cronjob.schedule cycle.
For example, the default value ("0 6 * * 6", every Saturday morning) runs weekly, which implies that daily reports would not make sense, since all results would be the same within those dates.
Limitations
- Registry Scanner does not handle Vulnerability Policies yet.
- cloudProvider.* attributes will only be populated for AWS cloud provider.
For Image Pipeline
NOTE: To get these reports, you must have Pipeline scanning installed.
Access the Report Definition and complete everything the same as for Runtime Workloads, with the following exceptions:
Basic Info: Define the report basic info:
- Name
- Description
- Export file format: .csv, .json, or .ndjson
Select Definitions:
Entity: Image Pipeline
Scope: Entire infrastructure or subset from the drop-down menu
Conditions: (Optional) Add Conditions from the dropdown if you want to filter the items reported on.
The available Conditions include:
- Image Name
- OS Name
- Package Name
- Package Path
- Package Type
- Package Version
- Vulnerability ID
- Vuln Publish Date
- Exploitable
- Fix Available
- Risk Accepted
- Severity
- Vuln Fix Date
Container Images do not have runtime-specific scopes and metadata, like Kubernetes cluster name. Instead, they have registry-specific metadata and filters, such as registry.vendor. See the following table:
Attribute | Possible Values | Description |
---|---|---|
registry.name | E.g. given example.com/k8s-project/metrics-server:v0.6.1, it would be example.com | Registry hostname, up to the first / |
registry.image.repo | E.g. given example.com/k8s-project/metrics-server:v0.6.1, it would be /k8s-project/metrics-server | Image repository including possible intermediate paths, from the first / up to the : |
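Added example (not Sysdig code): a Python helper that derives the registry.name and registry.image.repo values from image references using the rule given in the registry and pipeline attribute tables above, so an image inventory can be turned into scope filter values. Handling of registry ports, digests and references without a registry hostname goes beyond the page and follows the Docker reference convention; the function names and sample references are constructed.

```python
import re

# Assumption (Docker reference convention, not stated on the page): the first
# path component is a registry host only if it has a "." or ":" or is "localhost".
_HOST = re.compile(r"^(localhost|[^/]*[.:][^/]*)$")


def split_image_ref(ref: str) -> dict:
    """Derive registry.name and registry.image.repo from an image reference."""
    name, sep, remainder = ref.partition("/")
    if not sep or not _HOST.match(name):
        raise ValueError(f"no registry hostname in {ref!r}")
    # Assumption: a digest follows "@" and is not part of the repository.
    remainder, _, digest = remainder.partition("@")
    # Only a ":" after the last "/" separates the tag, so a ":" in the
    # registry port (example.com:5000) is never mistaken for it.
    tag = ""
    if ":" in remainder.rsplit("/", 1)[-1]:
        remainder, tag = remainder.rsplit(":", 1)
    if not remainder:
        raise ValueError(f"no repository in {ref!r}")
    return {
        "registry.name": name,                   # up to the first "/"
        "registry.image.repo": "/" + remainder,  # from the first "/" to the ":"
        "tag": tag,
        "digest": digest,
    }


def scope_values(refs):
    """Map each registry.name to its sorted registry.image.repo values."""
    scopes = {}
    for ref in refs:
        parts = split_image_ref(ref)
        scopes.setdefault(parts["registry.name"], set()).add(parts["registry.image.repo"])
    return {name: sorted(repos) for name, repos in scopes.items()}


# Constructed sample inventory; the first entry is the page's own example.
SAMPLE_REFS = [
    "example.com/k8s-project/metrics-server:v0.6.1",
    "example.com/k8s-project/metrics-server:v0.6.2",
    "example.com:5000/team/app",
    "example.com/team/app@sha256:" + "0" * 64,
]

if __name__ == "__main__":
    for registry, repos in scope_values(SAMPLE_REFS).items():
        print(registry, repos)
```

A registry reached on a non-default port is reported as a separate registry.name (`example.com:5000`), so it needs its own scope entry.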
Manage Reports
View and Edit Report Definition
Select an entry in the Reporting list to see the detail panel.
Click Edit to change the report definition parameters. You can also access this panel from the kebab (3-dot) menu.
Make your edits, click Refresh to see the Data Preview, and Save.
Download Reports
From the Reporting list, the latest report download link appears in the Download column.
To see older reports, select an entry in the Reports list to open the detail panel and select from the report download list.
The report will be downloaded in the format you defined; the file is zipped (.gz) – double-click to unzip and view.
Generate Report Manually
- Select an entry in the Reporting list to see the detail panel.
- Click Generate Now. A Scheduled entry will appear. In approximately 15 minutes, it will change to Completed and you can download the manually generated report.
Duplicate a Report Definition
- Choose the kebab (3-dot) menu for a scheduled report.
- Click Duplicate.
Report Definition Retention
The scheduled and manually created reports are retained for 14 days.
Delete a Report Definition
Be sure to download any needed reports before deleting the definition.
- Choose the kebab (3-dot) menu for a scheduled report.
- Click Delete, then click Yes when prompted.
The report definition and all associated reports are deleted.