This doc applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use


Sysdig Secure will automatically analyze and scan the container image for the workloads in your clusters, providing a list of vulnerabilities, policy evaluations and the In Use spotlight, helping you focus on fixing the active, critical and exploitable vulnerabilities.

In order to scan the workloads in your clusters, you need to make sure that the Sysdig Runtime Scanner component is deployed as part of your Agent deployment. Follow the Sysdig Agent Installation.

Why Runtime Scanning?

Although shifting vulnerability management to the earliest phases (such as integrating with CI/CD) is essential, runtime vulnerability management remains important:

  • Strong defense: runtime VM provides an additional layer of defense to your arsenal
  • Up-to-date: new vulnerabilities are discovered every day; new discoveries need to be checked against your running images
  • Prioritized feedback: The In Use spotlight allows you to hone in on the most important vulnerabilities discovered within your running images so you can efficiently prioritize and act.

Sysdig’s runtime scanner will:

  • Automatically observe and report on all the Runtime workloads, keeping a close-to-real time view of images and workloads executing on the different Kubernetes scopes of your infrastructure
  • Perform period re-scans, guaranteeing that the vulnerabilities associated with the Runtime workloads and images are up-to-date with the latest vulnerabilities feed databases. It will automatically match a newly reported vulnerability to your runtime workloads without requiring any additional user interaction.

Understanding the Runtime Workload and Labels

Runtime entities are associated using the concept of workload, defined by:

  • A unique ImageID

  • A set of labels describing the runtime context (Kubernetes in this case)

These workload labels are in the order: cluster > namespace > type > container

  • Kubernetes cluster name, demo-kube-eks in the example above
  • Kubernetes namespace name, example-voting-app above
  • Kubernetes workload type deployment (or daemonset, etc.)
  • Kubernetes container name, metrics-3 above

This means:

  • Several replicas of the same deployment are considered the same workload (single entry on the table), as the images are identical and the runtime context is the same.
  • An identical image deployed on two different Kubernetes clusters will be considered two different workloads, as the runtime context is different.

About Runtime Policies

Policies allow you to define a set of rules that will evaluate each workload. After the evaluation, each policy will pass or fail. A policy failure or non-compliance happens if the scan result doesn’t meet all the rules in a policy.

Runtime policies contain a runtime scope filter, so it only applies workloads in that scope, or Entire infrastructure, which will apply globally.

Learn more about Vulnerability Management policies, the available rules, and how to define policies in Vulnerability Policies

Review Runtime Scan Results

  1. Navigate to Vulnerabilities > Runtime.

    By default, the entire infrastructure results are shown.

    Results are ranked by:

    • Number of actual exploits
    • Severity of vulnerabilities
    • Number of vulnerabilities
  2. From here you can:

    • Check what’s In Use
    • Drill down to image details
    • Filter results

    to find and remediate the priority issues discovered.

Understanding the In Use Column

The In Use designation allows you to focus first on the packages containing vulnerabilities that are actually being executed at runtime. If an image has 180 packages and 160 have vulnerabilities, but only 45 are used at runtime, then much of the vuln notification noise can be reduced.

Click on an image entry to see the the In Use panel and drill into the details, clicking on the vulnerabilities for details and examining the link to any known exploits that exist. (See also Drill into Image Details, below.)

To enable In Use in your account, please contact your Sysdig representative. It must also be enabled during the Sysdig Agent installation.

Drill into Scan Result Details

Select a worload from the Runtime results list

Overview Tab

Focuses on the package view and top-priority running images (In Use).

Clickable cells lead into the Vulnerabilities list (next).

Vulnerabilities Tab

Provides expanded filters and clickable list of CVEs that open the full CVE details, including source data and fix information.

Content Tab

Also organized by package view, with expanded filters and clickable CVE cells.

Policies Tab

Shows CVEs organized by the policy+rule that failed. Use the toggle to show or hide policies+rules that passed. Click CVE names for the details.

Filter and Sort Results

  • Filter by workload labels and optionally save constructed filters as Favorite or Default from the kebab (3-dot) menu on the filter bar.

    • Hover over the workload labels and click = or =! to add them to the filter bar to refine by cluster, namespace, type, etc.

  • Filter by evaluation: Pass / Fail / No Policy

  • Click In Use to list the results that have been evaluated for risk first

  • Use further-refined filters within the image detail tabs, e.g. CVE Name; Severity (>=); CVSS Score (>=); Has Fix; Exploitable.