Image Scanning

Image scanning allows you to scan container images for vulnerabilities, secrets, license violations, and more. It can be used as part of a development build process, can validate images added to your container registry, and can scan the images used by running containers on your infrastructure.

Prerequisites

  • Network and port requirements

    Image Scanning requires access to an external vulnerability feed. To ensure proper access to the latest definitions, refer to the Network and Port requirements.

  • Whitelisted IP for image scanning requests

    Image scanning requests and Splunk event forwarding both originate from 18.209.200.129. For Sysdig to reach a private registry or repository, your firewall must allow inbound connections from this IP address.

How Sysdig Image Scanning Works

The basic setup for image scanning is simple: provide the registry information for where your images are stored, trigger a scan, and review the results.

Behind the scenes:

  • Image contents are analyzed.

  • The contents report is evaluated against multiple vulnerability databases.

  • It is then compared against default or user-defined policies.

  • Results are reported, both in Sysdig Secure and (if applicable) in a developer's external CI tool.

Image Contents Reported

The analysis generates a detailed report of the image contents, including:

  • Official OS packages

  • Unofficial OS packages

  • Configuration files

  • Credentials files

  • Language modules and software-specific package managers:

    • JavaScript with npm

    • Python with pip

    • Ruby with gem

    • Java/JVM with .jar archives

  • Image metadata and configuration attributes

Vulnerability Databases Used

Sysdig Secure continuously re-checks stored image contents against a wide range of vulnerability databases, updating the Runtime scan results whenever a newly published CVE affects a package already recorded for an image; the image itself does not need to be analyzed again.
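The following is an added example, not Sysdig's own code, that shows in miniature the pipeline described under How Sysdig Image Scanning Works and the continuous re-check described just above: analysis yields a contents report (packages per ecosystem plus credential files), the report is matched against a vulnerability feed, the findings are evaluated against a policy, and the stored report is re-matched after the feed changes. The feed, the image, the policy shape and the EXAMPLE-000n advisory identifiers are all constructed for illustration; they are not Sysdig's data formats or real CVEs.

```python
"""Added example (not Sysdig's code): a miniature of the image scanning
pipeline. Every image, package, feed entry and advisory id below is
constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '1.1.1g-r0' into a tuple that orders the way distro versions
    usually do: numeric runs compare as integers, letter runs as strings."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


@dataclass
class ContentsReport:
    """What analysis (step 1) records for one image: every package with its
    ecosystem and version, plus files that look like credentials."""
    image: str
    packages: List[Tuple[str, str, str]]        # (ecosystem, name, version)
    credential_files: List[str] = field(default_factory=list)


# Feed shape (assumed): (ecosystem, package) -> [(advisory id, first fixed version, severity)]
Feed = Dict[Tuple[str, str], List[Tuple[str, str, str]]]


def match_vulnerabilities(report: ContentsReport, feed: Feed) -> List[dict]:
    """Step 2: a package is affected when its version is older than the fix."""
    findings = []
    for eco, name, version in report.packages:
        for advisory, fixed_in, severity in feed.get((eco, name), []):
            if version_key(version) < version_key(fixed_in):
                findings.append({"package": f"{eco}:{name}", "version": version,
                                 "advisory": advisory, "fixed_in": fixed_in,
                                 "severity": severity})
    return findings


def evaluate_policy(report: ContentsReport, findings: List[dict], policy: dict):
    """Step 3: apply a policy; returns ('pass' | 'fail', list of reasons)."""
    reasons = []
    threshold = SEVERITY_RANK[policy["stop_at_severity"]]
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= threshold:
            reasons.append(f"{f['advisory']} in {f['package']} {f['version']} "
                           f"(fixed in {f['fixed_in']})")
    if policy["stop_on_credentials"] and report.credential_files:
        reasons.append("credential files: " + ", ".join(report.credential_files))
    return ("fail" if reasons else "pass"), reasons


def scan(report: ContentsReport, feed: Feed, policy: dict) -> dict:
    """Steps 2 to 4 for one image; the report itself is kept for later re-checks."""
    findings = match_vulnerabilities(report, feed)
    status, reasons = evaluate_policy(report, findings, policy)
    return {"image": report.image, "status": status,
            "findings": findings, "reasons": reasons}


# Constructed feed and image; the advisory ids are placeholders, not real CVEs.
FEED: Feed = {
    ("apk", "openssl"): [("EXAMPLE-0001", "1.1.1i-r0", "High")],
    ("npm", "lodash"):  [("EXAMPLE-0002", "4.17.19", "High")],
    ("pip", "urllib3"): [("EXAMPLE-0003", "1.25.9", "Medium")],
}
POLICY = {"stop_at_severity": "High", "stop_on_credentials": True}
WEB_IMAGE = ContentsReport(
    image="registry.example.com/shop/web:1.4.2",
    packages=[("apk", "openssl", "1.1.1i-r0"), ("apk", "busybox", "1.31.1-r16"),
              ("npm", "lodash", "4.17.19"), ("pip", "urllib3", "1.25.8")],
)


def demo() -> Tuple[str, str]:
    """Scan once, then simulate a feed update and re-check the stored report
    without re-analysing the image (the continuous re-check described above)."""
    first = scan(WEB_IMAGE, FEED, POLICY)          # only a Medium finding: pass
    updated = {k: list(v) for k, v in FEED.items()}
    updated[("apk", "busybox")] = [("EXAMPLE-0004", "1.31.1-r17", "Critical")]
    second = scan(WEB_IMAGE, updated, POLICY)      # new Critical finding: fail
    return first["status"], second["status"]


if __name__ == "__main__":
    print(demo())
```

The point of keeping the contents report rather than only the verdict is visible in demo(): the second status flips to "fail" purely because the feed changed, which is what lets a scanner flag a running container days after its image was first scanned.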

The current database list includes:

Updating Vulnerability Feed in Airgapped Environments

NOTE: A Sysdig Secure installation in an airgapped environment has no internet access, so it cannot receive the continuous vulnerability database updates that image scanning relies on. (See also: How Sysdig Image Scanning Works.)

As of installer version 3.2.0-9, airgapped environments can also receive periodic vulnerability database updates.

To enable this feature, run (or re-run) the "-uber" installer. See Full Airgap Install. The installer pushes the latest vulnerability database images to the internal registry and restarts the existing Sysdig vulnerability database with that version. The data is only as current as the day the installer -uber image was pulled, so repeat this process each time you want to update the vulnerability database.

Use Cases

As an organization, you define what is an acceptable, secure, reliable image running in your environment. Image scanning for the development pipeline follows a somewhat different flow than for security personnel.

Scanning During Container Development (DevOps)

Use image scanning as part of your development pipeline, to check for best practices, vulnerabilities, and sensitive content.

To begin:

  • Add Registry: Add a registry where your images are stored, along with the credentials necessary to access them.

  • Integrate CI Tool: Integrate image scanning with an external CI tool, using the Jenkins plugin or building your own integration from a SysdigLabs solution.

  • Scan Image(s): The plugin or CLI integration triggers the image scanning process. If so configured, a build whose image fails the policy is stopped.

  • Review Results (in CI tool): Developers can analyze the results in the integrated CI tool (Jenkins).

    (Optionally: add policies or refine the default policies to suit your needs, assign policies to particular images or tags, and configure alerts and notifications.)

Scanning Running Containers (Security Personnel)

Security personnel use image scanning to monitor which containers are running, what their scan status is, and whether new vulnerabilities have been found in their images.

  • Add Registry: Add a registry where your images are stored, along with the credentials necessary to access them.

  • Scan Image(s): Trigger an image scan (manually or by configuring an alert to auto-scan).

  • Review Results (in Sysdig Secure): Security personnel can analyze scan results in the Sysdig Secure image scanning UI.

    (Optionally: add policies or refine the default policies to suit your needs, assign policies to particular images or tags, and configure alerts and notifications.)
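The optional step shared by both flows above, assigning policies to particular images or tags, and the build decision that ends the DevOps flow are shown below as an added example. It is not Sysdig's code and does not reproduce the behaviour of the Jenkins plugin: the mapping rule format (registry, repository and tag globs, first matching rule wins), the image reference parsing and the scan result shape are all assumptions constructed for this illustration.

```python
"""Added example (not Sysdig's code or plugin behaviour): resolving which
policy applies to an image reference, and turning a scan result into a CI
decision. Mapping format, ordering and result shape are assumptions."""
import fnmatch
from typing import List, Optional, Tuple

Mapping = Tuple[str, str, str, str]   # (registry glob, repository glob, tag glob, policy)

# Constructed mappings, evaluated top to bottom; the last row is the catch-all.
MAPPINGS: List[Mapping] = [
    ("registry.example.com", "shop/*", "release-*", "production-strict"),
    ("registry.example.com", "shop/*", "*",         "development"),
    ("*",                    "*",      "*",         "default"),
]


def parse_reference(ref: str) -> Tuple[str, str, str]:
    """Split 'host[:port]/repository[:tag]' into (registry, repository, tag).
    No host means Docker Hub ('docker.io'); no tag means 'latest'.
    Digest references ('@sha256:...') are out of scope for this example."""
    name, colon, tag = ref.rpartition(":")
    if not colon or "/" in tag:          # the colon was a host:port, not a tag
        name, tag = ref, "latest"
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag
    return "docker.io", name, tag


def select_policy(ref: str, mappings: List[Mapping] = MAPPINGS) -> Optional[str]:
    """Return the policy for an image reference, or None if nothing matches.
    Globs are case-sensitive, so 'Shop/*' would not match 'shop/web'."""
    parts = parse_reference(ref)
    for rule in mappings:
        if all(fnmatch.fnmatchcase(value, pattern)
               for value, pattern in zip(parts, rule[:3])):
            return rule[3]
    return None


def ci_exit_code(result: dict, stop_build_on_fail: bool = True) -> int:
    """Decision a CI step makes from a scan result: the build stops (non-zero)
    only when some policy gate asked to stop *and* the integration is
    configured to stop builds; otherwise the findings are still reported
    but the step succeeds, so developers see them in the CI tool."""
    stops = [g for g in result["gates"] if g["action"] == "stop"]
    return 1 if stops and stop_build_on_fail else 0


# Constructed scan result in the shape the functions above expect.
EXAMPLE_RESULT = {
    "image": "registry.example.com/shop/web:release-1.4.2",
    "policy": select_policy("registry.example.com/shop/web:release-1.4.2"),
    "gates": [
        {"gate": "vulnerabilities", "action": "stop",
         "detail": "high severity package vulnerability with a fix available"},
        {"gate": "dockerfile", "action": "warn",
         "detail": "no HEALTHCHECK instruction"},
    ],
}

if __name__ == "__main__":
    print(EXAMPLE_RESULT["policy"], ci_exit_code(EXAMPLE_RESULT))
```

Ordering matters: the release-tag rule must precede the catch-all for the same repository, otherwise every shop/* image would be evaluated under the looser development policy. The same select_policy lookup serves the security flow, where the result is reviewed in the Sysdig Secure UI rather than gating a build.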


Add Scanning to Container Registries

In some cases, it is possible to integrate image scanning directly into a container registry and automatically trigger an event or action every time a new image is pushed to the registry. This feature is currently supported for the following container registry: