Integrate Image Scanning into Development Pipeline

You have the option to use image scanning as part of your development pipeline, to check for best practices, vulnerabilities, and sensitive content.

Inline Scanning

As of version 2.5.0, Sysdig Secure users have the option to scan and analyze images locally, sending their infrastructure metadata back to the Sysdig platform without providing access to their registry. The feature may be desired in a variety of cases:

  • Images don't leave their own environment

  • SaaS users don't send images and proprietary code to Sysdig's SaaS service

  • Registries don't have to be exposed

  • Images can be scanned in parallel more easily

  • Images can be scanned before they hit the registry, which can

    • cut down on registry costs

    • simplify the build pipeline

Prerequisites

  • Sysdig Secure and the ability to connect to the Sysdig installation

  • Docker engine

  • Access to DockerHub

  • Bash

Implement Inline Scanning

  • Access the script

    Download the inline_scan.sh script here.

  • Review the parameters and example

    The ReadMe file on GitHub describes the script parameters, their usage, and gives a full example.

  • Expected output

    After the scan is triggered, the command line will post a result message of pass or fail.

    To see the complete result analysis, log in to the Sysdig Secure dashboard and review the Scan Results page.
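One way to turn that pass/fail message into a pipeline gate, so the image is only pushed to the registry after a local scan passes. This is an added example, not Sysdig's script or documentation; it assumes the downloaded script lives at $INLINE_SCAN, takes the image reference as its last argument, and prints a line of the form "Status is pass" or "Status is fail" (check the README for the real parameters).

```shell
#!/usr/bin/env bash
# Added example (not from the Sysdig docs): scan an image locally with the
# inline scan script and push it to the registry only when the scan passes.
# Assumed: $INLINE_SCAN is the script path, it accepts the image as its last
# argument, and it prints "Status is pass" or "Status is fail".

: "${INLINE_SCAN:=./inline_scan.sh}"   # assumed location of the script

# Reduce the scanner's output to one word: pass, fail, or error.
# Anything that is not an explicit verdict is treated as an error so that a
# crashed or misconfigured scanner can never let an image through.
scan_verdict() {
    local image="$1" output status=0
    # Assumed invocation; the real parameters are documented in the README.
    if output="$("$INLINE_SCAN" "$image" 2>&1)"; then status=0; else status=$?; fi

    if printf '%s\n' "$output" | grep -qiE '^[[:space:]]*Status is fail'; then
        echo fail
    elif printf '%s\n' "$output" | grep -qiE '^[[:space:]]*Status is pass'; then
        echo pass
    else
        echo "scanner exited with status $status and printed no verdict" >&2
        echo error
    fi
}

# Pipeline step: scan, then push only on pass.
# Returns 0 when the image was pushed, 1 on a failed scan, 2 when the scan
# could not be evaluated. Both non-zero paths leave the registry untouched.
scan_and_push() {
    local image="$1" verdict
    verdict="$(scan_verdict "$image")"
    case "$verdict" in
        pass)
            echo "scan passed for $image; pushing to registry"
            docker push "$image"
            ;;
        fail)
            echo "scan FAILED for $image; image not pushed" >&2
            return 1
            ;;
        *)
            echo "scan result for $image could not be evaluated; not pushing" >&2
            return 2
            ;;
    esac
}
```

Call `scan_and_push "$IMAGE"` as the step between `docker build` and the registry push; a non-zero exit fails the pipeline stage.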

Pipeline Integration Examples

There are well-documented examples for a variety of pipelines:

Integrate with Jenkins

Sysdig has a plugin to integrate Sysdig image scanning into a Jenkins-based build process.

Install and Configure the Jenkins Plugin

The Sysdig Secure Jenkins Plugin documentation (at jenkins.io) describes:

  • Prerequisites

  • Obtaining the plugin

  • Necessary system configuration steps in the Jenkins UI

  • Adding Sysdig Secure Image Scanning as a build step (in the Jenkins UI)

  • Configuring the actions to take on scanned builds (e.g. when to fail a build or issue a warning).

Obtain Scan Results in Jenkins

The Sysdig plugin generates a scan report listed in the Jenkins build list:

Click on the Sysdig Scanning Report to view the summary information and a list of policy checks and results.