SaaS: Sysdig Secure Release Notes
You may also want to review the update log for Falco rules used in the Policy Editor: Falco Rules Changelog.
The dates shown are for the initial release of a feature. The feature may not be rolled out to all regions concurrently and availability of a feature in a particular region will depend on scheduling.
Supported Web Browsers
Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested in the same way.
April 11, 2025
Sysdig CLI Scanner 1.22.1
A new version of the CLI scanner is available with the following improvements:
- Fixed a defect in the Amazon vulnerability feed where scans of amazoncorretto:17.0.14 would mistakenly detect irrelevant vulnerabilities.
- Added fixes for the following vulnerabilities:
April 10, 2025
Enhanced Network Exposure Detection
Sysdig has enhanced its network exposure detection capabilities with broader resource coverage and the ability to identify multiple exposure paths. With this release, you can now discover multiple network exposure paths for each resource, giving you deeper insight into your cloud network security.
Newly supported resource types include:
- Classic Load Balancers
- Security Groups
- Subnets
- Route Tables
- Internet Gateways
In the following weeks, we will add support for:
- Network Load Balancers (NLB)
- Application Load Balancers (ALB)
- Target Groups
- Managed Kubernetes resources
This feature is available by default in Secure SaaS. You can see if a resource is exposed through the Exposure tab of the Resource Details drawer.
For more details, such as the supported resource types, see the Exposure Tab.
Enhanced Health Status for Cloud Accounts and Sysdig Features
Sysdig has improved the onboarding experience with meaningful and actionable status messages for your cloud accounts and Sysdig features. The enhanced Health status provides clear, actionable status updates for cloud accounts and Sysdig features, both during onboarding and ongoing operation. With the tailored remediation guidance based on cloud provider, Sysdig features, and specific status messages, Health Check simplifies troubleshooting and improves the onboarding experience.
For more information, see:
AWS
Azure
GCP
OCI
April 08, 2025
Multi-Factor Authentication
Users can now enable Multi-Factor Authentication (MFA) to add an additional layer of validation to their login. Once enabled, each login to Sysdig Monitor or Sysdig Secure must be validated with an authenticator app, such as Okta Verify or Google Authenticator. This improves your login security. For more details, see Multi-Factor Authentication.
April 04, 2025
Host Scanner v0.13.5
Sysdig released a new version of the Host Scanner with the following improvements:
- Fixed a defect where the host scanner was not getting the cluster name for Windows host scans.
- Added the label gcp.instance.name.
- Added fixes for the following vulnerabilities:
April 03, 2025
Enhanced Resource Drawers in Risk
Sysdig has improved the Risk experience with enhancements to the Resource details drawer. Now, when you select an Affected Resource under a Risk, or on the Inventory > Resources page, you can access everything Sysdig knows about the affected resources and relevant findings, such as vulnerabilities, events, misconfigurations, and metadata.
For more details, see View Resource Details.
Identity Risk without Log Ingestion
Sysdig now provides Basic CIEM (Cloud Infrastructure Entitlement Management) analysis as a standard functionality within CSPM (Cloud Security Posture Management), without requiring log ingestion.
Risk Policies such as Risky AWS Users and Data Exfiltration Risk in 1 Hop are available. Additional risks will be enriched with optional findings such as Permission Criticality, No MFA, and Administrative Access. You can access these configuration-based findings using Search.
The previous CIEM experience is now called Advanced CIEM, which includes analysis of in-use permissions and tailored remediations, such as Least Privilege Policy Optimization.
For more information, see Connect Cloud Accounts.
March 31, 2025
Posture for Windows Server in Standalone Hosts
Sysdig now provides compliance scanning for Windows Server standalone hosts, enabling security and regulatory compliance checks for Windows environments. This feature helps organizations enforce compliance policies and detect security misconfiguration.
With this new feature, Sysdig provides two new out-of-the-box policies:
- CIS Windows Server 2022 Benchmark v3.0.0
- CIS Windows Server 2019 Benchmark v3.0.1
These policies help organizations leveraging Windows Server standalone hosts align with industry standards like CIS, NIST, and ISO 27001.
This feature only supports standalone Windows Server hosts. It does not apply to Windows Server nodes running inside Kubernetes clusters, or Containers based on Windows images.
For installation, see Windows Hosts.
For more information, see Posture Policies Included.
Support for Host Scanning for Windows Server
Sysdig now provides coverage for Windows Server 2019 and 2022 with the GA release of Sysdig Host Shield for Windows 0.7.0.
This release provides coverage for Windows Server operating system vulnerabilities sourced from the Microsoft Security Response Center.
In addition, Sysdig Host Shield will detect any non-OS package vulnerabilities for supported languages.
March 28, 2025
CSV Export for Search and Time-based Queries
Search has been enhanced with the following functionalities:
- Intuitive Time-Based Queries: The Query Builder now includes a calendar picker and logical operators to easily filter and compare time-based attributes.
- CSV Export and Download History: You can now export Graph Search results as a CSV file for further analysis. The Download History option allows you to retrieve previously generated CSVs.
For more information, see Search.
CSPM Health Management
CSPM Health Management is now available in the Integrations page under Cloud Accounts in the Secure UI. This feature provides visibility into the health of cloud scans, helping users identify ingestion issues, coverage gaps, and scan failures.
Key capabilities are:
- Monitor CSPM health across AWS, Azure, Google Cloud, OCI, and IBM Cloud
- Identify ingestion issues affecting cloud resource visibility
- Track scan execution status and troubleshoot failures
This enhancement ensures continuous policy enforcement and better visibility into CSPM operations.
New and Updated CIS Posture Benchmarks
Sysdig has updated the CIS Posture Benchmarks for cloud service providers. In addition, we are introducing new CIS Posture Benchmark policies for Linux distributions. These updates include improved security controls and compliance checks, ensuring stronger alignment with industry best practices for securing cloud environments and Linux operating systems.
Cloud Providers
- CIS Amazon Web Services Foundations Benchmark v4.0.1
- CIS Amazon Web Services Foundations Benchmark v4.0.0
- CIS Google Cloud Platform Foundation Benchmark v3.0.0
- CIS Microsoft Azure Foundations Benchmark v3.0.0
- CIS Microsoft Azure Foundations Benchmark v2.1.0
Linux Distributions
- CIS Amazon Linux 2 Benchmark v3.0.0
- CIS Google Container-Optimized OS Benchmark v1.2.0
- CIS Talos Linux Benchmark v1.0.0
For more information, see Posture Policies Included.
March 27, 2025
Google Kubernetes Engine (GKE) Autopilot Security Posture Management (CSPM) Support
We are excited to announce full security posture management (CSPM) support for Google Kubernetes Engine (GKE) Autopilot in Sysdig Secure. With this release, security and DevOps teams can now detect misconfigurations, enforce security policies, and ensure compliance across their managed Kubernetes workloads in Google Cloud.
Additionally, this release includes the CIS Google Kubernetes Engine (GKE) Autopilot Benchmark policy, enabling you to assess your clusters against industry best practices.
For more information, see Posture Policies Included.
March 26, 2025
Tenant-Aware Hierarchical Posture Scanning
Sysdig is excited to announce the release of Tenant-Aware Hierarchical Posture Scanning, a new capability designed to streamline posture management in multi-tenant environments. This feature allows parent tenants to seamlessly integrate posture scanning results from child tenants, ensuring consistent policy application and reporting while eliminating the need for complex cross-region data transfers.
For more information, see Tenant-Aware Hierarchical Posture Scanning.
Improved Resource Drawer
Sysdig has released a major improvement to the Resource Details drawer. Now, when you select a resource in Inventory > Search, you can see everything Sysdig knows about a resource — all of its findings, vulnerabilities, events, misconfigurations, metadata, environment information, and more. This allows you to get the data you need, when you need it, all in one place.
For details, see View Resource Details.
March 25, 2025
Registry Scanner v0.8.0
- Added support for the following Operating Systems:
  - PhotonOS
  - CBL Mariner
  - Azure Linux
  - Suse Enterprise Linux 12 and 15
  - Suse Micro Linux
  - Microsoft Windows
- Added the config.scan.jobs.resources.limits.cpu parameter to allow configuring the CPU limits of the worker jobs.
- Added fixes for the following vulnerabilities:
March 24, 2025
Linux Host Support for In-Use
Starting with Linux Host Shield v13.8.0, Sysdig can recognize In-Use Packages on hosts.
This addition extends Sysdig coverage and helps reduce the scope of vulnerabilities you should prioritize for remediation, further reducing noise in an ever-expanding VM landscape.
For more information, see In-Use.
Sysdig CLI Scanner 1.22.0
- Adopted a new Fix Date process to align with the Vendor Fix Dates.
- Added the --platform parameter to scan a specific platform for a given image. See docs here.
- Resolved a defect in Windows image scanning where fix versions are not processed correctly, leading to potential false negatives or incorrect fix versions.
- Added backend scanning support for the following Operating Systems:
  - PhotonOS
  - CBL Mariner
  - Azure Linux
  - Suse Enterprise Linux 12 and 15
  - Suse Micro Linux
  - Microsoft Windows
For full coverage, see Vulnerability Feeds.
March 19, 2025
Reporting Vulnerability Management Fix Date
Historically, Sysdig aligned all vulnerabilities to VulnDB’s fix dates. Moving forward, Sysdig will align fix dates based on the following priority order:
- Vendor Fix Dates: Vendor fix dates will serve as Sysdig’s primary reference where applicable, ensuring alignment with vendor recommendations and fix availability.
- NVD Fix Dates: If vendor dates are unavailable, Sysdig will rely on the National Vulnerability Database fix dates.
- VulnDB Fix Dates: VulnDB fix dates will serve as a fallback when neither of the above options is available.
These changes are applied automatically, with no action required, when you use Sysdig backend scanning components such as Cluster Shield, Host Shield, and Registry Scanner (where enabled).
CLI Scanner users will receive this change in the 1.22.0 release.
Vulnerability Management Operating System Coverage
Added support for the following Operating Systems:
- PhotonOS (Host and Container)
- CBL Mariner (Host and Container)
- Azure Linux (Host and Container)
- Suse Enterprise Linux 12 and 15 (Host and Container)
- Suse Micro Linux (Host and Container)
- Microsoft Windows (Host and Container Images with CLI only)
These Operating Systems are available for Scanning with Sysdig backend enabled components in the following versions:
- Linux Host Shield 13.8.1
- Windows Host Shield 0.7.0
- Cluster Shield 1.10.0
- CLI Scanner 1.22.0
Activity Audit Data Retention Update
From today, the retention period for File Accesses (File) and Connections (Net) entries in Activity Audit has been reduced to 7 days. Kubernetes and Commands (Cmd) continue to be retained for 90 days.
If you need to retain events for longer periods, you can use Events forwarding to send logs to a storage solution of your choice. Additionally, Captures let you take snapshots of all the activity happening on the host when an event occurs, supporting you in triage and investigation.
For more details, see Data retention.
March 18, 2025
Host Scanner v0.13.4
Sysdig released a new version of the Host Scanner with the following improvements:
- Fixed a defect where the host scanner would generate excessive logs if the Docker or Podman daemon restarted or disconnected.
- Fixed a defect on Mariner detection.
- Added fixes for the following vulnerabilities:
March 12, 2025
SysQL Editor
You can now write and edit SysQL queries directly in the SysQL Editor. To access it, click the SysQL Editor icon on the top left of the Search page. Alternatively, open the three-dot menu in the Query Builder and select Edit in Code Editor.
This feature is in addition to the following options:
- Query Builder
- Sage-based search
For more information, see Search.
February 27, 2025
SysQL Public API
The SysQL query language helps you query the Sysdig Secure datastore. To help you programmatically interact with the Sysdig datastore over REST, Sysdig has released the following SysQL Public APIs:
GET /api/sysql/v2/query
POST /api/sysql/v2/query
GET /api/sysql/v2/schema
You can use these APIs to execute standard SysQL statements and query resource metadata stored in the datastore.
For more information, see:
CLI Scanner v1.21.0
Sysdig released a new version of the CLI Scanner with the following improvements:
- Added support for Windows Container images.
- Added support for Photon OS and SUSE.
- Improved model for managing package versions and version ranges, reducing false positives and false negatives.
- Improved the precision of matching RHEL custom Java package versions.
- Added support for “known not affected” vulnerabilities for CentOS, reducing false positives.
- Optimized vulnerability database to reduce disk space usage, memory consumption, and CPU load.
February 25, 2025
S3 Log Ingestion
Sysdig now supports another integration option to provide Cloud Detection and Response (CDR) and Identity & Access Management (IAM) features on AWS. Previously, only EventBridge was supported. From today, you can also integrate through S3. This gives you the option to choose between a faster but more expensive EventBridge method, or the more budget-friendly S3 method, while still providing runtime security coverage for your AWS accounts.
To set up log ingestion with S3, see Configure CDR and CIEM for AWS.
Registry Scanner v0.7.5
- Fixed a defect that prevented Registry Scanner from detecting vulnerabilities in Amazon Linux images.
- Added fixes for the following vulnerabilities:
February 18, 2025
Host Scanner v0.13.2
Sysdig released a new version of the Host Scanner with the following improvements:
- Fixed a regression bug introduced in v0.13.1 that made the application unresponsive on some Red Hat distributions.
February 13, 2025
CLI Scanner v1.20.0
Sysdig released a new version of the CLI Scanner with the following improvements:
- You can now export the vulnerabilities list in CSV format, either to standard output or as a CSV file.
- Added fixes for the following vulnerability:
For more details, see Running in VM Mode
February 12, 2025
Policy Unification for Vulnerability Management
Sysdig lets you create unified Vulnerability Management Policies, streamlining policy management across all stages—Pipeline, Registry, Runtime, and Admission Control. This enhancement brings unified policy definitions, greater flexibility with scope filters, and expanded support for registry policies.
- Registry Policy Support: Policies can now be applied to images scanned in registries, expanding coverage to all critical stages of your software development lifecycle.
- Unified Policy Definition: Policies are now defined once with a set of rules and scope filters. These policies can then apply to any or all stages—Pipeline, Registry, Admission Control, and Runtime—reducing complexity and duplication.
- Image Name scope for All Stages: Policies can now be scoped using filters such as Image Reference (also known as Image Name or Pullstring), enabling granular control and consistency across Pipeline, Registry, Runtime, and Admission Control.
The new unified policy system is available to all users of Vulnerability Management. Any existing policies remain functional. Existing policies will be converted automatically to an equivalent policy in the new unified model.
For more information, see Vulnerability Management Policies.
MLPS 2.0 and ITSG-33 Compliance Policies for China and Canada
Sysdig has expanded its compliance coverage with two new policies:
- Multi-Level Protection Scheme (MLPS) 2.0: China’s cybersecurity framework, defining four security levels based on system importance, risk impact, and required protections. Organizations must assess their level and implement corresponding controls, with Level 2+ systems requiring certified evaluations.
- Information Technology Security Guidance (ITSG-33): Canada’s cybersecurity standard, providing a structured catalog of security controls across Technical, Operational, and Management categories to support government security assurance.
These frameworks are critical for organizations operating in China and Canada, ensuring compliance with regulatory expectations and strengthening cybersecurity postures.
For more information, see Posture Policies.
February 10, 2025
OCI Support Now Generally Available
Oracle Cloud Infrastructure (OCI) support is now generally available across all regions. This milestone builds on Sysdig’s Controlled Availability (CA) phase, delivering multi-regional scanning for enhanced security visibility. OCI support is now available by default for all customers. Get started by onboarding your OCI tenants and compartments and leveraging Sysdig multi-region scanning to strengthen your cloud security posture.
Key Features:
- Multi-Regional Scanning: You can now assess your OCI security posture across multiple OCI regions, ensuring comprehensive coverage.
- Performance Enhancements: Improved efficiency in ingesting and processing OCI security findings within Sysdig Graph.
- Expanded Coverage: Security insights now span multiple regions, eliminating blind spots.
- Graph-Based Security Analytics: Fully integrated OCI resources and findings into Sysdig’s Graph, enabling deeper security correlation and the creation of Custom Risks.
- Out-of-the-box Compliance: An extensive library of 46 compliance policies with 103 controls specific to OCI.
February 07, 2025
Host Scanner v0.13.1
- Added fixes for the following vulnerabilities:
Registry Scanner v0.7.4
- Added a new parameter to enforce the use of Federal Information Processing Standards (FIPS) images. To perform this enforcement, set image.fips: true. For more details, see the Registry Scanner Helm Chart.
- Fixed a defect where the registry scanner was not using the correct FIPS validated endpoints for Amazon Elastic Container Registry (ECR) installations.
To use Registry Scanner v0.7.4, update Helm charts to version 1.6.8. To do this, run helm repo update.
February 05, 2025
Runtime Scanner v1.8.2
- Added fixes for the following vulnerabilities:
February 04, 2025
Registry Scanner v0.7.3
- Fixed a defect where the registry skipTLS was not being honored for AWS ECR installations
- Added fixes for CVE-2024-45339
February 03, 2025
Oracle Cloud Infrastructure (OCI) Support Release
Sysdig is excited to announce out-of-the-box (OOTB) support for Oracle Cloud Infrastructure (OCI), enabling you to seamlessly onboard your OCI tenants and compartments into Sysdig Secure.
Key Features:
- CSPM (Posture and Compliance) Support:
- Full visibility into your OCI resources, with actionable insights into posture and compliance findings.
- Automated assessments aligned with industry best practices and compliance standards.
- Compliance Policies: A robust library of 46 compliance policies, covering regulatory frameworks and security benchmarks tailored for OCI environments.
- CIS Benchmarks: Dedicated policies for OCI and OKE:
- OCI Benchmarks: 51 controls.
- OKE Benchmarks: 52 controls.
- Graph-Based Security & Custom Risk Creation: All OCI resources and findings are fully ingested into Sysdig’s Graph. This means:
- Resources and findings are accessible via Graph Search and SysQL.
- You can create Custom Risks by leveraging graph-based queries and correlations.
- OCI data is seamlessly integrated with other multi-cloud security insights in the platform.
This release delivers comprehensive coverage for OCI, ensuring compliance, enhanced security posture, and a faster path to meeting governance standards. With a total of 46 supported policies, your OCI workloads are secured and aligned with best practices.
For instructions on setup, onboarding OCI tenants, and accessing compliance reports, see Connect Oracle Cloud.
January 30, 2025
Registry Scanner v0.7.2
- Fixed a defect where the main job tries to grab logs from the workers.
- Added fixes for the following vulnerabilities:
January 27, 2025
New Compliance Policies for CAF, SOX, and FISMA
The following policies expand compliance coverage and enhance security:
- NCSC Cyber Assessment Framework (CAF): Aligns with the UK National Cyber Security Centre (NCSC) guidelines for assessing and improving cyber resilience.
- Sarbanes-Oxley (SOX) Act: Ensures compliance for financial reporting controls and regulations.
- Federal Information Security Modernization Act (FISMA): Supports compliance with US federal information security standards.
For more information, see Posture Policies Included.
Event Feed Grouping
In the Events Feed in the Threats module, you can now group events in a variety of ways, such as by policy, rule, clusters, workloads and cloud accounts. This lets you construct useful lists of events according to your needs. For more details, see Group By.
January 22, 2025
CLI Scanner v1.19.2
Sysdig released a new version of the CLI Scanner to fix a defect that caused an error in policy evaluation in on-prem environments.
January 21, 2025
New Posture Policies for AKS, OpenShift, FERPA, GLBA, and NERC CIP
The following policies have been added to enhance security and compliance across key platforms and regulations:
- CIS Azure Kubernetes Service (AKS) Benchmark v1.5.0: Offers improved security guidance for Azure Kubernetes environments based on the CIS v1.5.0 benchmark.
- CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0: Incorporates the latest best practices to ensure compliance with the CIS v1.6.0 benchmark for AKS.
- CIS Red Hat OpenShift Container Platform Benchmark v1.6.0: Enhances compliance for OpenShift environments in accordance with the CIS v1.6.0 benchmark.
- CIS Red Hat OpenShift Container Platform Benchmark v1.7.0: Strengthens compliance for OpenShift environments in alignment with the CIS v1.7.0 benchmark.
- Family Educational Rights and Privacy Act (FERPA): Ensures compliance with data privacy and security requirements for educational institutions handling student records.
- Gramm-Leach-Bliley Act (GLBA): Supports financial institutions in meeting data security and privacy obligations under GLBA.
- NERC Critical Infrastructure Protection (CIP): Addresses the cybersecurity requirements for bulk electric system entities, ensuring compliance with NERC CIP standards.
For more information, see Posture Policies Included.
January 16, 2025
Host Scanner v0.13.0
Sysdig released a new version of Host Scanner with the following improvements:
- Support for OpenSUSE and AlmaLinux
- Added the HOST_DIRS_TO_SKIP environment variable, which lets you specify a list of folders to skip while scanning the host
- Added the IGNORE_CONTAINER_SCAN_INIT_FAILURE environment variable, which can be configured to continue operation when container scanning is enabled and the host-scanner fails to connect to the container runtime's socket
- Fixed a defect that prevented Cloud and K8s metadata from being propagated to the backend when performing container scanning
- Fixed a defect that could prevent the scan result from being generated if the host had a large number of kernels installed
- Fixed the CVE-2024-45338 vulnerability
January 14, 2025
Vulnerability Management API v1
Sysdig has upgraded the existing Vulnerability Management API to v1. The API v1 enhances consistency and alignment with platform API standards, and offers improved response schema. See Vulnerability Management API V1 for more information.
Note that the v1beta1 version of the API will be retained for backward compatibility during the following 6 months, with no further changes or evolution. If you are using the older version, we recommend that you upgrade to v1.
January 10, 2025
CLI Scanner v1.19.0
Sysdig released a new version of the CLI Scanner with the following improvements:
- Support for OpenSUSE and AlmaLinux
- Added support for Red Hat Extended Update Support (EUS) feed
- Added fixes for the following vulnerabilities:
Vulnerability Detection Supported on AlmaLinux and OpenSUSE
You are now able to detect, generate SBOMs, and receive scan results using the CLI Scanning, Host Scanner, and Agentless Scanning on AlmaLinux and OpenSUSE platforms.
January 08, 2025
Track Risk Acceptance Actions of Users
Sysdig has enhanced its Vulnerability Management capabilities by introducing the ability to track user actions related to risk acceptance. You can now easily discover:
- Which user created the risk
- Which user last updated the risk
- When these actions occurred
These enhancements provide greater transparency and control over risk acceptance and update workflows, enabling you to manage vulnerabilities more effectively.
For more information, see Accepted Risk for Vulnerabilities.
January 07, 2025
Full Custom Controls for Kubernetes
Sysdig now offers the ability to create Custom Controls for Kubernetes via Terraform. You now can create controls from scratch by defining your own REGO code, remediation playbooks, and control severity.
For more information, see Create Custom Controls with Terraform.