Sysdig On-Premises Release Notes

Here are the most recent release notes for the On-Premises version of Sysdig Platform. Review the entries to learn about the latest features and enhancements.
  • Supported Web Browsers: Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested with the same rigour.
  • Falco Rules: You may also want to review the update log for Falco Rules used in the Sysdig Secure Policy Editor.

7.3.1 Hotfix Release, August 2025

Upgrade Process

Supported Upgrades From: 6.x, 7.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Defect Fixes

This hotfix fixes an issue with Neo4j installations when deployed in non-default custom namespaces.

7.4.0 Release, August 2025

Upgrade Process

Supported Upgrades From: 6.x, 7.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation. If you are currently using an on-prem version below v6.15.x and plan to upgrade to v7.4.0, ensure that you have first upgraded to any on-prem version up to v7.2.x before upgrading to v7.4.0.

Sysdig Platform

Helm Values Restructuring

As of release v7.4.0, we’ve restructured the values.yaml file used in our Helm charts to improve clarity, modularity, and maintainability. This includes:

  • Clear separation of global and service-level configurations
  • Removal of duplicate or redundant values
  • Enhanced consistency across all configuration sections

These changes affect both internal Helm charts and customer-provided user.values.yaml files. To make the transition easier, a new Installer migrate-values command helps migrate existing user.values.yaml files to the new structure. Contact Sysdig Support to open a support case for guidance and assistance with the upgrade process.

IP Allowlist

You can now control which IP ranges/IP addresses are allowed to access your Sysdig UI/API. For more details, see IP Allowlist.

Sysdig Secure

Kubernetes Security Posture Management (KSPM)

You can now use Kubernetes Security Posture Management (KSPM), enabling posture assessment and compliance monitoring directly within your On-premises Kubernetes clusters. This feature allows users to evaluate configuration risks and monitor compliance across their infrastructure.

The KSPM module checks selected controls from various compliance standards, then compiles and reports the findings, enabling the following:

  • Automated checks based on CIS Benchmarks for Kubernetes, Docker, and supported Linux distributions.
  • Predefined assessments for regulatory frameworks (e.g., PCI-DSS, NIST, ISO 27001).
  • Policy management, posture dashboards, and findings drill-down by cluster, node, and workload.
  • Compliance reporting tools for audit and governance use cases.

See the list of supported benchmarks and standards.

Admission Controller

Admission Controller is a Kubernetes-native component that evaluates resource creation requests after they are authenticated and authorized, but before they are deployed to the cluster. It applies real-time security policies, from posture controls to image scanning rules, to block non-compliant workloads at deploy time, and enables a shift-left approach by preventing risky configurations and vulnerable images from reaching production. This reduces runtime exposure and strengthens security posture across Kubernetes environments.

Admission Controller enables multiple layers of security checks across runtime security, audit logging, and posture management with the following features:

  • Deploy-Time Image Scanning: Admission Controller integrates with scan policies to evaluate images at deployment time, blocking workloads that use images with CVEs, misconfigurations, or policy violations. Workloads are rejected before scheduling to a node, eliminating unnecessary risk.
  • Kubernetes Audit Logging: This feature enables Audit Detections to record API-level admission decisions, including who attempted deployments, when, and why actions were allowed or blocked. This provides a complete audit trail for security investigations and policy tuning.
  • Kubernetes Posture Enforcement: This feature applies posture policies to define best practices, such as preventing privileged containers, enforcing non-root users, or applying resource limits. The Admission Controller evaluates these policies during admission and blocks non-compliant deployments. You can assign different policies per Zone to account for environment-specific constraints (for example, staging versus production).

Once enabled, you can use Admission Controller to integrate Kubernetes Security Posture Management (KSPM) and Vulnerability Management (VM) into your deployment workflows. For more details, see Install and Configure Admission Controller.
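The posture-enforcement flow described above, sketched as an added example (not Sysdig code and not taken from the product): a generic Kubernetes AdmissionReview handler that applies a different rule set per zone and denies a Pod before it is scheduled. The rule functions, the ZONE_POLICIES mapping and the sample request are hypothetical, and only Pod objects are evaluated.

```python
# Added illustration: generic Kubernetes AdmissionReview (admission.k8s.io/v1)
# handling, not Sysdig code. Rule names and ZONE_POLICIES are hypothetical.

def _containers(spec):
    return (spec.get("initContainers") or []) + (spec.get("containers") or [])

def _sc(obj):
    return obj.get("securityContext") or {}

def no_privileged(spec):
    return [f"{c['name']}: privileged container" for c in _containers(spec)
            if _sc(c).get("privileged") is True]

def non_root(spec):
    pod_default = _sc(spec).get("runAsNonRoot")
    # A container-level runAsNonRoot overrides the pod-level value.
    return [f"{c['name']}: runAsNonRoot is not enforced" for c in _containers(spec)
            if _sc(c).get("runAsNonRoot", pod_default) is not True]

def resource_limits(spec):
    return [f"{c['name']}: missing cpu/memory limits" for c in _containers(spec)
            if not {"cpu", "memory"} <= set((c.get("resources") or {}).get("limits") or {})]

ZONE_POLICIES = {  # stricter policy in production than in staging
    "production": [no_privileged, non_root, resource_limits],
    "staging": [no_privileged],
}

def review(admission_review, zone):
    req = admission_review["request"]
    violations = []
    if req["kind"]["kind"] == "Pod":
        spec = req["object"].get("spec") or {}
        # Unknown zone: fail closed by applying the strictest policy.
        for rule in ZONE_POLICIES.get(zone, ZONE_POLICIES["production"]):
            violations += rule(spec)
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample request: limits are set, but nothing enforces non-root.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-0001", "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "object": {"metadata": {"name": "web"}, "spec": {"containers": [{
        "name": "app", "image": "registry.example/web:1.0",
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    for zone in ("staging", "production"):
        print(zone, review(SAMPLE, zone)["response"])
```

The same Pod is admitted in staging and rejected in production, and the denial message names the rule that fired, which is the information an admission audit trail needs for policy tuning.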

Expanded Operator Support for Vulnerability Management Policies

You can now filter Vulnerability Management policies with operators for granular control and flexibility in crafting precise policies across your pipeline, registry, runtime, and admission control surfaces.

  • Pipeline & Registry now support starts with, is, is not, contains, and not contains.
  • Runtime now supports starts with, is, is not, contains, and not contains.

Drift Detection Policy Enhancements

Sysdig has updated the Drift Detection Policy (formerly known as the Container Drift Policy) with enhancements to optional rules and event descriptions.

The Drift Detection Policy supports three optional rules:

  • Detect Binary Drift: Detects binaries added or modified after container deployment.
  • Detect Volume Drift: Detects all binaries originating from mounted volumes.
    • To enable this rule independently of Detect Binary Drift, you need shield version 14.0+. For details, see Policy Rules.
  • Block Prohibited Binary Execution: Blocks execution of detected drifted binaries.
    • Requires agent version 13.2.0+.

Drift Detection Policy events now detail the precise reason they were created, for example, which rule triggered the event.

These improvements let you fine-tune your Drift Detection policies, and offer your security and operations teams greater transparency into the drifted binaries, containers and volumes in your environments, ensuring faster investigation and response.

For more details, see Configure a Drift Detection Policy.

7.3.0 Release, June 2025

Upgrade Process

Supported Upgrades From: 6.x, 7.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Platform

Multi-Factor Authentication

You can now enable Multi-Factor Authentication (MFA) to add an additional layer of validation to your Sysdig login. Once enabled, each login to Sysdig Monitor or Sysdig Secure must be validated with an authenticator app, such as Okta Verify or Google Authenticator. This improves your login security.

For more details, see Multi-Factor Authentication.

Sysdig Secure

Response Actions

You can now respond to Runtime events using the following Response Actions:

  • Kill/Stop/Pause container
  • Kill process
  • File acquire
  • File quarantine

With the required permissions, you can execute response actions from the Events Feed. This enables you to contain threats and gather information to support investigations. Some response actions can even be reverted if taken by mistake, or as a temporary counter-measure. To use response actions, update your agents to version 13.9 or above and configure them accordingly. See Response Actions for more details.

Vulnerability Management Improvements

Sysdig Secure introduces significant improvements to Vulnerability Management with an updated vulnerability database and the following enhancements:

  • Windows Container Image Support: CLI Scanner now supports scanning Windows container images. Host Shield v0.7 adds Windows host support.
  • Broader OS Coverage: Vulnerability Management now supports PhotonOS and SUSE across all major scanners.
  • Improved Matching Accuracy: Enhanced handling of complex version formats and RHEL-specific packaging, reducing false positives and negatives.
  • Reduced False Positives on CentOS: Improved alignment with RHEL advisories, significantly reducing noise in scan results.
  • Improved Performance: The updated database is approximately 40% smaller than the previous database, lowering memory and compute usage for faster, more efficient scans.

The updated database is fully integrated with Cluster Shield, Host Scanner, and Registry Scanner components. To take advantage of these improvements using the CLI Scanner, ensure you’re running version 1.22.0 or later.

7.2.0 Release, April 2025

Upgrade Process

Supported Upgrades From: 6.x, 7.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Platform

Sysdig Documentation Hub in Airgap Environments

Sysdig documentation is now available through the UI for airgapped environments. Find it under the Help section of the user menu in the bottom left corner of the Secure or Monitor UI.

Sysdig Secure

Automations for Vulnerability Management Risk Acceptance

The Sysdig Secure Automations module now supports Vulnerabilities Accepted Risks automations. This lets you create automated actions, such as sending notifications via email, Slack or MS Teams, in response to events related to Risk Acceptance in Vulnerability Management, such as:

  • Risk Acceptance Created
  • Risk Acceptance Updated
  • Risk Acceptance Deleted
  • Risk Acceptance Expired
  • Risk Acceptance Expiring

For more information, see Automations.

Vulnerability Management Policies Public API

The Unified Vulnerability Management Policies are now exposed via the Public API, allowing you to streamline policy management across all stages: Pipeline, Registry and Runtime.

7.1.0 Release, April 2025

Upgrade Process

Supported Upgrades From: 6.x, 7.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Secure

YARA Rules and Regex Exceptions for Malware Control Policy

You can now utilize YARA rules, maintained by Sysdig’s Threat Research Team, to enhance the Malware Control policy’s detection capabilities. You can customize exceptions for files, processes, and hashes with Regex or exact string matching. For more information, see Malware Control Policy — Detect.

Policy Unification for Vulnerability Management

You can now create unified Vulnerability Management Policies, streamlining policy management across all stages: Pipeline, Registry and Runtime. This update brings unified policy definitions, greater flexibility with scope filters, and expanded support for registry policies.

The new unified policy system is available to all users of Vulnerability Management. Existing policies remain functional, and will be automatically converted to an equivalent policy in the new unified model.

For more information, see Vulnerability Management Policies.

  • Unified Policy Definition: Policies are now defined once with a set of rules and scope filters. These policies can apply to any or all stages: Pipeline, Registry, and Runtime. This removes the need for policy duplication and reduces complexity.

  • Registry Policy Support: Policies can now be applied to images scanned in registries, expanding coverage to all critical stages of your software development lifecycle.

  • Image Name Scope for All Stages: You can now scope policies using filters, such as Image Reference (also known as Image Name or Pullstring). This gives you granular control and ensures consistency across Pipeline, Registry and Runtime.

7.0.0 Release, February 2025

Upgrade Process

Supported Upgrades From: 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Platform

Next Gen Sysdig API Documentation

The Next Gen API Docs are the new and standardized documentation for both Sysdig Secure and Monitor APIs. To access them, see Next Gen API Docs.

Sysdig Secure

Zones

You can now use Zones to filter the results across Vulnerability Findings and the Events feed. A zone is a collection of scopes that represent logical groupings of your infrastructure or workloads. For example, you can create a zone for your production environment, a staging environment, or a region. They allow you to scope the infrastructure based on specific attributes for Hosts, Kubernetes, Image and Git. For more information, see Zones.

Configurable Data Retention for Scan Results

You can now configure the data retention period for Pipeline and Registry scan results, up to a maximum of 90 days. For more information, see Scan Results Retention.

Automations for Vulnerability Findings (Technical Preview)

You can use the new Sysdig Secure Automations feature to create automated actions, such as sending notifications via email and Slack, in response to conditions you specify. You can use this feature to create automations to alert on any new Vulnerability Findings. For more information, see Automations.

The feature is not enabled by default and requires a new Graph datastore added to the Sysdig On-Premise backend. As a result, this release may require additional hardware resources. Contact Sysdig Support to open a support case for guidance and assistance with the upgrade process.

Sysdig Monitor

Enhanced IOPS & NFS Visibility

Sysdig introduced the following metrics to enhance IOPS and NFS visibility at the filesystem mount level:

NFS Host
  • sysdig_host_fs_nfs_op_count
  • sysdig_host_fs_nfs_op_request_count
  • sysdig_host_fs_nfs_op_sent_bytes
  • sysdig_host_fs_nfs_op_recv_bytes
  • sysdig_host_fs_nfs_op_queue_time_us
  • sysdig_host_fs_nfs_op_round_trip_time_us
  • sysdig_host_fs_nfs_op_total_client_time_us
NFS Container
  • sysdig_container_fs_nfs_op_count
  • sysdig_container_fs_nfs_op_request_count
  • sysdig_container_fs_nfs_op_sent_bytes
  • sysdig_container_fs_nfs_op_recv_bytes
  • sysdig_container_fs_nfs_op_queue_time_us
  • sysdig_container_fs_nfs_op_round_trip_time_us
  • sysdig_container_fs_nfs_op_total_client_time_us
IOPS
  • sysdig_fs_file_total_time
  • sysdig_fs_file_open_count
  • sysdig_fs_file_error_total_count
  • sysdig_fs_file_total_bytes
  • sysdig_fs_file_in_bytes
  • sysdig_fs_file_out_bytes

For additional details, see Metrics Dictionary.

Defect Fixes

  • Fixed the login issue when using OpenID Connect integration.
  • Fixed the issue with setting up a Custom Role when using LDAP integration.

6.14.3 Hotfix Release, February 2025

Upgrade Process

Supported Upgrades From: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Defect Fixes

This hotfix fixes an issue with setting up a Custom Role when using the lightweight directory access protocol (LDAP) integration.

6.16.2 Hotfix Release, January 2025

Upgrade Process

Supported Upgrades From: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Defect Fixes

This hotfix fixes the issue with authentication when using OpenID Connect.

6.16.1 Release, January 2025

Upgrade Process

Supported Upgrades From: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Secure

Platform Audit Logs for CLI Scanner

Sysdig Platform Audit Logs now record the following CLI Scanner actions:

  • vm-collector-write
  • vm-policies-read
  • vm-policies-write
  • vm-riskacceptance-read-scanner
  • vm-riskacceptance-read-ui
  • vm-riskacceptance-write-ui

Track Risk Acceptance Actions of Users

Sysdig has enhanced its Vulnerability Management (VM) capabilities by introducing the ability to track user actions related to risk acceptance. You can now easily discover:

  • Which user created the risk
  • Which user last updated the risk
  • When these actions occurred

These enhancements provide greater transparency and control over risk acceptance and update workflows, enabling you to manage vulnerabilities more effectively. For more information, see Accepted Risks for Vulnerabilities.

Hide Accepted Risks

You can now hide accepted risks. This lets you focus on unresolved vulnerabilities. To support this, the Sysdig Vulnerability Overview pages and the Vulnerabilities tab on the scanning result pages now include a Risk Acceptance filter. This filter helps you view All Risks or Accepted Risks, or hide accepted risks by selecting Risk Not Accepted. For more information, see Filters.

SBOM Download Button

You can now download a complete Software Bill of Materials (SBOM) from your scan results in CycloneDX JSON format. For more information, see SBOM Download.