Sysdig Documentation

Reports

Image Scanning Reports

Overview

Please contact Sysdig Support to enable this feature.

The reports feature allows users to query the contents of a scan against a static or run-time scope to generate a report that shows the risk, exposure, or components of an image.

Use cases could include:

  • A new CVE has been announced; let me find all the running images in my US East Cluster that are exposed to that CVE

  • Show me all images within my Google Container registry that have the tag prod and have a vulnerability with a fix that's more than 30 days old

  • Show me all images with a high severity vulnerability with a fix that are running in my billing namespace

Run a Report

  1. Select Image Scanning > Reports.

    The Reports interface is displayed.

  2. Select the appropriate query parameters and click Run.

    • Type: Changes the columns that are displayed and the conditions available to filter the report output

      • Vulnerability: Get a list of vulnerabilities based on Vuln ID, Severity, Fix, package name, etc.

      • Package

      • Policy

    • Scope: Which images are queried as part of this report

      • Static: Evaluate images based on their registry context. To evaluate all images with a “Prod” tag with your Example Prod Image Policy, use the assignment (registry/repo/tag): */*/Prod

      • Runtime: Evaluate images based on the labels exposed from the run-time containers, cloud providers, and orchestrators such as Kubernetes

    • Condition: How to further filter the report results to generate meaningful results. More details are shown in each breakdown of the query type.

  3. Optional: Click Download CSV to capture the report.

Note

You must select at least one condition or add a repository scope to successfully generate a report.

Query by Vulnerability

This report returns rows of vulnerabilities mapped to packages within images in a static or run-time scope. In the image below, a search for a particular vulnerability (CVE-2017-8831) shows the two images actively running in the environment with the CVE.

Condition fields available are:

  • Vuln ID

  • Severity

  • Fix Available?

  • Package Name

  • Package Version

  • Age

Query by Package

This report shows all images actively running in the environment that have a version of the package. It also shows if multiple images are running the same package name & version and if there are any CVEs associated.

Condition fields available are:

  • Package Name

  • Package Version

Query by Policy

Policy reports show all the policy evaluations that have occurred, whether they passed or failed, and the reason why an image may have passed or failed. Reasons for passing or failing could include whitelists, blacklists, or simply a standard policy evaluation.

Condition fields available are:

  • Evaluation Results (Pass/Fail)

  • Reason (Whitelist, Blacklist, Error, Policy Evaluation)

  • Age