SaaS: Sysdig Secure Release Notes


You may also want to review the update log for Falco rules used in the Policy Editor: Falco Rules Changelog.

May 11, 2020

Optimized Runtime Page

We’ve released a new Runtime page for the Image Scanning module within Sysdig Secure. Improvements include:

  • Filtering based on pass/fail/unscanned

  • The ability to search results for a specific image

  • Optimized queries to improve response times


For more information, see Review Scan Results.

April 20, 2020

Added Automatic Image Scanning using Node Analyzer

The node image analyzer provides the capability to scan images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agent container.

This component was introduced to reduce dependencies on analyzing images within the Sysdig backend (SaaS or On-prem). Some advantages include:

  • Sharing credentials with the Sysdig backend in order to pull images is not required

  • Sharing the image content and potentially code with the Sysdig backend is not required; only metadata will be sent out

  • Opening a network route to allow the Sysdig backend to reach the user's registries is not required


If you have run the single line agent install with the --image-analyzer flag, then this component is already running in your infrastructure.

The feature is available for Kubernetes environments.

For more information, see Scan Running Images.

April 13, 2020

Added Image Scanning Integration Options

Two new scanning integrations are available for CI/CD pipelines. Sysdig provides:

  • A reference implementation with Tekton Pipelines (prototype)

  • A fully supported integration with Amazon Elastic Container Registry (ECR) for triggering auto-scans from the registry

Integrating Secure Image Scanning with Tekton Pipelines

Tekton Pipelines allow you to implement CI/CD workflows using a highly modular, cloud-native approach that:

  • Uses containers as the building blocks for individual tasks

  • Runs directly on Kubernetes/OpenShift without requiring a dedicated infrastructure

  • Uses tasks that are purely declarative and described using their own CRD, making them easily composable and reusable

Sysdig's reference implementation details the prototype task to invoke Sysdig Secure image scanning as a pluggable step in your CI/CD pipeline with just a YAML file:


Leveraging Tekton integration with the orchestration layer, you can retrieve the image scanning policy evaluation and state (pass/fail) directly from the logs of the task pod.

Read the “Securing Tekton pipelines in OpenShift with Sysdig” blog post for additional details

Integrating Secure Image Scanning with Amazon ECR

Automatically scan images pushed to your Amazon Elastic Container Registry (ECR) using AWS-native technologies and Sysdig Secure.

Sysdig image scanner integration is deployed as a CloudFormation template that listens to ECR registry events and uses AWS resources to streamline the image scanning process.

  • ECR itself will trigger the scan, no need for your CI/CD pipelines to actively pull from the registry

  • Deployed in a few clicks, you just provide basic configuration parameters such as the Sysdig API token or the Sysdig backend URL

  • No need to configure registry scanning credentials on the Sysdig Secure side


This integration offers two different operation modes

Inline scanning:

  • Scanning will be performed inside an AWS CodeBuild pipeline allocating ephemeral resources

  • No need to configure any registry credentials for Sysdig Secure

  • No need to expose your ECR registry to the Sysdig Secure backend

  • Sysdig Secure will not retrieve the image contents, only the metadata that is required to perform the policy evaluation

Backend scanning:

  • Sysdig Secure will retrieve the full image contents in order to perform the scan

  • Your ECR registry must be reachable by the Sysdig Secure backend

  • Registry credentials are required, but they are pushed automatically by a lambda function, no need for manual configuration

See also: Amazon ECR Integration.

April 9, 2020

Updates to Default Rules and Policies

The following changes have been made to default Policies in Sysdig Secure, and to default Falco rules:

  • New rule tags added that map Falco rules to PCI and NIST controls

  • New default policies added specifically for PIC/NIST compliance

  • Tuning modifications for:

    • Write below etc

    • Write below root

    • Change thread namespace

    • Run shell untrusted

    • Detect outbound connections to common miner pool ports

For more information, see also Falco Rules Changelog.

April 7, 2020

Updated Inline Scan Script

  • Added header values for import API for better supportability.

  • Upgraded to Anchore engine v0.6.1.

  • Use docker:dind instead of ubuntu for the base image. This reduces the image size and speeds up downloading.

Sysdig Secure SaaS: The latest version of the inline script will always be available at

Sysdig Secure On-prem: Users need to specify the backend version they are running, following a versioned download format:

Sysdig Secure 3.2 -

Link to repo for script source code:

March 12, 2020

New Get Started Page

The Get Started page provides the key steps to ensure users are getting the most value out of Sysdig Secure. We’ll update this page with new steps as we add new features to Sysdig Secure. 


The Get Started page also serves as a linking page for:

  • Documentation

  • Release Notes

  • The Sysdig Blog

  • Self-Paced Training

  • Support

Users can access the page at any time by clicking the rocketship in the side menu.

Linux CIS Benchmark

Sysdig Agents can run the Independent Linux benchmark against the underlying host where the agent is installed. The Linux benchmark can be scheduled to run at a chosen interval in your environment and emits results and metrics about the status of the tests.


Openshift Hardening Guide

The Openshift hardening guide implements configuration checks run by the agent against Openshift environments.


Note: This is supported for 3.x versions of Openshift. When Openshift releases a hardening guide for 4.x versions, we will update the configuration checks.


Captures can be Routed to Specific Storage Locations

As a user, you may have different S3 buckets where you’d like to store Sysdig captures, based on the environment where the policy event was triggered. New options are available for deciding what storage option you’d like to use for each policy event.


Feeds Status

It’s useful to understand the last time the feeds were updated, especially in self-hosted environments. The Feeds Status page shows the different vulnerability feeds we integrate with, their feed group (often the distro version), the time of the last sync, and how many CVE records are present in the feed group.


March 5, 2020

Inline Scanning Reporting Improvements and Documentation

This script from SysdigLabs is useful for performing image analysis on locally built container images and posts. The only dependency for this script is access to docker-engine, Sysdig Secure endpoint (with the API token) and network connectivity to post image analysis results.

Here are examples of using the inline scanner in different pipelines:

PDF Reports from the Inline Scanner

A new option

-R  [optional] Download scan result pdf report

will generate a PDF artifact that is available for developers to consume in the pipeline.

February 6, 2020

Data Retention Limits for Scan Results

Use this feature to set limits on how long image scan metadata is stored, either by tags or days. This removes stale data and helps keep scan results easy to read.


See Set Data Retention Limits for details.

January 29, 2020

Enhanced Kubernetes Audit Log Integration

We’ve extended our test and documentation coverage for various Kubernetes audit log integrations. This integration enables Sysdig Secure to use Kubernetes audit log data for Falco rules, activity audit, and to test the impact of Pod Security Policies.

We now have examples for:

  • OpenShift

  • Minishift

  • Kops

  • GKE

  • EKS

  • RKE

  • IKS

  • Minikube

Read more here: Kubernetes Audit Logging.

Vulnerability Scan Results Comparison

In image scanning reports, the vulnerability comparison feature allows users to compare two different tags within the same repo to see which vulnerabilities are new or have been fixed in version X compared to version Y.

This allows developers easily to compare the latest image to a previous version to easily report on which vulnerabilities have been addressed and which are new.


See Review Vulnerability Summaries for details.

January 28, 2020

File Data Source Support for Activity Audit

Sysdig Secure’s Activity Audit now supports a new data source element: File activity.


Sysdig agent version 9.5.0+ is required to enable this new data source.

  • You can now filter the audit trail by file type or specific file attributes:

    • File name

    • Directory

    • Command (used to access the file)

    • Access mode

  • File activity is also visible in the time-series graph at the top (pink color):

  • Activity Audit will capture non-read file operations executed by interactive commands

January 27, 2020

RBAC Capability Available in Sysdig Secure

The new role-based access control (RBAC) model available in Sysdig Secure allows you to define the access privileges granted to each user in a Sysdig Secure team.

Besides the Admin role, which has full access and belongs to every team, there are four roles that can be assigned when adding a user to a team. (Note that the role names are the same in Monitor and Secure, but the privileges differ slightly. Users must be assigned Monitor team roles and Secure team roles separately.)

  • View Only: Read access to every Secure feature within the team scope. A View Only user cannot modify runtime policies, image scanning policies, or any other content.

  • Standard User: Can push container images to the scanning queue and view the image scanning reports. Standard Users can also display the runtime security events within the team scope. They cannot access the Benchmarks, Activity Audit. or Policy definition sections of the product.

  • Advanced User: Can access every Sysdig Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage other users.

  • Team Manager: Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.


    Team Managers only have user administration rights within the specific team(s) for which they are designated Managers.


See User and Team Administration for details.

January 16, 2020

Redesigned Captures Page

The Captures function in Sysdig Secure has a new look and the following usability improvements:

  • Bulk deletion of capture files

  • Ability to see whether a capture was triggered manually or by a policy

  • Search across all capture files


November 13, 2019

Activity Audit (Beta)

The Activity Audit in Sysdig Secure allows you to browse a live stream of activity from your Kubernetes containers and nodes. Audit takes the highly detailed data from syscalls and Kubernetes audit logs captured at the agent level, and makes it always-on, searchable, and indexed against your cloud-native assets.

This stream includes executed commands, network activity, and kubectl exec requests to the Kubernetes API. The Activity Audit allows users to view different data sources in-depth for monitoring, troubleshooting, diagnostics, or to meet regulatory controls (SOC2, NIST, PCI, etc).


Flexible filtering and scoping to help you focus on what’s relevant: Filters allow you to search, sort, and surface meaningful data and connections as they are needed. You can filter by data source type, data source attributes (like command name or Kubernetes user) and dynamic Kubernetes scope


Automatically trace a kubectl exec session : The built-in trace functionality allows you to isolate and trace a kubectl exec access to a pod, automatically correlating the original Kubernetes user and IP that accessed the pod with the activity that was performed during the interactive session, including commands and network connections.


Kubernetes Policy Advisor (Beta)

With the Kubernetes Policy Advisor, Sysdig Secure auto-generates Pod Security Policies (PSPs) to significantly decrease the time spent configuring Kubernetes Policies. Strict security policies reduce risk, but can also break applications. Sysdig tests the impact of pod security policies through simulations, enabling teams to adjust misconfigurations before shifting to production. There are three main features that comprise the Kubernetes Policy Advisor:

Auto generation: Sysdig Secure can parse any Kubernetes yaml file that includes a pod spec to generate a tailor-made PSP based on the configuration.


Simulations: Start a simulation of the auto-generated PSP or any user-inputted PSP to see what pods would have been blocked from running if this PSP had been actively applied to the cluster.


Events and tuning: Each pod/activity that would have violated the PSP will generate an event. Within the event details, users can see information about potential modifications they may need to make to the policy or the pod configuration.


Image Scanning Improvement

Support for images based on Google distro-less OS, including detection of base OS/version and installed OS dpkg packages.

November 4, 2019

Scanning Improvements

New Scanning Rules

File attributes can now be verified as part of the image scan analysis. A specific file can be validated against a node or sha256 hash.


Scale Improvements to Scanning Reporting

No query conditions are required as part of the Package and Policy Queries.

October 10, 2019

In-Line Scanning

Images can now be analyzed locally before they are pushed to a registry. This has a couple key benefits to users.

  • Images can be analyzed before they’re pushed to a registry and reduce registry cost

  • Customers using the Sysdig Secure SaaS offering don’t need to expose their registry to our SaaS for images to be scanned

  • For openshift customers the in-lince scan option can be integrated into the S2I process to scan images without needing to expose a local cluster registry via a route

Learn more and access the script here:

Sysdig CLI

The Sysdig CLI provides an easy way to interact with the cli via the command line. Read more here.


Run it without parameters to get a list of all the commands.

$ sdc-cli
Usage: sdc-cli [OPTIONS] COMMAND [ARGS]...

  You can provide the monitor/secure tokens by the SDC_MONITOR_TOKEN and
  SDC_SECURE_TOKEN environment variables.

  -c, --config TEXT  Uses the provided file as a config file. If the config
                     file is not provided, it will be searched at
                     ~/.config/sdc-cli/config.yml and /etc/sdc-cli/config.yml.
  -e, --env TEXT     Uses a preconfigured environment in the config file. If
                     it's not provided, it will use the 'main' environment or
                     retrieve it from the env var SDC_ENV.
  --json             Output raw API JSON
  --version          Show the version and exit.
  --help             Show this message and exit.

  alert       Sysdig Monitor alert operations
  backup      Backup operations
  capture     Sysdig capture operations
  command     Sysdig Secure commands audit operations
  compliance  Sysdig Secure compliance operations
  dashboard   Sysdig Monitor dashboard operations
  event       Sysdig Monitor events operations
  policy      Sysdig Secure policy operations
  scanning    Scanning operations
  settings    Settings operations
  profile     Profile operations

New Package Reports

Package name/version are now grouped together to provide easy parsing of all CVE’s associated with a package and the images using that package.


Sept 24, 2019

New Trigger Parameters for CVSS Score

Image Vulnerabilities can now be evaluated against their CVSS (Common Vulnerabilities Scoring System) score. If a vulnerability is =, <;>, <=, or >= to a specific score, then the rule can trigger a warn/stop action.


Sept 18, 2019

Time Ranges Updated

The default time range options have been updated in Sysdig Secure.

The default time ranges are now set to:

  • 10 Minutes 

  • 30 Minutes

  • 1 HR

  • 6 HRs

  • 1 Day

  • 3 Days

To look at a custom window of time, use the manual time window.

Sysdig Secure Summary Dashboard in Sysdig Monitor

Sysdig Monitor includes default dashboards that provide metrics about number of agents installed, active policies, events that have occurred, and the policies that have triggered them. Use these dashboards to identify trends, report on coverage, or facilitate the tuning process.


Aug 12, 2019

Policy Editor

*Please upgrade to an agent version 0.92.0 or greater

This UX overhaul brings three major improvements for every Sysdig Secure user:

  • Runtime policies can import any number of security rules. You can scope the security policy using container, cloud and Kubernetes metadata.

  • Tighter Falco integration, directly from the web UI. You will be able to define a new trigger condition or append to the list of forbidden external IPs just clicking on the rule.

  • A more structured way to group, classify and lookup rules, following the standard Cloud native procedure: tags and labels.

Rules Library

Visualize your runtime rules properties in just a glance:

  • Where this rule comes from (Published By). The security team can instantly recognize whether a rule came from a specific Sysdig update, from a custom rules file created within the organization or from an external rules source (like the Falco community rules).

  • When was the last time it was updated (Last Updated). You can use this information to audit your rules or if you schedule periodic updates, to confirm when last happened.

  • Rule tags: An effective method for organizing your rules. You can use these tags to describe the targeted entity (host, k8s, process), the compliance standard it belongs to (MITRE, PCI, CIS Kubernetes) or any other criteria you want to use to annotate your rules.


Falco Lists

Easily browse, append, and re-use lists to create new rules. Lists can also be updated directly via API if users want to add existing feeds of malicious domains, or IPs.


Falco Macros

Easily browse, append, and re-use macros to create new rules.


Image Scanning - View Scan Results

Scan Results Page - The existing repositories page has been renamed "Scan Results" this page also includes new capabilities to filter based on where the images are deployed, and to easily browse/expand the different repositories to see the image:tag's that were evaluated and their results


Whitelist labels available in vulnerabilities view - If a vulnerability has been added to a whitelist then that status is reflected in the Vulnerability report within the scan results.


Image Scanning Reports


Please contact Sysdig Support to enable this feature

The reports feature allows users to query the contents of a scan against a static or run-time scope to generate a report that shows the risk, exposure, or components of an image.

Use cases could include:

  • A new CVE has been announced, let me find all the running images in my US East Cluster that are exposed to that CVE

  • Show me all images within my Google Container registry that have the tag prod and have a vulnerability with a fix that's more than 30 days old

  • Show me all images with a high severity vulnerability with a fix that are running in my billing namespace

Types of Scanning Reports

There are three types of queries in the image scanning Reports:

Vulnerability Query Type

This report returns rows of vulnerabilities mapped to packages within images in a static or run-time scope. In the example above we can see the two images that are actively running in my environment now that have the CVE - CVE-2017-8831

Package Query Type

This report shows all images actively running in my environment that have a version of the bash package. It also shows if multiple images are running the same package name & version and if there are any CVE's associated.

Policy Reports

Policy reports show all the policy evaluations that have occured, whether or not they passed or failed, and the reason why an image may have passed or failed. Reasons for passing or failing could be because of, whitelists, blacklists, or just a standard policy evaluation.

July 12, 2019

Minor Improvements

  • Compliance Dashboards in MonitorLink from Sysdig Secure now defaults to a 90-day view, to give users better visibility into how their posture is changing over time.

  • Image ScanningNegligible vulnerabilities are now also shown as part of the scan results summary.

June 27, 2019

Image Scanning: New Trigger Options

  • New Image Analyzed - Send notifications to different channels when images with a particular registry, repo, tag are scanned.

    • Some users implement these type of alerts for implementing workflows for image promotion, i.e.

      "Push an image from staging to prod registry after a webhook is sent that the image was scanned and it passed."

  • CVE Update - Be notified whenever a vulnerability is added, updated, or removed from an image within a registry.

Repository Alerts

Receive alerts about activity and changes that occur within your registry. See Manage Scanning Alerts.


Slack Notifications

Sample output of a CVE alert:


Sample output of an image-analyzed alert:



For earlier releases, please see Sysdig Secure SaaS Release Notes, here.