Build a Custom Container for Sysdig CLI Scanner

This topic helps you build a custom container image for the Sysdig CLI Scanner using a multistage Dockerfile. You set up the necessary dependencies, build the image using Docker Buildx, and run vulnerability scans in a CI/CD pipeline.


Prerequisites

Before building the custom container image, ensure you have the following:

  • Docker installed
  • An internet connection to download required dependencies
  • A valid Sysdig Secure API token

Dockerfile Example

Use the sample file given below to build your own custom container. You can use this container image in various CI/CD scenarios, including Jenkins, AWS CodeBuild, and CircleCI. This multistage Dockerfile adds the most recent Sysdig CLI Scanner binary to a BusyBox base image. The first stage performs the following operations:

  • Copies the CA certificates required by the scanner binary. The certificates are needed to validate the HTTPS connections over which the image vulnerability database is downloaded.
  • Downloads the most recent scanner binary, which is then copied into the final image layer.

# Stage 1: fetch the CA bundle and the latest scanner binary
FROM alpine AS certs
RUN apk update && apk add ca-certificates curl

# latest_version.txt resolves the current release; curl -LO saves the binary in / (the default working directory)
RUN curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" \
    && chmod +x ./sysdig-cli-scanner

# Stage 2: minimal runtime image containing only the CA bundle and the scanner
FROM busybox
COPY --from=certs /etc/ssl/certs /etc/ssl/certs
COPY --from=certs /sysdig-cli-scanner /

ENTRYPOINT ["/sysdig-cli-scanner"]

You can use any Linux base image as long as it is available for the linux/amd64 (x86_64) architecture, because the scanner binary downloaded above is the linux/amd64 build.

Build the Image

Use the following command to build the Docker image using Docker Buildx:

docker buildx build --platform linux/amd64 -t sysdig-image-scanner .

For more information on Docker Buildx, see Docker Build.

Run the Image

You can run the built image using a command similar to the following. The API token is passed into the container through the SECURE_API_TOKEN environment variable rather than as a command-line argument, and the --apiurl flag points the scanner at your Sysdig Secure endpoint:

SECURE_API_TOKEN="Your API Token here"
docker run -e SECURE_API_TOKEN="$SECURE_API_TOKEN" \
    sysdig-image-scanner:latest \
    --apiurl=<Sysdig URL> \
    birdyman/log4j2-demo:1.0.0-12

See Sysdig CLI Scanning for information on additional flags.
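The following POSIX shell wrapper shows how the build-and-run steps above are typically wired into a CI/CD job. It is an added example, not part of Sysdig's documentation or tooling. It assumes the image was built as sysdig-image-scanner:latest with the Dockerfile above, that the CI system supplies SECURE_API_TOKEN and SYSDIG_API_URL as secret or environment variables, and that the scanner exits 0 when the scan passes policy evaluation, 1 when it fails, and another non-zero code on errors (an assumption about the scanner's exit codes; check the Sysdig CLI Scanning reference for your version). DRY_RUN=1 prints the command without invoking Docker, which is also how the offline check below exercises it.

```shell
#!/bin/sh
# CI wrapper for the custom Sysdig CLI Scanner container (added example).
# Assumed contract: SECURE_API_TOKEN and SYSDIG_API_URL come from the CI
# secret store; the image sysdig-image-scanner:latest exists locally.
set -u

# Fail fast, before any network call, if the job is misconfigured.
# The token value itself is never printed.
validate_scan_env() {
    if [ -z "${SECURE_API_TOKEN:-}" ]; then
        echo "SECURE_API_TOKEN is not set" >&2
        return 1
    fi
    case "${SYSDIG_API_URL:-}" in
        https://*) ;;
        *) echo "SYSDIG_API_URL must be an https:// URL" >&2; return 1 ;;
    esac
    return 0
}

# Render the docker command line for the job log. Passing "-e SECURE_API_TOKEN"
# with no value tells docker to copy the variable from the environment, so the
# token does not appear on the command line or in the log.
scan_command() {
    image="$1"
    printf 'docker run --rm -e SECURE_API_TOKEN sysdig-image-scanner:latest --apiurl=%s %s\n' \
        "$SYSDIG_API_URL" "$image"
}

# Scan one image and translate the scanner's exit status into a job result.
# Returns 2 for configuration errors, 0 on pass, 1 on policy failure,
# and the scanner's own code for anything else.
run_scan() {
    image="$1"
    validate_scan_env || return 2
    echo "+ $(scan_command "$image")"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    if docker run --rm -e SECURE_API_TOKEN sysdig-image-scanner:latest \
        --apiurl="$SYSDIG_API_URL" "$image"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo "scan passed: $image" ;;
        1) echo "scan failed policy evaluation: $image" >&2 ;;
        *) echo "scanner error (exit $rc): $image" >&2 ;;
    esac
    return "$rc"
}

# Usage from a pipeline step: run_scan "$IMAGE_UNDER_TEST" || exit 1
```

Calling run_scan with `|| exit 1` makes the pipeline step fail both on a policy failure and on a scanner error, so a broken scan cannot silently pass a build; if you want errors (exit code 2 or higher) handled differently from policy failures, branch on the return value instead.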

Additional Resources

For more details on Docker CI/CD pipeline integration, see Docker CI/CD documentation.