Run Sysdig CLI Scanner in IaC Mode
Prerequisites
To include sysdig-cli-scanner in your IaC pipeline, run the sysdig-cli-scanner command.
Make sure the
sysdig-cli-scannerbinary is available as part of worker or runner where the pipeline is executing.Define a secret containing the API Token and make it available in the pipeline using a
SECURE_API_TOKENenvironment variable.Ensure that you have the Role-Based Access Control (RBAC) CLI execution permission for the CLI IaC Scanner.
Parameters
Basic usage of the sysdig-cli-scanner:
sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>
Mandatory Parameters
| Option | Description |
|---|---|
--iac | The first parameter of sysdig-cli-scanner must be --iac to enable the IaC scanning functionality. |
SECURE_API_TOKEN | Provide the API token as environment variable SECURE_API_TOKEN . You can retrieve this from Settings > User Profile in Sysdig Secure. |
--apiurl=<endpoint> | Sysdig Secure Endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI. |
Usage
sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>
Replace <PathsToScan> with the path to the directory containing the source code to scan. It can be an absolute or a relative path.
If ./ .
For example:
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --iac -r -f H --apiurl <sysdig-api-url> /home/user/a-git-repository /home/user/another-git-repository
Additional Parameters
To display a list of all available command line parameters:
-h, --help Show this help message
Example output:
Usage:
sysdig-cli-scanner --iac [OPTIONS] <PathsToScan>
Common Options:
-a, --apiurl string Secure API base URL
--console-log Force logs to console, mutually exclusive with --logfile
-o, --logfile string File destination for logs, mutually exclusive with --console-log
-l, --loglevel string Log level [trace|debug|info|warn|err|fatal|panic|disabled] (default "info")
--output-json string Output path of the scan result report in json format
-s, --skiptlsverify Skip TLS certificate verification
Help Options:
-h, --help Show this help message
IaC Scan Options:
--list-unsupported-resources Toggle output of detailed list of unsupported resources
-r, --recursive Scan folders for manifests recursively
-f, --severity-threshold string The minimum severity that will fail a scan [low|l|medium|m|high|h|never|n] (default "h")
--version Show the version and exit
Exit codes:
0: Scan evaluation "pass"
1: Scan evaluation "fail"
2: Invalid parameters
3: Internal error
CLI Scanner Exit Codes
Access the container exit codes with -h
The codes are:
0: Scan success. No findings or all findings are below the fail threshold1:Scan failed. One or more findings are equal or above the fail threshold.2: Incorrect parameters. Implies no API token is given.3: Other execution errors.
Sample Result in Terminal
You can view scan results in the terminal window :
$ sysdig-cli-scanner --iac -r -f H --apiurl=https://us2.app.sysdig.com /home/user/a-git-repository /home/user/another-git-repository
Summary
β------
Detected 1 modules/manifests in 1 folders
2 resources scrapped
3 unsupported resources (use βlist-unsupported-resources for details)
Findings:
π΄ 13 High
π 17 Medium
π‘ 18 Low
Errors
------
- /.github/workflows/approve-test-run.yaml: Object 'Kind' is missing in '{"jobs":{"approve-test-run":{"if":"${{ github.event.issue.pull_request }}","permissions":{"pull-requests":"write"},"runs-on":"ubuntu-latest","steps":[{"name":"Slash Command Dispatch","uses":"peter-evans/slash-command-dispatch@v3","with":{"commands":"approve-test-run","issue-type":"pull-request","permission":"write","reaction-token":"${{ secrets.GITHUB_TOKEN }}","token":"${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}"}}]}},"name":"Approve Test Run","true":{"issue_comment":{"types":["created"]}}}'.
...
- <Path> - <Details>
Details
β------
Container permitting root | π‘ Low | 2 Occurrences
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
| RESOURCE | KIND | RESOURCE LOCATION | SOURCE |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | runAsNonRoot in container harbor-scanner-sysdig-secure | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge | Deployment | runAsNonRoot in container stackdriver-webhook-bridge | /charts/sysdig-stackdriver-bridge |
+-------------------------------------------+------------+--------------------------------------------------------+--------------------------------------+
Workload container default RunAsGroup root | π Medium | 2 Occurrences
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
| RESOURCE | KIND | RESOURCE LOCATION | SOURCE |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
| release-name-harbor-scanner-sysdig-secure | Deployment | `runAsGroup` in workload | /charts/harbor-scanner-sysdig-secure |
| release-name-sysdig-stackdriver-bridge | Deployment | `runAsGroup` in workload | /charts/sysdig-stackdriver-bridge |
+-------------------------------------------+------------+----------------------------------------------------+--------------------------------------+
Workload without ServiceAccount | π΄ High | 1 Occurrences
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
| RESOURCE | KIND | RESOURCE LOCATION | SOURCE |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
| release-name-sysdig-stackdriver-bridge | Deployment | `serviceAccountName` in workload | /charts/sysdig-stackdriver-bridge |
+----------------------------------------+------------+----------------------------------------------------+-----------------------------------+
...
IaC Scan SUCCESS at 2024-01-04 13:19:37.702567 -0500 EST m=+0.100174543
OK: scan complete
Scan errors
Errors that are not critical are the errors that are collected during the scan and are present in our existing scan summary model, defined per resource. They shouldn’t fail the scan execution or alter the Exit Code. Therefore, Exit Code will remain 0 or 1 in the presence of non-critical errors.
The non-critical errors are displayed in the output and as part of the JSON.
Integrations
Jenkins
You can integrate the Sysdig CLI Scanner as a Jenkins step. Once imported from the URL, you can add it to your project.
Create the Project or use an existing one:
Chose
Sysdig Secure Code Scanas the build step:
Configure the operation:
Option Description Sysdig Secure Engine URLThe Sysdig Secure endpoint. In SaaS, this value is region-dependent and is auto-completed on the Get Started page in the UI. SECURE_API_TOKENProvide your API token. You can retrieve this from Settings > User Profile in Sysdig Secure. PathThe path to the directory containing the source code to scan. It can be an absolute or a relative path. Configure the
Advancedparameters:Option Description List Unsupported ResourcesToggle output of detailed list of unsupported resources. RecursiveScan folders for manifests recursively. Choose Severity ThresholdThe minimum severity that will fail a scan: Low | Medium | High | Never. The default is High. VersionThe CLI Scanner version to use. The default is latest.Run your Project:
β Once you run the Project, the generated output will be identical to the output produced when running the CLI Scanner as a standalone application.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.