Install Sysdig CLI Scanner for Pipeline Scanning

The Sysdig Vulnerability CLI Scanner, sysdig-cli-scanner, is a versatile tool designed to manually scan container images and directories, whether they are located locally or remotely. Depending on your specific use case, you have the flexibility to execute sysdig-cli-scanner in Vulnerability Management (VM) mode for image scanning or Infrastructure as Code (IaC) mode for scanning directories

Deployment

The sysdig-cli-scanner is a binary you can download and execute locally on your computer or environment.

  1. Download latest version of sysdig-cli-scanner with:

  • Linux:

    Intel Processor (AMD64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner"

    ARM Processor (ARM64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner"

  • MacOS:

    Intel Processor (AMD64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/darwin/amd64/sysdig-cli-scanner"

    Apple Silicon (M1, M2) Processor (ARM64)

    curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/darwin/arm64/sysdig-cli-scanner"

Optionally, you can check the sha256sum as:

  • Linux:

    Intel Processor (AMD64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner.sha256")

    ARM Processor (ARM64)

    sha256sum -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/arm64/sysdig-cli-scanner.sha256")

  • MacOS:

    Intel Processor (AMD64)

    shasum -a 256 -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/darwin/amd64/sysdig-cli-scanner.sha256")

    Apple Silicon (M1, M2) Processor (ARM64)

    shasum -a 256 -c <(curl -sL "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/darwin/arm64/sysdig-cli-scanner.sha256")

  1. Set the executable flag on the file:

    chmod +x ./sysdig-cli-scanner

    You only need to download and set executable once. Then:

  2. You can scan images or IaC resources by running the sysdig-cli-scanner command:

    For VM mode:

    SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> <image-name>

    For IaC mode:

    SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --iac --apiurl <sysdig-api-url> <PathsToScan>

Next Steps

Continue with one of the following: