Risk Acceptance for Vulnerabilities

You can choose to accept the risk of a detected vulnerability or asset. Accept Risk is available for both Runtime and Pipeline, and for specific CVEs or specified hosts or images.

Prerequisites

Accept Risk requires Sysdig Secure to be installed with:

sysdig-deploy Helm chart version 1.5.0+
cluster-shield latest versions
sysdig-cli-scanner version 1.13.0+

Because Accept Risk is applied to both pipeline and runtime vulnerability results impartially, the required versions of both components are required.

If the minimum enablement requirements are not met, the Accept Risk button and panel will show in your interface, but will not activate. The created Acceptance will appear in Pending status for 20 minutes, then disappear as if you had never created it.

Check Your Versions

Check sysdig-deploy Helm Chart: Must be 1.5.0+

helm list -n <namespace> (default namespace is sysdig-agent)

Example:

$ helm list -n sysdig-agent
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
sysdig-agent    sysdig-agent    5               2022-11-11 17:57:54.109917081 +0100 CET deployed        sysdig-deploy-1.5.0

Upgrade Helm Chart.

Check Cli Scanner: must be 1.3.0+.

./sysdig-cli-scanner --version

Upgrade CLI Scanner

Access Risk Acceptance for Vulnerabilities

To access Risk Acceptance for vulnerabilities:

Log in to Sysdig Secure.
Select Vulnerabilities > Accepted Risk.
Alternatively, select Risk > Accepted Risk, and switch to the Vulnerabilities tab.

The Vulnerabilities tab on the Accepted Risk page appears.

Filter Accepted Vulnerability Risks

You can search and filter accepted risks for vulnerabilities in the Vulnerabilities tab on the Accepted Risk page.

You can filter:

By entity:
- Vulnerabilities
- Image name
- Host name
- Policy rule
By acceptance reason:
- Risk Avoided
- Risk Mitigated
- Risk Not Relevant
- Risk Owned
- Risk Transferred
- Custom
By expired or active.

Edit or Revoke an Accepted Risk

From the Vulnerabilities tab on the Accepted Risk page, you can edit or revoke an accepted risk:

Select an accepted risk.
The Risk Acceptance Details drawer appears.
Here, you can see when, and why the risk was accepted, as well as by whom, and the general context of the vulnerability.
To revoke the accepted risk, select Revoke Acceptance.
To edit the accepted risk, select the edit (pencil) icon.

When to Use

When faced with a large number of reported vulnerabilities, organizations need to know which are the most relevant for their security posture. Sysdig already highlights critical vulnerability with a fix available, and vulnerabilities that occur in images actually in use.

An additional feature is the targeted ability to accept the risk of a vulnerability and not count it towards a policy violation, for example, when:

An internal security team has analyzed the vulnerability and declared it a false positive
The preconditions of the vulnerability don’t apply
Deployment in production is required and it is reasonable to postpone the fix

What Types of Risk

You can accept risk for different entities:

Individual CVE IDs
Assets
- Container images
- Hosts

Accepting Risk in the context of vulnerability management applies an exception to the Vulnerability policy. Adding an accept to a CVE doesn’t make the CVE disappear. It still shows in the list, but voids the policy violation associated with that CVE.

When accepting risks it is important to:

Be careful with the accept scope or context; overly broad exceptions can create false negatives.
- Sysdig offers several scoping options for the accepts created.
Remain aware of what is accepted so it doesn’t become a visibility gap.
The Sysdig UI presents clear indications of what is accepted and why.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.