Risk Acceptance for Vulnerabilities
Prerequisites
Accept Risk requires Sysdig Secure to be installed with:
- sysdig-deploy Helm chart version 1.5.0+
- cluster-shield: latest version
- sysdig-cli-scanner version 1.3.0+
Because Accept Risk applies to both pipeline and runtime vulnerability results alike, both components must meet their minimum version.
If the minimum enablement requirements are not met, the Accept Risk button and panel still appear in the interface, but the acceptance never takes effect: it shows in Pending status for about 20 minutes and then disappears as if it had never been created. Verify the versions below before relying on an acceptance.
Check Your Versions
Check sysdig-deploy
Helm Chart: Must be 1.5.0+
helm list -n <namespace>
(default namespace is sysdig-agent)
Example:
$ helm list -n sysdig-agent
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
sysdig-agent sysdig-agent 5 2022-11-11 17:57:54.109917081 +0100 CET deployed sysdig-deploy-1.5.0
Check CLI Scanner: must be 1.3.0+.
./sysdig-cli-scanner --version
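The two checks above are easy to get wrong by eye (a plain string comparison ranks 1.10.0 below 1.5.0). The following script is an added example, not Sysdig tooling: it parses the chart version out of the helm list line and the scanner version out of the --version output, and compares each field numerically against the minimums. The assumption that sysdig-cli-scanner --version prints a dotted version somewhere in its output is mine; the sample helm output is constructed from the listing shown above.

```shell
#!/bin/sh
# Added example (not Sysdig's own tooling): verify that the installed
# sysdig-deploy chart and sysdig-cli-scanner meet the Accept Risk minimums.

MIN_CHART=1.5.0
MIN_SCANNER=1.3.0

# version_ge A B: succeed if dotted version A >= B.
# Each numeric field is compared on its own, so 1.10.0 >= 1.5.0 holds;
# missing fields (e.g. "1.5") count as 0.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# chart_version: read `helm list` output on stdin and print the version
# suffix of the sysdig-deploy chart, e.g. "sysdig-deploy-1.5.0" -> "1.5.0".
chart_version() {
  sed -n 's/.*sysdig-deploy-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# first_version: print the first dotted numeric version found on stdin.
# Assumption: `sysdig-cli-scanner --version` prints its version in that form.
first_version() {
  sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# check_minimums CHART_VER SCANNER_VER: report each component and succeed
# only if both meet the minimum, so the script can gate a pipeline step.
check_minimums() {
  ok=0
  if version_ge "$1" "$MIN_CHART"; then
    echo "sysdig-deploy $1: OK (>= $MIN_CHART)"
  else
    echo "sysdig-deploy $1: TOO OLD (need >= $MIN_CHART)"; ok=1
  fi
  if version_ge "$2" "$MIN_SCANNER"; then
    echo "sysdig-cli-scanner $2: OK (>= $MIN_SCANNER)"
  else
    echo "sysdig-cli-scanner $2: TOO OLD (need >= $MIN_SCANNER)"; ok=1
  fi
  return "$ok"
}

# live_check [NAMESPACE]: run the real commands. Needs helm with cluster
# access and the scanner binary in the current directory. Not run by default.
live_check() {
  ns=${1:-sysdig-agent}
  chart=$(helm list -n "$ns" | chart_version)
  scanner=$(./sysdig-cli-scanner --version 2>&1 | first_version)
  check_minimums "${chart:-0}" "${scanner:-0}"
}

# Constructed sample, copied from the helm listing above, so the parsing can
# be exercised offline.
SAMPLE_HELM='NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
sysdig-agent sysdig-agent 5 2022-11-11 17:57:54.109917081 +0100 CET deployed sysdig-deploy-1.5.0'

# Offline demonstration on the sample (scanner version supplied by hand).
check_minimums "$(printf '%s\n' "$SAMPLE_HELM" | chart_version)" 1.3.0
```

Against a real cluster, call live_check with your namespace (default sysdig-agent) and use its exit status: a non-zero result means an Accept Risk created now would sit in Pending and then vanish, so fix the versions first.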
Access Risk Acceptance for Vulnerabilities
To access Risk Acceptance for vulnerabilities:
Log in to Sysdig Secure.
Select Vulnerabilities > Accepted Risk.
Alternatively, select Risk > Accepted Risk, and switch to the Vulnerabilities tab.
The Vulnerabilities tab on the Accepted Risk page appears.
Filter Accepted Vulnerability Risks
You can search and filter accepted risks for vulnerabilities in the Vulnerabilities tab on the Accepted Risk page.
You can filter:
- By entity:
- Vulnerabilities
- Image name
- Host name
- Policy rule
- By acceptance reason:
- Risk Avoided
- Risk Mitigated
- Risk Not Relevant
- Risk Owned
- Risk Transferred
- Custom
- By status: active or expired.
Edit or Revoke an Accepted Risk
From the Vulnerabilities tab on the Accepted Risk page, you can edit or revoke an accepted risk:
Select an accepted risk.
The Risk Acceptance Details drawer appears.
Here you can see when and why the risk was accepted, by whom, and the general context of the vulnerability.
To revoke the accepted risk, select Revoke Acceptance.
To edit the accepted risk, select the edit (pencil) icon.
When to Use
When faced with a large number of reported vulnerabilities, organizations need to know which are the most relevant to their security posture. Sysdig already highlights critical vulnerabilities that have a fix available, and vulnerabilities in images that are actually in use.
Accept Risk adds the targeted ability to accept the risk of a specific vulnerability so that it no longer counts towards a policy violation, for example, when:
- An internal security team has analyzed the vulnerability and declared it a false positive
- The preconditions of the vulnerability don’t apply
- Deployment in production is required and it is reasonable to postpone the fix
What Types of Risk
You can accept risk for different entities:
- Individual CVE IDs
- Assets:
  - Container images
  - Hosts
Accepting risk in the context of vulnerability management applies an exception to the Vulnerability policy. Accepting a CVE does not make the CVE disappear: it still shows in the list, but the policy violation associated with that CVE is voided.
When accepting risks it is important to:
- Be careful with the scope or context of the acceptance; overly broad exceptions create false negatives.
  - Sysdig offers several scoping options for the acceptances you create.
- Remain aware of what is accepted so it doesn't become a visibility gap.
  - The Sysdig UI presents clear indications of what is accepted and why.