Rule Bundles

Rule bundles are flexible, reusable building blocks designed to simplify Software Bill of Materials (SBOM) and Image Configuration management across your environments. Each bundle can be referenced by multiple vulnerability management policies, allowing you to define security controls once and apply them wherever needed. Rule bundles can include checks for vulnerabilities, image configurations, and image content, giving you fine-grained control and visibility across the entire lifecycle of your resources.

Rule Bundle Guidelines

  • Default Sysdig rule bundles (indicated by the Sysdig shovel icon) cannot be deleted.

    • You can duplicate these default bundles to use as templates for new rule bundles.

  • A single rule bundle can be assigned to multiple policies.

  • The order of rules within a bundle does not impact how they are evaluated. You may reorder rules for clarity or personal preference in the UI.

  • Multiple instances of the same rule type are allowed in a single rule bundle.

    • For example, you can add several rules of the type Vulnerabilities: Severities and Threats within one bundle.

  • Conditions within a single rule are evaluated using AND logic.

    • A vulnerability must meet all specified conditions in a rule to be considered a violation.

  • Rules within a rule bundle are evaluated using OR logic:

    • If any rule in the bundle is violated, the entire rule bundle is considered in violation.
    • If any rule bundle is in violation, the associated policy is considered failed.

Create a Rule Bundle

When creating a Rule Bundle, follow these steps to ensure all required items and options are addressed before being allowed to save the bundle.

  1. Log in to Sysdig Secure.

  2. Navigate to Policies > Vulnerabilities | Rule Bundles.

  3. Select Add Rule Bundle.

  4. Fill in the required fields:

    • Name: Specify a unique name to identify the rule bundle.
    • Description: Enter a brief description detailing the purpose or scope of the rule bundle.
    • Rules: Add one or more scanning rules to the bundle. Each rule is displayed as a “card” in the UI and can be created or configured using the visual editor.

  5. Select Save.

    The rule bundle is now defined.

Attach a Rule Bundle to a VM Policy

To attach a rule bundle to Sysdig Vulnerability Management Policies:

  1. Log in to Sysdig Secure.

  2. Select Policies > Vulnerabilities | Policies.

  3. Select an existing policy or create a new policy.

    The policy configuration page appears.

  4. In the Rules section, select a rule bundle from the drop-down.

  5. Complete the policy configuration and select Save.

Learn More

For available rules and configuration checks, see Vulnerability, Image Configuration and Image Content Rules.