Rule Bundles

Rule Bundle Guidelines

• Default Sysdig rule bundles (indicated by the Sysdig shovel icon) cannot be deleted.

  • You can duplicate these default bundles to use as templates for new rule bundles.

• A single rule bundle can be assigned to multiple policies.

• The order of rules within a bundle does not impact how they are evaluated. You may reorder rules for clarity or personal preference in the UI.

• Multiple instances of the same rule type are allowed in a single rule bundle.

  • For example, you can add several rules of the type Vulnerabilities: Severities and Threats within one bundle.

• Conditions within a single rule are evaluated using AND logic.

  • A vulnerability must meet all specified conditions in a rule to be considered a violation.

• Rules within a rule bundle are evaluated using OR logic:

  • If any rule in the bundle is violated, the entire rule bundle is considered in violation.
  • If any rule bundle is in violation, the associated policy is considered failed.

Create a Rule Bundle

When creating a Rule Bundle, follow these steps to ensure all required items and options are addressed before being allowed to save the bundle.

Required Fields

Name: Specify a unique name to identify the rule bundle.

Description: Enter a brief description detailing the purpose or scope of the rule bundle.

Rules: Add one or more scanning rules to the bundle. Each rule is displayed as a “card” in the UI and can be created or configured using the visual editor.

Once defined, you can attach the rule bundle to Sysdig Vulnerability Management Policies

For available rules and configuration checks, see Vulnerability, Image Configuration and Image Content Rules.