Sysdig Cloud Scanning leverages cloud audit logs such as AWS CloudTrail to detect container images that are pushed to your registries or used in cloud workloads. When a new image is detected, a scanning process can be started to analyze the image and report its vulnerabilities directly to Sysdig Secure.
The CloudScanning component can be configured by setting the following environment variables:
- SECURE_URL: must be set to a secure API endpoint.
- SECURE_API_TOKEN: must be set to a valid API token.
- LOG_LEVEL: Sets the log level (for example error). Defaults to info if not specified.
- VERIFY_SSL: Set to false to skip TLS verification of the Secure backend (i.e. on-prem with a certificate the container does not trust). With verification off, anyone who can intercept the connection can impersonate the backend and capture the API token, so prefer adding the backend's CA certificate to the container's trust store and leaving verification enabled.
- CODEBUILD_PROJECT: Name of the CodeBuild project that executes the inline scan.
- ECR_DEPLOYED: Set to true to enable ECR scanning.
- ECS_DEPLOYED: Set to true to enable ECS scanning.
AWS Single-account mode
When running CloudScanning in single-account mode, the role executing the task must itself have the required permissions in that account.
- SQS_QUEUE_URL: URL of the SQS queue where the CloudTrail notifications are published.
AWS Multi-account mode
When running CloudScanning in multi-account mode, each child account has an SQS queue following the naming convention given in SQS_QUEUE_NAME, and a role named ACCOUNT_ROLE exists in each child account that the executing task can assume, providing all the required permissions.
- ACCOUNTS_AND_REGIONS: List of child accounts and regions, in format
- ACCOUNT_ROLE: Role to assume on each child account, providing the required permissions.
- SQS_QUEUE_NAME: Use instead of SQS_QUEUE_URL to provide the name of the SQS queue, which must exist in every child account.
Google Cloud Platform
- GCP_PROJECT: Name of the GCP project
- GCR_DEPLOYED: Set to true to enable scanning of images pushed to Google Container Registry.
- GCR_PUBSUB_SUBSCRIPTION: Consume messages from this PubSub subscription. Subscription needs to be subscribed to topic
- CLOUDRUN_DEPLOYED: Set to true to enable scanning of images running in Google Cloud Run.
- AUDITLOG_INTERVAL: Audit log check interval. Cloud Run events are read from the Audit Log. Must be a valid Go duration expression (for example 30s or 5m). Defaults to
- SECURE_API_TOKEN_SECRET: name of the secret from SecretManager that stores the API Token.
- CLOUDBUILD_SERVICE_ACCOUNT: Name of the Service Account executing the CloudBuild project for performing the scanning.
- CLOUDBUILD_BUCKET: Name of the bucket to store CloudBuild execution logs
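The variables above interact: exactly one of SQS_QUEUE_URL (single-account) or SQS_QUEUE_NAME plus ACCOUNT_ROLE and ACCOUNTS_AND_REGIONS (multi-account) makes sense on AWS, the GCP switches need GCP_PROJECT and a subscription or interval, and VERIFY_SSL=false is a deliberate security trade-off. The following pre-flight check is an added example written for this page, not code from the Sysdig project: it validates an environment mapping against the rules stated on this page, flags the risky settings, and shows how one SQS_QUEUE_NAME resolves to a different queue URL in each child account. It assumes the standard SQS URL shape and a regex approximation of Go's duration syntax; it deliberately does not parse the ACCOUNTS_AND_REGIONS string, because its format is not given on this page, and the account IDs in the sample are placeholders.

```python
"""Pre-flight validation of CloudScanning environment variables (added example)."""
import re
from urllib.parse import urlparse

# Approximation of Go's time.ParseDuration grammar ("300ms", "1h30m", "5m").
# Assumption: AUDITLOG_INTERVAL accepts what that parser accepts.
_GO_DURATION = re.compile(r"^-?(\d+(\.\d*)?(ns|us|µs|ms|s|m|h))+$")
# Standard SQS queue URL shape (assumed): https://sqs.<region>.amazonaws.com/<account>/<name>
_SQS_URL = re.compile(r"^https://sqs\.([a-z0-9-]+)\.amazonaws\.com/(\d{12})/([A-Za-z0-9_-]+)$")


def is_go_duration(value: str) -> bool:
    return value == "0" or bool(_GO_DURATION.match(value))


def sqs_queue_url(region: str, account_id: str, queue_name: str) -> str:
    """URL of the queue called SQS_QUEUE_NAME inside one child account."""
    return f"https://sqs.{region}.amazonaws.com/{account_id}/{queue_name}"


def child_queue_urls(accounts_and_regions, queue_name):
    """Map already-split (account_id, region) pairs to the per-account queue URLs a
    multi-account deployment polls after assuming ACCOUNT_ROLE in each account."""
    return {f"{acct}/{region}": sqs_queue_url(region, acct, queue_name)
            for acct, region in accounts_and_regions}


def _flag(env, name):
    # The page documents the literal value "true" for the *_DEPLOYED switches.
    return env.get(name, "").strip().lower() == "true"


def validate(env):
    """Return (errors, warnings): errors mean the config is inconsistent,
    warnings mean it runs but with a security-relevant trade-off."""
    errors, warnings = [], []
    url = urlparse(env.get("SECURE_URL", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        errors.append("SECURE_URL must be an http(s) Secure API endpoint")
    elif url.scheme == "http":
        warnings.append("SECURE_URL is plaintext http: the API token is sent unencrypted")
    if not (env.get("SECURE_API_TOKEN") or env.get("SECURE_API_TOKEN_SECRET")):
        errors.append("set SECURE_API_TOKEN (or SECURE_API_TOKEN_SECRET on GCP)")
    if env.get("VERIFY_SSL", "").lower() == "false":
        warnings.append("VERIFY_SSL=false: backend certificate unchecked, token exposed to interception")

    aws = _flag(env, "ECR_DEPLOYED") or _flag(env, "ECS_DEPLOYED")
    gcp = _flag(env, "GCR_DEPLOYED") or _flag(env, "CLOUDRUN_DEPLOYED")
    if not (aws or gcp):
        errors.append("nothing to scan: no *_DEPLOYED switch is set to true")
    if aws:
        if not env.get("CODEBUILD_PROJECT"):
            errors.append("CODEBUILD_PROJECT is required for AWS scanning")
        single, multi = env.get("SQS_QUEUE_URL"), env.get("SQS_QUEUE_NAME")
        if bool(single) == bool(multi):
            errors.append("set exactly one of SQS_QUEUE_URL (single-account) or SQS_QUEUE_NAME (multi-account)")
        elif single and not _SQS_URL.match(single):
            errors.append("SQS_QUEUE_URL does not look like an SQS queue URL")
        elif multi:
            for name in ("ACCOUNT_ROLE", "ACCOUNTS_AND_REGIONS"):
                if not env.get(name):
                    errors.append(f"{name} is required in multi-account mode")
    if gcp:
        if not env.get("GCP_PROJECT"):
            errors.append("GCP_PROJECT is required for GCP scanning")
        if _flag(env, "GCR_DEPLOYED") and not env.get("GCR_PUBSUB_SUBSCRIPTION"):
            errors.append("GCR_PUBSUB_SUBSCRIPTION is required when GCR_DEPLOYED=true")
        interval = env.get("AUDITLOG_INTERVAL")
        if interval is not None and not is_go_duration(interval):
            errors.append("AUDITLOG_INTERVAL is not a valid Go duration (e.g. 5m)")
        for name in ("CLOUDBUILD_SERVICE_ACCOUNT", "CLOUDBUILD_BUCKET"):
            if not env.get(name):  # assumed needed for the CloudBuild-based scan
                warnings.append(f"{name} is unset; scanning via CloudBuild needs it")
    return errors, warnings


# Constructed sample: AWS multi-account deployment against an on-prem backend
# with TLS verification switched off. Values are placeholders, not real settings.
SAMPLE_ENV = {
    "SECURE_URL": "https://secure.example.internal",
    "SECURE_API_TOKEN": "<redacted>",
    "VERIFY_SSL": "false",
    "CODEBUILD_PROJECT": "cloudscanning-inline-scan",
    "ECR_DEPLOYED": "true",
    "ECS_DEPLOYED": "true",
    "SQS_QUEUE_NAME": "cloudscanning-cloudtrail",
    "ACCOUNT_ROLE": "CloudScanningChildRole",
    "ACCOUNTS_AND_REGIONS": "<in the format documented for the component>",
}

if __name__ == "__main__":
    errs, warns = validate(SAMPLE_ENV)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN:", w)
    print(child_queue_urls([("111111111111", "us-east-1"), ("222222222222", "eu-west-1")],
                           SAMPLE_ENV["SQS_QUEUE_NAME"]))
```

Running it against the sample reports no errors and a single warning about VERIFY_SSL; adding SQS_QUEUE_URL to the same environment turns it into an error, because the component would otherwise be configured for both modes at once.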