Legacy Scanner engine vs Vulnerability Management engine
As of April 20, 2022, Sysdig offers both a Legacy Scanner engine and the newer Vulnerability Management engine. See the official documentation to find out which engine is enabled in your account.
- Vulnerability Management engine common scenarios & recipes
- Legacy Scanner engine common scenarios & recipes
- Other integrations and examples
- Other sources of information
- Contributing
Vulnerability Management engine common scenarios & recipes
Download the sysdig-cli-scanner
Linux or MacOS:
curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/$(uname -s | tr '[:upper:]' '[:lower:]')/amd64/sysdig-cli-scanner"
Set the executable flag on the file:
chmod +x ./sysdig-cli-scanner
You only need to download the binary and set the executable flag once. After that, scan images by running the sysdig-cli-scanner command:
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> <image-name>
Scan local image, built using docker
# Build the image locally
docker build -t <image-name> .
# Scan the image, available on local docker
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> docker://<image-name>
Local image (provided docker archive)
Assuming the image <image-name> is available as an image tarball at image.tar. For example, the command docker save <image-name> -o image.tar creates a tarball for <image-name>.
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> file://tmp/image.tar
Public registry image
Example: scan the alpine image from a public registry. The scanner will pull and scan it.
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> pull://alpine
Private registry image
To scan images from private registries, you might need to provide credentials:
$ REGISTRY_USER=<YOUR_REGISTRY_USERNAME> REGISTRY_PASSWORD=<YOUR_REGISTRY_PASSWORD> SECURE_API_TOKEN=<YOUR_API_TOKEN> ./sysdig-cli-scanner --apiurl https://secure.sysdig.com ${REPO_NAME}/${IMAGE_NAME}
Containers-storage (cri-o, podman, buildah and others)
Scan images from container runtimes using containers-storage format:
# Build an image using buildah from a Dockerfile
buildah build-using-dockerfile -t myimage:latest
# Scan the image
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> crio://localhost/myimage:latest
Example for an image pulled with podman
podman pull docker.io/library/alpine
# Scan the image
SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> podman://docker.io/library/alpine
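The recipes above each scan a single image source. The following helper, an added example that is not part of the Sysdig repository, wraps them into one CI step that scans a list of "<kind> <ref>" lines and fails the job if any scan fails. It assumes the scanner binary is already downloaded and executable (SCANNER defaults to ./sysdig-cli-scanner, SYSDIG_API_URL to https://secure.sysdig.com) and that SECURE_API_TOKEN is supplied through the environment rather than a command-line flag, so the token does not show up in the process list or shell history.

```shell
#!/bin/sh
# Added example (not from the Sysdig repository): scan several image sources
# with sysdig-cli-scanner in one CI step. SCANNER and SYSDIG_API_URL are
# assumed names; SECURE_API_TOKEN is the variable the scanner itself reads.
set -u

SCANNER="${SCANNER:-./sysdig-cli-scanner}"
SYSDIG_API_URL="${SYSDIG_API_URL:-https://secure.sysdig.com}"

# Map a source kind to the URI scheme the scanner expects. The kinds mirror the
# recipes above: docker (local daemon), file (tarball), pull (registry),
# podman and crio (containers-storage). Unknown kinds are rejected.
scan_uri() {
  kind="$1"; ref="$2"
  case "$kind" in
    docker|file|pull|podman|crio) printf '%s://%s\n' "$kind" "$ref" ;;
    *) echo "unknown source kind: $kind" >&2; return 2 ;;
  esac
}

# Read "<kind> <ref>" lines from stdin and scan each one. Failures are
# reported and counted; the function returns 0 only if every scan passed,
# so a CI step calling it fails the job on any policy failure or scanner error.
scan_all() {
  : "${SECURE_API_TOKEN:?SECURE_API_TOKEN must be set}"
  export SECURE_API_TOKEN   # the scanner reads the token from the environment
  failed=0
  while read -r kind ref; do
    [ -z "$kind" ] && continue
    if ! uri=$(scan_uri "$kind" "$ref"); then
      failed=$((failed + 1)); continue
    fi
    # </dev/null keeps the scanner from consuming the rest of the image list.
    "$SCANNER" --apiurl "$SYSDIG_API_URL" "$uri" </dev/null && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
      echo "PASS $uri"
    else
      echo "FAIL $uri (scanner exit code $rc)" >&2
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}

# Usage: printf 'docker myimage:1.0\npull alpine\n' | sh scan-images.sh --run
if [ "${1:-}" = "--run" ]; then scan_all; fi
```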
Legacy Scanner engine common scenarios & recipes
Scan local image, built using docker
# Build the image locally
docker build -t <image-name> .
# Scan the image, available on local docker. Mounting the docker socket is required
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-url <omitted> \
--sysdig-token <omitted> \
--storage-type docker-daemon \
--storage-path /var/run/docker.sock \
<image-name>
Local image (provided docker archive)
Assuming the image <image-name> is available as an image tarball at image.tar. For example, the command docker save <image-name> -o image.tar creates a tarball for <image-name>.
docker run --rm \
-v ${PWD}/image.tar:/tmp/image.tar \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-url <omitted> \
--sysdig-token <omitted> \
--storage-type docker-archive \
--storage-path /tmp/image.tar \
<image-name>
Public registry image
Example: scan the alpine image from a public registry. The scanner will pull and scan it.
docker run --rm \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-url <omitted> \
--sysdig-token <omitted> \
alpine
Private registry image
To scan images from private registries, you might need to provide credentials:
docker run --rm \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-url <omitted> \
--sysdig-token <omitted> \
--registry-auth-basic <user:passw> \
<image-name>
Authentication methods available are:
- --registry-auth-basic for authenticating via HTTP basic auth
- --registry-auth-file for authenticating via a docker/skopeo credentials file
- --registry-auth-token for authenticating via a registry token
Containers-storage (cri-o, podman, buildah and others)
Scan images from container runtimes using containers-storage format:
# Build an image using buildah from a Dockerfile
buildah build-using-dockerfile -t myimage:latest
# Scan the image. Options '-u root' and '--privileged' might be needed depending
# on the access permissions for /var/lib/containers
docker run \
-u root --privileged \
-v /var/lib/containers:/var/lib/containers \
quay.io/sysdig/secure-inline-scan:2 \
--storage-type cri-o \
--sysdig-token <omitted> \
localhost/myimage:latest
Example for an image pulled with podman
podman pull docker.io/library/alpine
# Scan the image. Options '-u root' and '--privileged' might be needed depending
# on the access permissions for /var/lib/containers
docker run \
-u root --privileged \
-v /var/lib/containers:/var/lib/containers \
quay.io/sysdig/secure-inline-scan:2 \
--storage-type cri-o \
--sysdig-token <omitted> \
docker.io/library/alpine
Using a proxy
To use a proxy, set the standard http_proxy and https_proxy variables when running the container.
Example:
docker run --rm \
-e http_proxy="http://my-proxy:3128" \
-e https_proxy="http://my-proxy:3128" \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-url <omitted> \
--sysdig-token <omitted> \
alpine
Both the http_proxy and https_proxy variables are required, as some of the tools involved use a per-scheme proxy. The no_proxy variable can be used to define a list of hosts that don't use the proxy.
Other integrations and examples
In this repository you can find the following examples in alphabetical order:
Vulnerability Management Engine (new scan engine)
Legacy Scanner Engine (old scan engine)
Other sources of information
Integrations
These integrations have a specific entry in their respective CI/CD catalogs:
Documentation pages
Blog articles
Blog articles contain detailed step-by-step information, but may be out of date with respect to the current implementations:
- Image scanning for Google Cloud Build
- 2020-10-06 - Automate Fargate image scanning
- 2020-09-29 - Automate registry scanning with Harbor & Sysdig
- 2020-08-11 - 12 Container image scanning best practices to adopt in production
- 2020-07-21 - Shielding your Kubernetes runtime with image scanning on admission controller
- 2021-02-18 - Securing Tekton pipelines in OpenShift with Sysdig
- 2020-04-09 - Image scanning for CircleCI
- 2020-02-20 - Image scanning for Gitlab CI/CD
- 2022-10-12 - Image Scanning with Github Actions
- 2022-09-26 - AWS ECR Scanning with Sysdig Secure
- 2021-11-23 - Inline Image Scanning for AWS CodePipeline and AWS CodeBuild
- 2019-11-26 - Image scanning for Azure Pipelines
- 2022-09-19 - Container Image Scanning on Jenkins with Sysdig
- 2022-10-26
Contributing
If you find that a related topic lacks enough information, or a problem with any of the existing examples, please file an issue in this repository. Pull requests to amend any existing information or examples are also welcome.