Sysdig has an integrated solution for both (Linux) host and container vulnerabilities that scans for known CVEs in your pipelines, your registries and at runtime. And when we do it at runtime, the added context we bring really helps you route and prioritise things!
To explore Sysdig's runtime vulnerability scanning:
- Go to the Sysdig browser tab and go to Vulnerabilities on the left and then Runtime under Findings.
- This is a list of all the containers that have run in your environment within the last 15 minutes, as well as all the hosts/Nodes our agent is installed on.
- It is automatically sorted by severity for you, so the container image on top is the most important to fix (based on the quantity and severity of the In Use vulnerabilities).
- Click on the top container/vulnerability and examine the detail view that opens. You'll see:
  - Click the Vulnerabilities tab; this is a list of all of the vulnerabilities we found in the image.
  - Click on one of the CVEs and note the details on where we learned about this vulnerability and any fixes or known exploits we know of for it.
  - Close that vulnerability detail pane.
  - Click on the In Use filter button; this excludes all the vulnerabilities in packages we have never seen run (and which are therefore much less likely to be exploitable).
  - Click on the Has fix button; this excludes the vulnerabilities that do not yet have a new version with a fix available (and which your team therefore can't patch yet).
To scan container images for vulnerabilities before they hit a registry, much less a running environment, we have our command-line scanning tool. This can be run anywhere from a developer laptop to a pipeline. If a scan fails (and it is configurable by granular policies under what conditions it'll pass vs. fail) our return code will be non-zero so your pipeline can, in turn, fail that stage until it is fixed.
Here are the instructions for how to install and run our vulnerability CLI scanner - https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-vulnerability-cli-scanner/.
We have already installed it on your jumpbox for you. You can run a scan of the image logstash:7.16.1, which is an image that has Log4J in it, by running the following commands:

```
sudo bash; cd ~
~/sysdig-cli-scanner -a $SYSDIG_SECURE_URL logstash:7.16.1
```
Not only do you get that output into your build logs for the pipeline stage, but you can also explore the results in the Sysdig SaaS UI by following the link listed in the output or by going to Vulnerabilities -> Pipeline in the UI. Note that these results are missing the runtime context: the image was scanned in a pipeline, so we don't yet know where, or whether, it will run.
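As an added example (not part of the Sysdig docs or workshop), here is a small pipeline-stage wrapper that applies the exit-code behaviour described above across a list of images and fails the stage if any of them fail policy. It assumes the scanner binary lives at `~/sysdig-cli-scanner` (override with `SCANNER`) and that `SYSDIG_SECURE_URL` is set in the pipeline environment.

```shell
#!/usr/bin/env bash
# Added example, not Sysdig's own code. Assumptions: SCANNER is the path to the
# Sysdig CLI scanner binary and SYSDIG_SECURE_URL is exported by the pipeline.
SCANNER="${SCANNER:-$HOME/sysdig-cli-scanner}"

# scan_images IMAGE...
# Scans each image in turn. The scanner exits 0 when the image passes the
# configured policies and non-zero when it fails, so we count failures and
# return non-zero if any image failed, which fails the pipeline stage.
scan_images() {
  failed=0
  total=$#
  if [ -z "${SYSDIG_SECURE_URL:-}" ]; then
    echo "scan_images: SYSDIG_SECURE_URL is not set" >&2
    return 2
  fi
  for image in "$@"; do
    echo "== scanning $image"
    # Capture the exit code without tripping 'set -e' in strict pipelines.
    "$SCANNER" -a "$SYSDIG_SECURE_URL" "$image" && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
      echo "!! $image failed the vulnerability policy (exit code $rc)" >&2
      failed=$((failed + 1))
    fi
  done
  echo "$failed of $total image(s) failed"
  [ "$failed" -eq 0 ]
}

# Usage in a pipeline stage (uncomment):
# scan_images logstash:7.16.1 myapp:1.2.3 || exit 1
```

Because only `scan_images` returns non-zero, the same script can run unchanged on a developer laptop to check an image before pushing it.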
We also have the capability to scan images in your registries - but we won't explore that in this workshop.