Configuring Sysdig Image scans

To scan container images in icr.io and report on the vulnerabilities that are present in those images, you can use the Sysdig CLI scanner. The scan runs as part of the scan-artifact stage of CI and CC pipelines, once for each icr.io container image that you saved to the pipeline with the save_artifact method. For more information, see save_artifact.

The following keys are required on each save_artifact call so that the Sysdig scanner can scan the image:

  • type: must be set to image
  • name: the fully qualified name of the container image, that is, the name you would use to pull it with docker
  • digest: the sha256 digest of the container image
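As an added example (not IBM's pipeline code), the following POSIX shell functions check the three key values before they are handed to save_artifact; the digest pattern, the icr.io host check and the save_artifact invocation form are assumptions drawn from the key descriptions above.

```shell
# Added example, not IBM's pipeline code: validate the three key values that
# save_artifact needs (type, name, digest) before the scan-artifact stage can
# scan an icr.io image with the Sysdig CLI scanner. The digest pattern and the
# icr.io host check are assumptions drawn from the key descriptions above.

# validate_image_artifact TYPE NAME DIGEST
# Returns 0 when the values meet the documented requirements, otherwise prints
# the first problem found on stderr and returns 1.
validate_image_artifact() {
  atype="$1"; name="$2"; digest="$3"
  if [ "$atype" != "image" ]; then
    echo "type must be 'image' (got '$atype')" >&2; return 1
  fi
  # Fully qualified name: registry host, namespace and repository, e.g. us.icr.io/ns/app
  case "$name" in
    *icr.io/*/*) ;;
    *) echo "name must be a fully qualified icr.io image name (got '$name')" >&2; return 1 ;;
  esac
  # The digest must be the sha256 content digest, never a mutable tag
  if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "digest must look like sha256:<64 hex chars> (got '$digest')" >&2; return 1
  fi
  return 0
}

# split_image_ref NAME@sha256:DIGEST
# Prints "NAME DIGEST" so a digest-pinned reference (as printed by docker or
# ibmcloud cr) can be fed to the two separate save_artifact keys.
split_image_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*) printf '%s %s\n' "${ref%%@*}" "${ref#*@}" ;;
    *) echo "reference carries no @sha256 digest: $ref" >&2; return 1 ;;
  esac
}

# Demo with constructed values (the digest is a placeholder, not a real image).
DEMO_REF="us.icr.io/my-namespace/my-app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
set -- $(split_image_ref "$DEMO_REF")
if validate_image_artifact image "$1" "$2"; then
  # Assumed invocation form of the pipeline's save_artifact helper
  echo "would run: save_artifact my-app type=image name=$1 digest=$2"
fi
```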

The Sysdig script runs the Sysdig cli scanner in your DevSecOps pipeline and collects evidence that is based on the scan results.

The Sysdig CLI scanner scan runs for each image returned by the list_artifacts method over the saved artifacts. For more information, see list_artifacts. This scan runs as part of the scan-artifact stage of CI and CC pipelines.

The script runs the Sysdig CLI scanner image scan on the image and uploads the results to the Sysdig instance at the configured sysdig-url.

To create an instance of IBM Cloud® Security and Compliance Center Workload Protection in IBM Cloud®, see Provisioning an instance of Workload Protection.

Required Sysdig scan parameters

Table 1. Required Sysdig scan parameters

| Parameter name   | Description |
|------------------|-------------|
| sysdig-scan      | Set this parameter to the enum value 0 or 1. If the value is set to 1, the Sysdig scan is called. |
| sysdig-api-token | Set this parameter to a secret value that holds the Sysdig API token. The token is visible on the Sysdig instance's User Profile page. |

Optional Sysdig scan parameters

Table 2. Optional Sysdig scan parameters

| Parameter name      | Default value | Description |
|---------------------|---------------|-------------|
| sysdig-url          | https://us-south.security-compliance-secure.cloud.ibm.com (when the property is not set) | The URL of the Sysdig instance to be used for the scan. This value must be provided if any other Sysdig instance is being used. |
| cr-ibmcloud-api-key |               | Overrides ibmcloud-api-key, if provided, for pulling the image from the container registry for the Sysdig scan. |

The sysdig-url values to use with the IBM Cloud Workload Protection service are provided here. External Sysdig Secure instances, such as https://secure.sysdig.com, can also be used; in that case provide the matching sysdig-url value.

Evidence and attachments

The created evidence is based on the values in Table 3. The DevSecOps pipeline uploads the evidence to the evidence locker and includes it in the evidence summary for change requests.

Table 3. Evidence fields and values

| Field         | Value |
|---------------|-------|
| tool type     | sysdig |
| evidence type | com.ibm.code_vulnerability_scan |
| asset type    | artifact |
| attachments   | scan report generated by the Sysdig CLI scanner, in JSON |
| attachments   | processed scan report containing an array of vulnerabilities, with the ignored vulnerabilities filtered out, in JSON |

Debugging and logging

Table 4. Debug parameters

| Parameter name | Default value | Description |
|----------------|---------------|-------------|
| pipeline-debug | 0             | Debug flag: 0 off; 1 on |

Accessing your scan results

You can access your scan results by using any of the following methods:

  • Viewing them on the Sysdig dashboard. Open the Sysdig Secure dashboard and look for the image that was just scanned under Image Results.
  • Using the DevSecOps CLI to download your scan results from the evidence locker by using the information that is printed in the stage log. For more information, see the following resources: