Image vulnerability scanning is a critical first line of defense for security with containers and Kubernetes. Today, Red Hat recognized Sysdig as a certified Red Hat security partner based on our work to standardize on Red Hat’s published security data with Sysdig Secure.
With this Red Hat Vulnerability Scanner Certification, achieved through collaboration with the team at Red Hat, Sysdig can provide more consistency for container vulnerability scanning results with Red Hat-published images and related packages. As a result, mutual customers benefit from a higher level of accuracy, transparency, and trust in detecting Common Vulnerabilities and Exposures (CVEs).
Driving consistency for scan results
Modern application development, built on CI/CD pipelines, containers, and open source, moves at a fast pace. There is an inherent security risk as organizations assemble code to save time, instead of writing from scratch. Finding ways to automate security scanning for images is top of mind for DevOps teams. Image scanning helps to secure the developer build pipeline and automates analysis of image contents and container configurations to identify and classify known security issues, vulnerabilities, and bad practices.
Red Hat recognized that vulnerability risk assessments for customers were often inconsistent due to different and varying security data sources and practices across partner offerings. We know this challenge! Sysdig Secure taps into vulnerability feeds from 15+ trusted sources like Red Hat. Each of these CVE feeds is unique – yet valuable to the extent that correlating the contents of an image with a broader set of CVE data ensures a greater level of insight into vulnerable packages, files, etc. Standardization is a great move – Red Hat has the right idea. Consistency helps eliminate misinterpretations and saves time for teams building and running containers.
How it works
At a high level, here’s how this collaboration and standardization works.
- Sysdig Secure consumes the publicly available Red Hat OVAL v2 security data feed.
- With this information, Sysdig image scanning will understand which vulnerabilities affect Red Hat-supported packages and whether a fix (patch) is available.
- Sysdig Secure displays the appropriate severity ratings for CVEs in scan results.
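To make the three steps above concrete, here is an added example (not Sysdig's or Red Hat's code) of the core matching logic a scanner applies once it has the feed: compare each installed package's epoch:version-release against the fixed version in the advisory using RPM's version-ordering rules, and report the CVE, its Red Hat severity, and whether a patch exists. The `ADVISORIES` structure is a constructed, simplified stand-in for the feed data, not the real OVAL v2 XML schema, and the CVE ids in it are placeholders.

```python
import re

# Split a version string into digit runs and letter runs, as rpmvercmp does.
_SEG = re.compile(r"(\d+|[a-zA-Z]+)")

def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version/release strings like rpm's rpmvercmp (tilde/caret handling omitted)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))   # numeric compare, leading zeros ignored
        elif x.isdigit():
            return 1                                    # a numeric segment beats an alpha one
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)                       # plain string compare for letters
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))    # longer string is newer

def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional, defaults to 0)."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evrcmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Constructed stand-in for the feed: per CVE, the fixed EVR per package (None = no fix yet)
# and the vendor severity. Placeholder CVE ids; this is not the OVAL v2 XML format.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "severity": "Important", "fixed": {"openssl-libs": "1:1.1.1k-7.el8"}},
    {"cve": "CVE-0000-0002", "severity": "Moderate", "fixed": {"curl": None}},
    {"cve": "CVE-0000-0003", "severity": "Low", "fixed": {"bash": "4.4.20-2.el8"}},
]

def assess(installed: dict, advisories=ADVISORIES) -> list:
    """Return one finding per (CVE, package) pair where the installed EVR is below the fix."""
    findings = []
    for adv in advisories:
        for pkg, fixed in adv["fixed"].items():
            if pkg not in installed:
                continue
            if fixed is None or evrcmp(installed[pkg], fixed) < 0:
                findings.append({"cve": adv["cve"], "package": pkg,
                                 "severity": adv["severity"], "fix": fixed})
    return findings
```

With an image reporting `openssl-libs 1:1.1.1k-6.el8`, `curl 7.61.1-22.el8` and `bash 4.4.20-2.el8`, the first two are flagged (the second with no fix available) and bash is clean because it already carries the fixed release.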
Securing build pipelines
More and more DevOps teams are moving to “shift left” security practices, with the goal of applying a security lens earlier in the development lifecycle. In fact, the fourth annual Sysdig 2021 Container Security and Usage Report found that 74% of Sysdig customers are scanning images pre-deployment.
Considering security implications for container images earlier in the development lifecycle helps close the door to attackers and reduce the possibility of unexpected and unwanted activity impacting your running containers.
Conclusion
By driving consistency and standardization with this new Red Hat Vulnerability Scanner Certification, Red Hat is helping customers that use Red Hat Certified security partner solutions have a more streamlined experience for assessing vulnerability risks of Red Hat products and packages. Aligning Sysdig Secure with Red Hat’s strategy and standard means Sysdig customers can gain improved clarity and accuracy for image scanning with CI/CD pipelines and registries.
For more on security with Red Hat and containers, read the Security on Red Hat OpenShift guide.