CI/CD Tools
Sysdig Secure image scanning integrates directly into your CI/CD pipeline and prevents images with vulnerabilities or misconfigurations from being shipped.
Getting Started with Secure DevOps
Deploy faster by embedding visibility and security
Visibility into application health and security allows you to stay focused on shipping cloud apps. In reality, as teams set up development processes they often prioritize developing and deploying applications, leaving the details of managing application health, security, and compliance until later.
Reacting to performance and availability issues pulls your team away from development work. If security and compliance controls are not integrated into your workflow, they can slow you down. Issues may be identified as you release to production, adding churn.
Automating and integrating tools accelerates DevOps
Elite DevOps teams, based on software delivery and operational performance metrics, automate and integrate more tools into their toolchains. This concept is well recognized in the monitoring domain, but not as much in security. While 57% of elite teams have integration with production monitoring and observability tools, only 31% have automated security tests.[1]
Although integrating security lags monitoring today, regulatory and internal policies requirements eventually require teams to address security and compliance as part of their DevOps workflow.
Secure DevOps
Secure DevOps, also known as DevSecOps, brings security and monitoring throughout the application lifecycle, from development through production. This sets you up to deliver applications that are secure, stable, and high performing.
This workflow plugs into your existing tool chain and provides a single source of truth across DevOps, developer, and security teams to maximize efficiency. The SaaS-first foundation, simple user experience, and out-of-the-box workflows enable you to get started quickly with monitoring and security in containers and Kubernetes.
NEW!! Get the SaaS Advantage for Secure DevOps.
Five Essential Workflows for Secure Devops
Image Scanning
- Scan for known software vulnerabilities taking into account any third-party libraries developers might be pulling in.
- Embed scanning into CI/CD pipelines and registries. Leverage Kubernetes admission controllers to prevent risky image deployment.
- Integrate with Open Policy Agent (OPA) for advanced policy decisions.
- Validate the build configuration (Dockerfile instructions) and image attributes (like size, labels, etc.).
- Identify new vulnerabilities across large multi-cloud Kubernetes deployments and alert teams quickly.
- Adopt local scanning and maintain full control of your images.
Runtime Security
- Use a set of predefined policies to detect anomalous activity at runtime.
- Leverage an open-source runtime detection tool, like Falco, that provides community-driven rules for common security frameworks (MITRE ATT&CK, FIM, cryptomining, etc.)
- Use rich cloud/Kubernetes context to apply precise policies and reduce noise.
- Automatically remediate with response actions to pause or kill containers block threats.
Compliance
- Validate compliance using out-of-the-box rules mapped against common compliance frameworks including PCI, NIST, etc.
- Leverage CIS benchmarks for Docker and Kubernetes to ensure that you’re following security best practices (e.g., don’t run privileged containers, don’t run containers as root)
Application and Cloud Service Monitoring
- Use pre-built dashboard templates for your backend services.
- Get to root causes faster by correlating application performance to your Kubernetes infrastructure.
- Leverage your existing developer investment with full Prometheus compatibility.
- Save time with curated and supported Prometheus integrations to monitor applications and cloud services.
Kubernetes and Container Monitoring
- Auto-discover and explore your container, cloud, and Kubernetes environments.
- Use out-of-the-box dashboards to visualize the performances of your applications and containers.
- Easily configure alerting across nodes, namespaces, clusters, metrics, and tags.
- Reduce cost by optimizing resource usage and capacity.
Embed Advanced Workflows with Containers and Kubernetes
- Advanced Troubleshooting - Reduce MTTR by examining granular, system-level capture data, and detailed topology maps to troubleshoot hard-to-diagnose issues
- ML-based anomaly detection - Reduce the manual effort in creating runtime policies at scale with machine learning-based image profiling
- Threat prevention - Block threats using native controls in Kubernetes that do not impact performance
- Incident response and forensics - Conduct deep forensics, even after the container is gone, by using a snapshot of pre- and post-attack activity that includes system calls with Kubernetes and cloud context
- Extended compliance controls - Leverage 400+ out-of-the-box checks to help you continuously validate compliance against a broad range of controls
Pick a SaaS-first platform for efficiency and faster innovation
Choosing a SaaS-based solution over an on-prem solution has many benefits:
Scalable service: You can start with monitoring and securing a few images, and scale up as your container applications grow without worrying about backend data management.
Fast implementation: You can quickly plug into your DevOps tools (i.e. embed scanning into your CI/CD pipelines) and get up and running in minutes, unlike on-premises applications that require more time to install and setup.
Easy upgrades and maintenance: The SaaS provider handles patches and rolls out new feature updates that don’t require you to manually upgrade.
No infrastructure or staff costs: You avoid paying for in-house hardware and software licenses with perpetual ownership. You also don’t need staff on-site to maintain and support the application.
Sysdig Secure DevOps Platform
Build
Vulnerabilities
Configuration
1/2
Registry
Sysdig Secure container image scanning supports all Docker v2 compatible registries. It ensures an up to date risk posture and identifies images that need to be rebuilt if new vulnerabilities are introduced.
2/2
Run
Metrics
Events
Security Policies
Applications
Sysdig provides runtime security, infrastructure and application monitoring to help you ship cloud applications faster to production.
1/4
Cloud
Sysdig secures and monitors containers on multiple cloud platforms.
Sysdig ServiceVision enriches container data with the metadata from the cloud providers.
2/4
Orchestrator
Sysdig supports any orchestrator, multiple Kubernetes distributions, as well as managed platforms.
Sysdig ServiceVision enriches container data with the metadata from Kubernetes/orchestrators. Sysdig uses the native facilities of Kubernetes for policy enforcement and threat prevention.
3/4
Infrastructure
Sysdig ContainerVision provides deep visibility into all container activity via a lightweight instrumentation model that collects low level system call data.
4/4
Respond
Alerts
Audit
Logs
Logs
Events
Syscall
Captures
Captures
Alerts
Configure flexible alerts on image scanning failures, runtime anomalous activity, troubleshooting issues etc through channels you already use (e.g., Slack, PagerDuty, SNS, etc.).
1/2
SIEM and SOAR Integrations
Sysdig automatically forwards events to your SIEM tool giving SOC analysts deep visibility into container and Kubernetes incidents. It also integrates with SOAR platforms (Demisto, Phantom) as part of automated security playbooks.
2/2
SaaS
Self-hosted
Sysdig Secure DevOps Platform
Confidently run cloud-native workloads in production using the Sysdig Secure DevOps Platform. With Sysdig, you can embed security, validate compliance and maximize performance and availability. The Sysdig platform is open by design, with the scale, performance and usability enterprises demand.
Start Free Trial
Sign-Up for a Sysdig Platform, Sysdig Secure or Sysdig Monitor free 30-day trial, no credit card required.
Footnotes