Container and Kubernetes Image Scanning with Sysdig Secure

Manage cloud security risk by embedding security into your CI/CD pipeline. Sysdig Secure stops vulnerable images before they reach production and reports newly disclosed vulnerabilities in images that are already running. It ships with out-of-the-box image scanning policies, runtime vulnerability reporting, and alerting on new vulnerabilities.


Identify Vulnerabilities Pre-Production and at Runtime


Embed image scanning into the CI/CD pipeline

Catch vulnerabilities and misconfigurations early by automating scanning in the CI/CD pipelines and registries you already use.


Use a single workflow for vulnerability management

Use out-of-the-box and customizable image scanning policies to detect vulnerabilities, misconfigurations and violations of security best practices from a single UI.


Leverage real-time vulnerability reporting and alerting

Bring traditional patch management to containers: when a new vulnerability is published, affected images are flagged immediately from their stored scan results, without rescanning them.


Embed image scanning into the CI/CD pipeline

Sysdig Secure image scanning integrates directly into the CI/CD pipeline of your choice, including Jenkins, Bamboo, GitLab and CircleCI. It catches vulnerabilities in OS packages (official and unofficial) and third-party libraries, and flags misconfigurations, exposed credentials and problematic image metadata. With Sysdig's inline scanning, the image is analyzed inside the pipeline, so issues are detected before the image is even pushed to a registry.

Sysdig Secure container image scanning supports any registry that implements the Docker Registry v2 API, including Quay, Amazon ECR, Docker Hub private registries, Google Container Registry, JFrog Artifactory, Microsoft ACR, SUSE Portus and VMware Harbor.


Using a Kubernetes admission controller, you can block images that have not been scanned, or that failed scan policy, from being deployed to the cluster.
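The decision such an admission controller makes, shown as an added example in Python (this is not Sysdig's admission controller or its API): a validating webhook receives an AdmissionReview for a Pod, collects every image the Pod would run, looks each one up in a scan-result store, and denies the request when any image is unscanned or failed policy. The scan-result store, the image references and the AdmissionReview document are constructed for the example; a real webhook would query the scanner and serve this logic over TLS. Treating "no scan result" as a denial rather than a pass is the important choice: otherwise an image that skipped the pipeline sails through.

```python
"""Admission-time gate on image scan results (added example, not Sysdig code)."""
import json

# Constructed scan-result store keyed by image reference (hypothetical data).
# "status" is the policy verdict the scanner recorded for that image.
SCAN_RESULTS = {
    "registry.example.com/shop/api:1.4.2": {"status": "pass", "critical": 0},
    "registry.example.com/shop/worker:0.9.0": {"status": "fail", "critical": 3},
}


def extract_images(pod):
    """Collect every image a Pod would run, init containers included."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return [c["image"] for c in containers]


def evaluate_images(images, results=SCAN_RESULTS):
    """Return (allowed, reasons). An unscanned image is a denial, not a pass."""
    reasons = []
    for image in images:
        result = results.get(image)
        if result is None:
            reasons.append(f"{image}: no scan result on record")
        elif result["status"] != "pass":
            reasons.append(
                f"{image}: scan policy failed ({result['critical']} critical)")
    return (not reasons, reasons)


def review(admission_review):
    """Build the AdmissionReview response for a Pod CREATE request."""
    request = admission_review["request"]
    allowed, reasons = evaluate_images(extract_images(request["object"]))
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        # The message is what kubectl shows the user when the Pod is rejected.
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


# Constructed AdmissionReview for a Pod mixing a passing and a failing image.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "7a3d2f0e-0000-4000-8000-000000000001",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "spec": {
                "containers": [
                    {"name": "api",
                     "image": "registry.example.com/shop/api:1.4.2"},
                    {"name": "worker",
                     "image": "registry.example.com/shop/worker:0.9.0"},
                ]
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

Running the file prints a denial whose message names the worker image and its three critical findings; swap the worker image for one absent from SCAN_RESULTS and the denial reason becomes "no scan result on record".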

Use a Single Workflow for Vulnerability Management

Sysdig Secure gives DevOps and security teams a single workflow for detecting and managing vulnerabilities in containers. With it, you can track a newly published CVE in an OS package, or find a vulnerable image that has been running for more than 30 days even though a fix is available.



Misconfigurations and mistakes, such as tokens embedded in images, give adversaries an entry point. With Sysdig Secure, you define custom scanning policies that flag not only CVEs but also misconfigurations and poor development practices.

Sysdig Secure gives you the tools to implement container image security and compliance best practices, such as NIST SP 800-190, PCI DSS and Dockerfile best practices. Using Sysdig Secure container image scanning policies, you can validate compliance and enforce rules such as:

  • Limiting image size
  • Blacklisting GPLv2 licenses
  • Ensuring containers use trusted base images and contain only the packages they need
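How rules like these reduce to checks over image metadata, as an added example in Python (this is not Sysdig's policy engine or its policy format): an image record carrying size, base image and a package list with SPDX license identifiers is evaluated against a size limit, a license blacklist, a trusted-base-image prefix and a list of build-time packages that should not ship in a runtime image. The image record, the policy values and the field names are all assumptions made for the example.

```python
"""Evaluate an image against custom scanning-policy rules (added example, not Sysdig code)."""

# Constructed image metadata, as a scanner might record it (hypothetical fields).
IMAGE = {
    "ref": "registry.example.com/shop/api:1.4.2",
    "size_bytes": 612 * 1024 * 1024,
    "base_image": "docker.io/library/alpine:3.18",
    "packages": [
        {"name": "musl", "license": "MIT"},
        {"name": "openssl", "license": "Apache-2.0"},
        {"name": "readline", "license": "GPL-2.0-only"},
        {"name": "curl", "license": "MIT"},
        {"name": "gcc", "license": "GPL-3.0-or-later"},
    ],
}

# Policy; every value here is an assumption chosen for the example.
POLICY = {
    "max_size_bytes": 500 * 1024 * 1024,
    "blacklisted_licenses": {"GPL-2.0-only", "GPL-2.0-or-later"},
    "trusted_base_prefixes": ("registry.example.com/base/",),
    # Build-time tooling and download clients that have no business in a runtime image.
    "unnecessary_packages": {"gcc", "make", "curl", "wget"},
}


def check_size(image, policy):
    """Limit image size: one finding if the image exceeds the configured limit."""
    if image["size_bytes"] > policy["max_size_bytes"]:
        mb = image["size_bytes"] // (1024 * 1024)
        limit = policy["max_size_bytes"] // (1024 * 1024)
        return [f"image is {mb} MiB, limit is {limit} MiB"]
    return []


def check_licenses(image, policy):
    """Blacklist licenses: one finding per package under a blacklisted license."""
    return [f"package {p['name']} has blacklisted license {p['license']}"
            for p in image["packages"]
            if p["license"] in policy["blacklisted_licenses"]]


def check_base_image(image, policy):
    """Trusted base images: the base must come from an approved registry path."""
    if not image["base_image"].startswith(policy["trusted_base_prefixes"]):
        return [f"base image {image['base_image']} is not from a trusted source"]
    return []


def check_packages(image, policy):
    """Only necessary packages: one finding per unwanted package, sorted by name."""
    found = sorted(p["name"] for p in image["packages"]
                   if p["name"] in policy["unnecessary_packages"])
    return [f"unnecessary package installed: {name}" for name in found]


def evaluate(image, policy=POLICY):
    """Run every rule; the image passes only when no rule reports a finding."""
    findings = []
    for rule in (check_size, check_licenses, check_base_image, check_packages):
        findings.extend(rule(image, policy))
    return {"image": image["ref"], "pass": not findings, "findings": findings}


if __name__ == "__main__":
    result = evaluate(IMAGE)
    print(f"{result['image']}: {'PASS' if result['pass'] else 'FAIL'}")
    for line in result["findings"]:
        print("  -", line)
```

Against the constructed image every rule fires (five findings in total), which is the point of running all rules rather than stopping at the first: the developer gets the complete list in one pipeline run instead of one finding per rebuild.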

Leverage real-time vulnerability reporting and alerting

When a new high or critical CVE is published, you need to assess your exposure immediately. Sysdig Secure lets you quickly identify every affected service and the team accountable for it. Developers and application owners are identified from Kubernetes or cloud metadata, such as service, deployment or application, and alerted so they can review their images and vulnerabilities.

With Sysdig Secure, you can set vulnerability reporting policies that cover registries and runtime containers, including the results of past build scans. You can then query for specific vulnerabilities by CVE ID, severity, fix availability, age or any other criteria, without DevOps or security having to rescan the images.
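Why stored scan results answer "who is affected?" without a rescan, as an added example in Python (this is not Sysdig's code or its query API, and it covers both the new-CVE triage described here and the "running for more than 30 days with a fix available" query mentioned earlier on the page): each image's package inventory is recorded at scan time, running workloads carry Kubernetes metadata and an owner label, and a newly published advisory is matched against the inventories to produce the list of affected deployments grouped by owner. The inventories, workloads, owners and advisory are constructed, and the advisory identifier is a placeholder rather than a real CVE. The version comparison is a deliberately simple numeric one, labelled as such; real distribution package ordering has more rules.

```python
"""Triage a new advisory against stored image inventories (added example, not Sysdig code)."""
import re
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 3, 15)  # fixed so the example is deterministic

# Per-image package inventory recorded at scan time (constructed).
INVENTORY = {
    "registry.example.com/shop/api:1.4.2": {"openssl": "3.1.4-r1", "curl": "8.4.0-r0"},
    "registry.example.com/shop/worker:0.9.0": {"openssl": "3.0.9-r2", "zlib": "1.2.13-r1"},
    "registry.example.com/shop/web:2.1.0": {"nginx": "1.25.3-r0", "openssl": "3.1.4-r1"},
}

# Running workloads with Kubernetes metadata and an owner label (constructed).
WORKLOADS = [
    {"namespace": "shop", "deployment": "api", "owner": "team-api",
     "image": "registry.example.com/shop/api:1.4.2", "started": TODAY - timedelta(days=12)},
    {"namespace": "shop", "deployment": "worker", "owner": "team-batch",
     "image": "registry.example.com/shop/worker:0.9.0", "started": TODAY - timedelta(days=45)},
    {"namespace": "web", "deployment": "frontend", "owner": "team-web",
     "image": "registry.example.com/shop/web:2.1.0", "started": TODAY - timedelta(days=60)},
]

# Findings from earlier scans, stored per image (constructed; placeholder IDs, not real CVEs).
FINDINGS = {
    "registry.example.com/shop/worker:0.9.0": [
        {"id": "EXAMPLE-FINDING-A", "package": "zlib", "severity": "High", "fix_available": False}],
    "registry.example.com/shop/web:2.1.0": [
        {"id": "EXAMPLE-FINDING-B", "package": "nginx", "severity": "Critical", "fix_available": True}],
}

# A newly published advisory (constructed; placeholder ID, not a real CVE).
ADVISORY = {"id": "EXAMPLE-ADVISORY-1", "package": "openssl",
            "fixed_in": "3.1.0-r0", "severity": "Critical"}


def version_key(version):
    """Simplified ordering: compare the numeric fields left to right.
    Assumption for the example; real distro version ordering has more rules."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def installed_vulnerable(advisory, packages):
    """Return the installed version if the package is present and older than the fix."""
    installed = packages.get(advisory["package"])
    if installed is None or version_key(installed) >= version_key(advisory["fixed_in"]):
        return None
    return installed


def affected_workloads(advisory, inventory=INVENTORY, workloads=WORKLOADS):
    """Match the advisory against stored inventories; no image is pulled or rescanned."""
    hits = []
    for w in workloads:
        installed = installed_vulnerable(advisory, inventory.get(w["image"], {}))
        if installed is not None:
            hits.append({"namespace": w["namespace"], "deployment": w["deployment"],
                         "owner": w["owner"], "image": w["image"], "installed": installed})
    return hits


def owners_to_notify(hits):
    """Group affected deployments by the owner label so each team gets one alert."""
    by_owner = defaultdict(list)
    for h in hits:
        by_owner[h["owner"]].append(f"{h['namespace']}/{h['deployment']}")
    return dict(by_owner)


def overdue_fixes(findings=FINDINGS, workloads=WORKLOADS, today=TODAY, max_age_days=30):
    """Running images older than max_age_days whose stored findings have a fix available."""
    out = []
    for w in workloads:
        age = (today - w["started"]).days
        fixable = [f["id"] for f in findings.get(w["image"], []) if f["fix_available"]]
        if age > max_age_days and fixable:
            out.append({"namespace": w["namespace"], "deployment": w["deployment"],
                        "owner": w["owner"], "age_days": age, "fixable": fixable})
    return out


if __name__ == "__main__":
    hits = affected_workloads(ADVISORY)
    print(f"{ADVISORY['id']} affects:", owners_to_notify(hits))
    print("overdue with fix available:", overdue_fixes())
```

With the constructed data, the advisory matches only the worker deployment (openssl 3.0.9-r2 is older than the 3.1.0-r0 fix), so team-batch gets the alert, while the overdue query returns only the frontend: the worker has run for 45 days but its stored finding has no fix yet, and the api image is too young to qualify.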


With Sysdig Secure, you can define automated alerts for a specific application or namespace that fire when a new CVE affects an image running in production. Alerts on container and Kubernetes image scanning failures can be routed through multiple channels (e.g., Slack, PagerDuty or Amazon SNS).

“We want to ensure images are free of vulnerabilities and meet best practices before pushing to production.”

Global Travel company, Sysdig customer


Sign up for a free 30-day trial of the Sysdig Platform, Sysdig Secure or Sysdig Monitor; no credit card required.