CI/CD and Registry Scanning with Runtime Vulnerability Reporting

Automate scanning within CI/CD pipelines and registries, and run registry scanning inline. Block vulnerable images before they reach production, monitor for new CVEs at runtime, and map a critical vulnerability back to the application and the dev team that owns it.



Identify Vulnerabilities Pre-Production and at Runtime


Automate image scanning within CI/CD

Detect OS and non-OS (application dependency) vulnerabilities early by embedding image scanning (Docker security scanning) into CI/CD and registry workflows, before anything is deployed to production.


Leverage out-of-the-box checks for Dockerfile best practices

Save time using pre-built or custom image scanning policies to quickly catch vulnerabilities, misconfigurations, and security bad practices.


Implement vulnerability monitoring at runtime

Gain confidence by continuously monitoring for new vulnerabilities at runtime without rescanning images, and alert the right teams immediately.


Automate image scanning within the CI/CD pipeline

Embed image scanning (Docker security scanning) directly in your CI/CD pipeline of choice, including Jenkins, Bamboo, GitLab, CircleCI, and Azure Pipelines. Catch OS and non-OS vulnerabilities, misconfigurations, credential exposures, and bad security practices before the image is pushed.

Implement registry scanning within any Docker v2 compatible registry, including CoreOS Quay, Amazon ECR, Docker Hub private registries, Google Container Registry, JFrog Artifactory, Microsoft ACR, SUSE Portus, and VMware Harbor.


Maintain complete control of your images by adopting Sysdig’s inline scanning: the scan runs where the image already lives (your CI/CD pipeline, your registry, or the runtime node) and only the scan results are shipped back to Sysdig, so the image itself never leaves your environment.

Scan serverless containers with Sysdig Secure. Automatically scan AWS Fargate containers directly in ECR by listening for Fargate task start events. Scan serverless containers on Google Cloud Run via a GCR integration.

Kubernetes vulnerability management

Using a Kubernetes admission controller, you can block unscanned or vulnerable images from being deployed onto the cluster. Make the decision on the image digest rather than on a mutable tag, so that the image admitted is the same one that was scanned.
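The following is an added example, not Sysdig's code, of the decision logic behind such a validating admission webhook. It also illustrates the CI/CD gate described above, since a pipeline step applies the same per-image policy to a scan result before pushing. The scan results, image digests, registry name and thresholds (no criticals, no fixable highs, no leaked credentials, digest pinning required) are constructed assumptions; a real webhook would look results up from the scanner's API and be served over HTTPS, which the kube-apiserver requires.

```python
"""Validating admission webhook decision for Pods, gated on image scan results.
Added example; SCAN_RESULTS and the policy thresholds are constructed."""
import json
from typing import List, Optional

# Constructed digests (placeholders with the right shape, not real images).
API_DIGEST = "sha256:" + "a" * 64
WORKER_DIGEST = "sha256:" + "b" * 64
SIDECAR_DIGEST = "sha256:" + "c" * 64

# Constructed scan results keyed by image reference *with digest*. In a real
# webhook this is a lookup against the scanner's API, not a module-level dict.
SCAN_RESULTS = {
    f"registry.example.com/shop/api@{API_DIGEST}":
        {"critical": 0, "high_fixable": 0, "secrets": False},
    f"registry.example.com/shop/worker@{WORKER_DIGEST}":
        {"critical": 2, "high_fixable": 3, "secrets": False},
    f"registry.example.com/shop/sidecar@{SIDECAR_DIGEST}":
        {"critical": 0, "high_fixable": 0, "secrets": True},
}


def evaluate_image(image: str) -> Optional[str]:
    """Return a denial reason for one image reference, or None if it may run.
    Assumed policy: the image must be pinned by digest, must have a scan result
    on record, and must carry no criticals, no fixable highs and no secrets."""
    if "@sha256:" not in image:
        return f"{image}: not pinned by digest, tag may not match the scanned image"
    result = SCAN_RESULTS.get(image)
    if result is None:
        return f"{image}: no scan result on record (unscanned image)"
    if result["critical"]:
        return f"{image}: {result['critical']} critical vulnerabilities"
    if result["high_fixable"]:
        return f"{image}: {result['high_fixable']} high vulnerabilities with a fix available"
    if result["secrets"]:
        return f"{image}: credentials found in image layers"
    return None


def pod_images(pod: dict) -> List[str]:
    """All images a Pod would run, init containers included."""
    spec = pod.get("spec", {})
    return [c["image"] for key in ("initContainers", "containers")
            for c in spec.get(key, [])]


def review_pod(admission_review: dict) -> dict:
    """Turn a v1 AdmissionReview request into the AdmissionReview response the
    API server expects; a Pod is denied if any of its images fails policy."""
    req = admission_review["request"]
    reasons = [r for r in map(evaluate_image, pod_images(req["object"])) if r]
    response = {"uid": req["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(uid: str, *images: str) -> dict:
    """Build a constructed v1 AdmissionReview for a Pod running the given images."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid,
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"apiVersion": "v1", "kind": "Pod",
                                   "spec": {"containers": containers}}}}


if __name__ == "__main__":
    for imgs in ([f"registry.example.com/shop/api@{API_DIGEST}"],
                 [f"registry.example.com/shop/worker@{WORKER_DIGEST}"],
                 ["registry.example.com/shop/api:latest"]):
        print(json.dumps(review_pod(sample_review("demo", *imgs))["response"]))
```

Only the first Pod is admitted: the worker image fails on critical vulnerabilities, and the tag-only reference is denied because nothing guarantees it resolves to the digest that was scanned.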

Leverage Out-of-the-box Dockerfile Best Practices

Detect problems quickly with out-of-the-box policies that cover both vulnerabilities and Dockerfile best practices. For example, flag a critical CVE in an OS package, or a vulnerable image that has been running for more than 30 days while a fix is available.


Misconfigurations, such as exposing port 22 in a Dockerfile, can create an entry point for attackers: the EXPOSE instruction itself opens nothing, but it signals that the image ships an SSH daemon, which has no place in a container. Set custom container scanning and registry scanning policies to detect mistakes and bad security practices early.

Continuously validate container compliance with out-of-the-box policies for NIST SP 800-190 and PCI DSS. In addition, check that developers are following security best practices, such as:

  • Limiting image size
  • Blocklisting GPLv2-licensed packages
  • Ensuring containers use trusted base images and only necessary packages
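As an added example, not Sysdig's policy engine, here is a small Dockerfile checker that implements checks of the kind listed above: untrusted or unpinned base images, EXPOSE 22 and SSH servers, package bloat from apt, ADD instead of COPY, credentials baked in via ENV, and no USER instruction. The Dockerfile, the trusted registry prefix and the exact rules are constructed assumptions. Instruction continuation lines and comments are handled so that multi-line RUN steps are evaluated as one command.

```python
"""Dockerfile best-practice checker. Added example with constructed rules."""
import re
from typing import List, Tuple

# Assumed organisational policy: base images may only come from this prefix.
TRUSTED_REGISTRIES = ("registry.example.com/base/",)

# Constructed Dockerfile with several deliberate findings.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y openssh-server curl vim
EXPOSE 22
EXPOSE 8080
ADD app.tar.gz /srv/app
ENV DB_PASSWORD=hunter2
CMD ["/usr/sbin/sshd", "-D"]
"""


def parse(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, arguments), joining backslash
    continuations and skipping comments and blank lines."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf = ""
    return out


def check(dockerfile: str) -> List[str]:
    """Evaluate the constructed policy and return one message per finding."""
    findings = []
    has_user = False
    for n, instr, args in parse(dockerfile):
        if instr == "FROM":
            # First token that is not a flag such as --platform=...
            image = next(t for t in args.split() if not t.startswith("--"))
            if not image.startswith(TRUSTED_REGISTRIES):
                findings.append(f"L{n}: base image {image!r} is not from a trusted registry")
            if "@sha256:" not in image:
                findings.append(f"L{n}: base image {image!r} is not pinned by digest")
        elif instr == "EXPOSE" and re.search(r"\b22(/tcp)?\b", args):
            findings.append(f"L{n}: EXPOSE 22 signals an SSH daemon inside the container")
        elif instr == "RUN" and "apt-get install" in args:
            if "--no-install-recommends" not in args:
                findings.append(f"L{n}: apt-get install without --no-install-recommends bloats the image")
            if "rm -rf /var/lib/apt/lists" not in args:
                findings.append(f"L{n}: apt package lists not removed in the same layer")
            if re.search(r"\b(openssh-server|telnetd)\b", args):
                findings.append(f"L{n}: installs a remote shell server")
        elif instr == "ADD":
            findings.append(f"L{n}: ADD unpacks archives and fetches URLs; prefer COPY")
        elif instr in ("ENV", "ARG") and re.search(r"PASSWORD|SECRET|TOKEN|API_KEY", args, re.I):
            findings.append(f"L{n}: {instr} appears to embed a credential in the image")
        elif instr == "USER" and args not in ("root", "0"):
            has_user = True
    if not has_user:
        findings.append("image has no USER instruction; processes run as root")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_DOCKERFILE):
        print(f)
```

Run against SAMPLE_DOCKERFILE it reports nine findings, one per problem listed in the lead-in (two for the FROM line, three for the apt RUN line). A Dockerfile that uses a digest-pinned image from the trusted prefix, installs with --no-install-recommends and cleans the apt lists in the same layer, and sets a non-root USER passes cleanly.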

Implement container scanning at runtime

Assess the risk impact of new CVEs quickly by extending image scanning (Docker security scanning) to runtime. Because the scan results are retained, newly published CVEs can be matched against running images continuously without rescanning them; map each vulnerability back to the specific application that runs it and identify the team that needs to fix it.

Query for vulnerabilities in production based on CVE ID, severity, fix, and age, and then scope it to a specific Kubernetes cluster, namespace, deployment, or pod.
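The following added example, not Sysdig's code, shows the mechanism behind the two paragraphs above: the package inventory recorded when each image was scanned is matched against new advisories, each hit is tied to the cluster, namespace, deployment and owning team running that image digest, and the result can be queried by CVE ID, severity, fix availability, age and Kubernetes scope, then grouped per team for alerting. The inventories, workloads, advisory IDs (fictional, not real CVEs) and the TODAY date are constructed, and the version ordering is a simplification rather than full dpkg or rpm semantics.

```python
"""Runtime CVE matching without rescanning. Added example; all data constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2024, 4, 1)  # constructed "now" so the example is deterministic

# Package inventory captured at scan time, keyed by image digest.
INVENTORY: Dict[str, Dict[str, str]] = {
    "sha256:" + "a" * 64: {"openssl": "1.1.1k-1", "zlib": "1.2.11-1", "log4j-core": "2.14.1"},
    "sha256:" + "b" * 64: {"openssl": "1.1.1n-1", "zlib": "1.2.12-1"},
}

# Where each digest is running and who owns it (constructed).
WORKLOADS = [
    {"cluster": "prod-eu", "namespace": "payments", "deployment": "api",
     "digest": "sha256:" + "a" * 64, "team": "payments-dev", "started": date(2024, 1, 10)},
    {"cluster": "prod-eu", "namespace": "search", "deployment": "indexer",
     "digest": "sha256:" + "b" * 64, "team": "search-dev", "started": date(2024, 3, 1)},
]

# Fictional advisories. "fixed" is the first version containing the fix, or
# None when no fix is available yet (then every installed version is affected).
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "openssl", "fixed": "1.1.1m-1", "severity": "critical"},
    {"id": "CVE-0000-0002", "package": "zlib", "fixed": None, "severity": "high"},
]


def version_key(v: str):
    """Simplified ordering: numeric runs compare as ints, alphabetic runs as
    strings, tagged so mixed positions never raise. Not dpkg/rpm semantics."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


@dataclass
class Finding:
    cve: str
    severity: str
    package: str
    installed: str
    fix: Optional[str]
    cluster: str
    namespace: str
    deployment: str
    team: str
    running_days: int


def match_advisories(advisories: List[dict], today: date = TODAY) -> List[Finding]:
    """Match advisories against the stored inventory of every running digest."""
    findings = []
    for w in WORKLOADS:
        packages = INVENTORY.get(w["digest"], {})
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue
            fixed = adv["fixed"]
            if fixed is not None and version_key(installed) >= version_key(fixed):
                continue
            findings.append(Finding(adv["id"], adv["severity"], adv["package"], installed,
                                    fixed, w["cluster"], w["namespace"], w["deployment"],
                                    w["team"], (today - w["started"]).days))
    return findings


def query(findings: List[Finding], cve: Optional[str] = None, severity: Optional[str] = None,
          fixable: Optional[bool] = None, min_running_days: int = 0,
          cluster: Optional[str] = None, namespace: Optional[str] = None,
          deployment: Optional[str] = None) -> List[Finding]:
    """Filter by CVE ID, severity, fix availability, age and Kubernetes scope."""
    return [f for f in findings
            if (cve is None or f.cve == cve)
            and (severity is None or f.severity == severity)
            and (fixable is None or (f.fix is not None) == fixable)
            and f.running_days >= min_running_days
            and (cluster is None or f.cluster == cluster)
            and (namespace is None or f.namespace == namespace)
            and (deployment is None or f.deployment == deployment)]


def notifications(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group findings by owning team: the payload to route to Slack, PagerDuty, etc."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        fix = f"fix in {f.fix}" if f.fix else "no fix yet"
        out.setdefault(f.team, []).append(
            f"{f.cve} ({f.severity}) {f.package} {f.installed}, {fix}: "
            f"{f.cluster}/{f.namespace}/{f.deployment}")
    return out


if __name__ == "__main__":
    hits = match_advisories(ADVISORIES)
    for team, msgs in notifications(query(hits, fixable=True, min_running_days=30)).items():
        print(team, msgs)
```

With the constructed data the critical openssl advisory hits only the payments API (its digest carries 1.1.1k-1, the indexer already has 1.1.1n-1), the unfixed zlib advisory hits both workloads, and the "fixable and running for more than 30 days" query, the example from the best-practices section above, returns just the API deployment for the payments-dev team.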

Automatically alert the right team when a new CVE is discovered in your environment. Reach the responsible developers quickly through multiple channels (e.g., Slack, PagerDuty, SNS).

“We want to ensure images are free of vulnerabilities and meet best practices before pushing to production.”

Global Travel company, Sysdig customer


Sign up for a Sysdig Platform, Sysdig Secure or Sysdig Monitor free 30-day trial, no credit card required.