CI/CD and Registry Scanning with Runtime Vulnerability Reporting
Automate scanning within CI/CD pipelines and registries and implement registry scanning inline. Block vulnerabilities pre-production and monitor for new CVEs at runtime. Map a critical vulnerability back to an application and dev team.
Identify Vulnerabilities Pre-Production and at Runtime
Automate image scanning
within CI/CD
Detect OS and non-OS vulnerabilities early by embedding image scanning (docker security scanning) into CI/CD and registry scanning before deploying to production.
Leverage out-of-the-box checks for Dockerfile best practices
Save time using pre-built or custom image scanning policies to quickly catch vulnerabilities, misconfigurations, and security bad practices.
Implement vulnerability monitoring at runtime
Gain confidence by continuously monitoring for new vulnerabilities at runtime without rescanning images, and alert the right teams immediately.
Automate image scanning within the CI/CD pipeline
Embed image scanning, aka docker security scanning, directly in your CI/CD pipeline of choice, including Jenkins, Bamboo, GitLab, CircleCI, Azure Pipelines, etc. Catch OS and non-OS vulnerabilities, misconfigurations, credential exposures, and bad security practices.
Implement registry scanning within any Docker v2 compatible registry, including CoreOS Quay, Amazon ECR, DockerHub Private Registries, Google Container Registry, or JFrog Artifactory, Microsoft ACR, SuSE Portus, and VMWare Harbor.
Maintain complete control of your images by adopting Sysdig’s inline scanning. Scan within your CI/CD pipeline, registry, or at runtime while only shipping the scan results back to Sysdig.
Scan serverless containers with Sysdig Secure. Automatically scan AWS Fargate containers directly in ECR by listening for Fargate task start events. Scan serverless containers on Google Cloud Run via a GCR integration.
Using a Kubernetes admission controller, you can block unscanned or vulnerable images from being deployed onto the cluster.
Leverage Out-of-the-box Dockerfile Best Practices
Detect vulnerabilities quickly with out-of-the-box Dockerfile best practices. For example, identify a critical CVE in an OS package, or detect a vulnerable image that is running longer than 30 days with a fix available.
Misconfigurations, such as exposing port 22 in a Dockerfile, can create an entry point for attackers. Set custom container scanning and registry scanning policies to detect mistakes and bad security practices early.
Continuously validate container compliance with out-of-the-box policies for NIST SP 800-190, PCI DSS. In addition, check if developers are following security best practices, such as:
- Limiting image size
- Blacklisting GPlv2 licenses
- Ensuring containers use trusted base images and only necessary packages
Implement container scanning at runtime
Assess the risk impact of new CVEs quickly by embedding image scanning (docker security scanning) at runtime. Continuously monitor for these vulnerabilities without rescanning images, map the vulnerabilities back to specific applications, and identify the team that needs to fix it.
Query for vulnerabilities in production based on CVE ID, severity, fix, and age, and then scope it to a specific Kubernetes cluster, namespace, deployment, or pod.
Automatically alert the right team when a new CVE is discovered in your environment. Reach your developer quickly through multiple channels (e.g., Slack, PagerDuty, SNS, etc.).
“We want to ensure images are free of vulnerabilities and meet best practices before pushing to production.”
Global Travel company, Sysdig customer
Start Free Trial
Sign-Up for a Sysdig Platform, Sysdig Secure or Sysdig Monitor free 30-day trial,
no credit card required.