CI/CD and Registry Scanning with Runtime Vulnerability Reporting
Automate image scanning in CI/CD pipelines and registries, block vulnerable images before they reach production, and keep monitoring running images for newly published CVEs. Map a critical vulnerability back to the application it runs in and the team that owns it.
Identify Vulnerabilities Pre-Production and at Runtime
Automate image scanning
Detect OS-package and non-OS (language library) vulnerabilities early by embedding image scanning in CI/CD and scanning registries before images are deployed to production.
Leverage out-of-the-box checks for Dockerfile best practices
Save time with pre-built or custom scanning policies that catch vulnerabilities, misconfigurations, and security bad practices without writing rules from scratch.
Implement vulnerability monitoring at runtime
Continuously monitor running images for newly disclosed vulnerabilities without rescanning them, and alert the team that owns the affected workload immediately.
Automate image scanning within the CI/CD pipeline
Embed image scanning (also called Docker security scanning) directly in your CI/CD pipeline of choice, including Jenkins, Bamboo, GitLab, CircleCI, GitHub Actions, Azure Pipelines, and others. Catch OS and non-OS vulnerabilities, misconfigurations, exposed credentials, and bad security practices before the image is pushed.
Scan serverless containers with Sysdig Secure: AWS Fargate images are scanned directly in ECR by listening for Fargate task start events, and Google Cloud Run images are scanned through a GCR integration.
With a Kubernetes admission controller, images that were never scanned, or that failed the scanning policy, can be blocked from being deployed onto the cluster.
Leverage Out-of-the-box Dockerfile Best Practices
Detect policy violations quickly with out-of-the-box Dockerfile and image checks: for example, a critical CVE in an OS package, or an image that has been running for more than 30 days while a fix for its vulnerability is available. Built-in checks include:
- Limiting image size
- Flagging packages under blocked licenses such as GPLv2
- Ensuring containers use trusted base images and only the packages they need
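The pipeline gate and the admission decision described above, as an added example that is not Sysdig's code or the page's own: a policy evaluator that applies the four kinds of check listed here (critical CVE with a fix available, untrusted base image, blocked license, image size) to a scan report, and an admit/deny function that denies any image with no recorded verdict or a failed one. The report layout, the rule thresholds, the `registry.example.com` names, the placeholder digests and the `CVE-0000-...` ids are all constructed for the illustration.

```python
# Added example, not Sysdig's code: a minimal image-policy gate for a CI
# step, plus the admit/deny decision an admission webhook would make from
# the stored verdicts. Report layout, rule thresholds and registry names
# are assumptions made for this illustration.

# Assumed policy parameters
TRUSTED_BASE_PREFIXES = ("registry.example.com/base/",)   # trusted base-image registry path
BLOCKED_LICENSES = {"GPL-2.0", "GPL-2.0-only"}             # GPLv2 license blocklist
MAX_IMAGE_BYTES = 500 * 1024 * 1024                        # 500 MiB size cap


def evaluate_image(report):
    """Apply the gate to one scan report (a plain dict) and return
    (passed, findings). Each finding is a human-readable reason string."""
    findings = []
    # Rule 1: a Critical vulnerability with a fix available fails the build;
    # unfixable criticals are still reported downstream but do not block here.
    for vuln in report["vulnerabilities"]:
        if vuln["severity"] == "Critical" and vuln.get("fixed_in"):
            findings.append(
                f"{vuln['id']} in {vuln['package']} is Critical, fixed in {vuln['fixed_in']}"
            )
    # Rule 2: only base images from the trusted registry path are allowed.
    if not report["base_image"].startswith(TRUSTED_BASE_PREFIXES):
        findings.append(f"untrusted base image {report['base_image']}")
    # Rule 3: no package may carry a blocked license.
    for pkg in report["packages"]:
        if pkg["license"] in BLOCKED_LICENSES:
            findings.append(f"package {pkg['name']} carries blocked license {pkg['license']}")
    # Rule 4: image size limit.
    if report["size_bytes"] > MAX_IMAGE_BYTES:
        findings.append(f"image is {report['size_bytes']} bytes, limit is {MAX_IMAGE_BYTES}")
    return (not findings, findings)


def admission_decision(pod_images, verdicts):
    """Decide whether a pod may run. `verdicts` maps digest-pinned image
    references to evaluate_image() results recorded by CI. An image with
    no record is unscanned and is denied just like a failed one. Keying on
    the digest rather than the tag stops a later push of the same tag from
    inheriting an older verdict."""
    reasons = []
    for image in pod_images:
        verdict = verdicts.get(image)
        if verdict is None:
            reasons.append(f"{image}: no scan result on record")
        elif not verdict[0]:
            reasons.append(f"{image}: failed policy with {len(verdict[1])} finding(s)")
    return {"allowed": not reasons, "reasons": reasons}


# Constructed sample data (placeholder digests and CVE ids, not real ones)
GOOD_IMAGE = "registry.example.com/app/api@sha256:" + "a" * 64
BAD_IMAGE = "registry.example.com/app/web@sha256:" + "b" * 64
UNSCANNED_IMAGE = "registry.example.com/app/worker@sha256:" + "c" * 64

SAMPLE_REPORTS = {
    GOOD_IMAGE: {
        "base_image": "registry.example.com/base/debian:12",
        "size_bytes": 180 * 1024 * 1024,
        "packages": [{"name": "libexample", "license": "Apache-2.0"}],
        "vulnerabilities": [
            # Medium with no fix: reported, not blocking
            {"id": "CVE-0000-00001", "package": "libexample", "severity": "Medium", "fixed_in": None},
        ],
    },
    BAD_IMAGE: {
        "base_image": "docker.io/library/ubuntu:22.04",
        "size_bytes": 320 * 1024 * 1024,
        "packages": [{"name": "libother", "license": "GPL-2.0-only"}],
        "vulnerabilities": [
            {"id": "CVE-0000-00002", "package": "libother", "severity": "Critical", "fixed_in": "1.2.3"},
        ],
    },
}

if __name__ == "__main__":
    verdicts = {img: evaluate_image(rep) for img, rep in SAMPLE_REPORTS.items()}
    for img, (ok, why) in verdicts.items():
        print("PASS" if ok else "FAIL", img.split("@")[0], *why, sep="\n  ")
    print(admission_decision([GOOD_IMAGE, BAD_IMAGE, UNSCANNED_IMAGE], verdicts))
```

In a real pipeline the report would come from the scanner's output and the verdict store would be the scanner's backend; the point of the example is the shape of the decision: a fixable critical, an untrusted base, a blocked license or an oversized image each produce a finding, any finding fails the gate, and the admission side treats "never scanned" the same as "failed".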
Implement container scanning at runtime
Assess the impact of a newly published CVE quickly. Because the package inventory from each image scan is retained, new vulnerability data can be matched against running images without rescanning them; each match is mapped back to the specific application it runs in and the team that needs to fix it.
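The runtime matching described above, as an added example that is not Sysdig's code: the per-image package inventory captured at scan time is stored, the runtime side records which workload runs which image and which team owns it, and each new advisory is matched against the stored inventories and grouped into one alert per team. The advisory and inventory formats, the simplistic dotted-version comparison, the `registry.example.com` images, placeholder digests, package names, team names and `CVE-0000-...` ids are all constructed for the illustration.

```python
# Added example, not Sysdig's code: runtime vulnerability monitoring without
# rescanning. The per-image package inventory from the original scan is kept,
# the runtime side records which workload runs which image and who owns it,
# and each new advisory is matched against the stored inventories. Data
# formats and the version comparison are assumptions for this illustration.
from collections import defaultdict


def parse_version(version):
    """Dotted-numeric comparison, enough for the constructed sample data.
    Real matching needs ecosystem-specific rules (Debian epochs and
    revisions, RPM release tags, semver pre-releases); this helper raises
    ValueError on anything that is not purely numeric segments."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, advisory):
    """Affected if introduced <= installed < fixed. A missing 'fixed' means
    no fixed version is known yet, so everything from 'introduced' onward
    counts as affected."""
    v = parse_version(installed)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    return fixed is None or v < parse_version(fixed)


def match_advisory(advisory, inventories, deployments):
    """Return one impact record per running workload that contains an
    affected version of the advisory's package. No image is re-pulled or
    rescanned; only the stored inventory is consulted."""
    hits = []
    for image, packages in inventories.items():
        vulnerable = [p for p in packages
                      if p["name"] == advisory["package"] and is_affected(p["version"], advisory)]
        if not vulnerable:
            continue
        for dep in deployments:
            if dep["image"] == image:
                hits.append({
                    "advisory": advisory["id"],
                    "image": image,
                    "workload": f"{dep['namespace']}/{dep['workload']}",
                    "team": dep["team"],
                    "installed": vulnerable[0]["version"],
                    "fixed": advisory.get("fixed"),
                })
    return hits


def notify_plan(hits):
    """Group impacts by owning team so each team receives one alert listing
    exactly the workloads it has to fix."""
    plan = defaultdict(list)
    for hit in hits:
        plan[hit["team"]].append(hit["workload"])
    return dict(plan)


# Constructed sample data (placeholder digests, package names and CVE ids)
IMG_API = "registry.example.com/app/api@sha256:" + "a" * 64
IMG_BATCH = "registry.example.com/app/batch@sha256:" + "b" * 64
IMG_LEGACY = "registry.example.com/app/legacy@sha256:" + "c" * 64

INVENTORIES = {  # captured at scan time, never recomputed here
    IMG_API: [{"name": "libexample", "version": "2.4.1"}, {"name": "zlib1g", "version": "1.3"}],
    IMG_BATCH: [{"name": "libexample", "version": "2.5.0"}],
    IMG_LEGACY: [{"name": "libexample", "version": "1.9.0"}],
}

DEPLOYMENTS = [  # what the runtime agent currently sees running
    {"image": IMG_API, "namespace": "payments", "workload": "api-gateway", "team": "payments-platform"},
    {"image": IMG_API, "namespace": "payments", "workload": "api-admin", "team": "payments-platform"},
    {"image": IMG_BATCH, "namespace": "reporting", "workload": "nightly-batch", "team": "data-eng"},
    {"image": IMG_LEGACY, "namespace": "legacy", "workload": "old-portal", "team": "web-legacy"},
]

# Two constructed advisories for the same package: one with a fix, one without
ADVISORY_FIXED = {"id": "CVE-0000-00003", "package": "libexample", "introduced": "2.0", "fixed": "2.5.0"}
ADVISORY_UNFIXED = {"id": "CVE-0000-00004", "package": "libexample", "introduced": "2.0", "fixed": None}

if __name__ == "__main__":
    for adv in (ADVISORY_FIXED, ADVISORY_UNFIXED):
        hits = match_advisory(adv, INVENTORIES, DEPLOYMENTS)
        print(adv["id"], notify_plan(hits))
```

The inventory is the only thing consulted when an advisory arrives, which is what makes the check cheap enough to run on every feed update; the deployment records are what turn "this image is affected" into "this workload, owned by this team, is affected", and the unfixed advisory shows the case where the alert has to go out even though there is nothing to upgrade to yet.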
“We want to ensure images are free of vulnerabilities and meet best practices before pushing to production.”
Global travel company, Sysdig customer