Checkmarx One Sysdig Integration - Runtime Usage
Notice
This document is intended for users who consume SCA through the Checkmarx One platform. Users of the SCA standalone product should refer to Checkmarx SCA Sysdig Integration - Runtime Usage to learn how to implement the Sysdig integration.
Overview
We have implemented a new integration with Sysdig Risk Spotlight, which identifies runtime usage of container packages. Once the integration is configured, the runtime usage data that was identified by Sysdig is shown as part of the Checkmarx scan results. This provides important insights for prioritizing remediation activities based on actual risk of exploitation.
Prerequisites
You need to have a Sysdig license and you need to obtain a Sysdig Risk Spotlight Token for your account.
Make sure that your Sysdig agents are configured to cover all images that you will be scanning in Checkmarx.
Limitations
Sysdig doesn't provide runtime data for base-images.
Setting up the Integration
The integration needs to be configured by Checkmarx personnel. Please contact your Checkmarx account agent and provide them with:
The base URL for your Sysdig region (e.g., https://us2.app.sysdig.com)
Your Sysdig Risk Spotlight token
Cluster name (optional)
Preparing the Tools
In order to get results for runtime usage, you need to scan the built image created from the Dockerfile in your local environment. This is done using the SCA Resolver tool, which is called via the Checkmarx One CLI tool.
Download and install the SCA Resolver tool as described here.
Notice
Make sure that all relevant package managers are installed on your local environment, see Installing Supported Package Managers for Resolver.
Download and install the Checkmarx One CLI. Configure it for use with your Checkmarx One account, as described here.
Warning
It is generally preferable to install all of the above tools in the same folder. Make sure that the user running the scans has write privileges to all of the folders in which these tools are located.
Scanning Images Using the Checkmarx One CLI Tool
You need to have the name and tag for each of the images that you would like to scan.
If you are using a private repo, you need to be authenticated for your registry.
Notice
Authentication can be done via Docker or Podman.
Alternatively, you can use the syft login command, as follows:
syft login <private_registry_domain> -u <your_username> -p <your_password>
Before running the scan, it is recommended to verify that you are able to access the image on your local machine.
In the Checkmarx One CLI, run the scan create command, specifying the use of SCA Resolver for scanning your container images.
The command should have the following components:
1. The scan create command with all required parameters, specifying the --scan-types as sca. The -s parameter should specify the location of the Docker files that you would like to scan.
./cx scan create --project-name <Project Name> -s <Repository URL of Docker files> --branch <branch name> --scan-types sca
2. Add the --sca-resolver flag, specifying the path to the resolver binary (executable).
--sca-resolver <path-to-resolver>
3. Add the --sca-resolver-params flag with the following parameters:
   - Add the --scan-containers flag.
   - Add the --images flag followed by a comma-separated list of images. Specify each image using the following syntax: {image_name}:{image_tag}.
   - Add --containers-result-path, with the path set as follows: <base_folder_path>/.cxsca-container-results.json. <base_folder_path> must be identical to the value given for -s. The precise file name .cxsca-container-results.json must be used.
--sca-resolver-params "--scan-containers --images {image_name}:{image_tag} --containers-result-path <base_folder_path>/.cxsca-container-results.json"
The following is an example of a command for scanning containers in the project folder as well as specific images.
./cx scan create --project-name DemoContainerProject -s . --branch main --scan-types sca --debug --async --sca-resolver './ScaResolver' --sca-resolver-params "--log-level Debug --scan-containers --images manuelbcd/vulnapp:latest,debian:10 --containers-result-path ./.cxsca-container-results.json"
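The following is an added example (not part of the Checkmarx documentation or tooling) of a POSIX shell wrapper that assembles the scan command described above. It derives the --containers-result-path from the -s value so the two cannot diverge, hard-codes the required result file name, validates each image reference against the {image_name}:{image_tag} form, and offers a local-availability check via docker or podman; the function names and the wrapper itself are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build the `cx scan create` invocation for container scanning with
# SCA Resolver. Not Checkmarx's own code; function names are illustrative.

RESULT_FILE=".cxsca-container-results.json"   # exact file name required by SCA Resolver

# validate_image_ref REF -> 0 if REF has the form {image_name}:{image_tag}
# (a tag containing "/" means the ":" was a registry port, not a tag separator)
validate_image_ref() {
  case "$1" in
    *:*) ;;
    *) return 1 ;;
  esac
  name=${1%:*}; tag=${1##*:}
  case "$tag" in */*) return 1 ;; esac
  [ -n "$name" ] && [ -n "$tag" ]
}

# build_scan_cmd PROJECT BASE_FOLDER BRANCH RESOLVER_PATH IMAGE...
# Prints the full command line; returns 1 if any image reference is malformed.
build_scan_cmd() {
  project=$1; base=$2; branch=$3; resolver=$4
  shift 4
  images=""
  for img in "$@"; do
    validate_image_ref "$img" || { echo "invalid image reference: $img" >&2; return 1; }
    images="${images:+$images,}$img"   # comma-separated list for --images
  done
  # The result path must live under the same folder passed to -s.
  result_path="$base/$RESULT_FILE"
  printf '%s\n' "./cx scan create --project-name $project -s $base --branch $branch --scan-types sca --sca-resolver '$resolver' --sca-resolver-params \"--scan-containers --images $images --containers-result-path $result_path\""
}

# check_image_present REF -> 0 if the image is available locally (docker or podman),
# 2 if neither client is installed. Run this before the scan, as the page recommends.
check_image_present() {
  if command -v docker >/dev/null 2>&1; then
    docker image inspect "$1" >/dev/null 2>&1
  elif command -v podman >/dev/null 2>&1; then
    podman image inspect "$1" >/dev/null 2>&1
  else
    return 2
  fi
}
```

Running `build_scan_cmd DemoContainerProject . main ./ScaResolver manuelbcd/vulnapp:latest debian:10` reproduces the example command above without the --debug, --async and --log-level options.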
Viewing Runtime Data
Once the integration has been configured for your account, whenever you run a scan on an image that is covered by your Sysdig deployment, the Checkmarx scan results will be supplemented with the runtime data.
Container Packages Tab
In the Container Packages tab, there is a column Runtime Usage which indicates which packages are used in runtime.
Possible values for Runtime Usage are:
Used - Runtime usage of this package was identified.
Not Used - No runtime usage of this package was identified.
Not Eligible - Runtime analysis isn’t supported for this package (for example, base-images aren't scanned by Sysdig).
Not Found - We couldn’t identify runtime usage because this package isn’t covered by your runtime security integration. Try adjusting the configuration of your runtime security integration so that all relevant clusters are covered.
Container Vulnerabilities Tab
In the Container Vulnerabilities tab, runtime usage is shown as a Risk Factor for vulnerabilities that are associated with used packages.
Also, when you drill down to open the details page for a specific vulnerability, runtime usage is shown as a Risk Factor.