sysdiglabs/secure-inline-scan

⚠️ This scanner is legacy. To work with the new scanner please go to the right repository or check the documentation

Sysdig inline scan

WARNING: This repository contains the deprecated inline-scan script V1

Sysdig Inline Scan V2 is the recommended version for this old engine.

Check https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html for more information about the old engine (2022)

Check https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline for more about the new engine (2023)

Note about older version (1.x)

Sysdig inline scan V1 is still available, but not supported. V1 runs as a script and requires a working Docker environment (binaries and daemon), or it can run as a container with the Docker socket mounted inside the container.

Migrating to V2

If running the inline-scan via container:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock sysdiglabs/secure-inline-scan analyze ... <image-to-scan>

migrating to the new version requires changing the image name to quay.io/sysdig/secure-inline-scan:2, adding the --storage-type=docker-daemon parameter, and removing the analyze option:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock quay.io/sysdig/secure-inline-scan:2 ... <image-to-scan> --storage-type=docker-daemon

Depending on the docker.sock permissions, you might need to run as root (adding -u to the docker run command) or adjust the permissions on the Docker socket.

If you are executing the script as:

inline_scan.sh ... <image-to-scan>

then you will need to execute the inline-scanner as a container instead, as described previously.
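The rewrite described above can be applied mechanically to pipeline files. The following is an added example, not part of this repository: the function names `migrate_line` and `migrate_stream` are hypothetical, and it assumes each container invocation sits on a single line and that the remaining options carry over unchanged, as the commands above show.

```shell
#!/bin/sh
# Added example (not from the repository): rewrite V1 container invocations
# of the inline scanner to the V2 form described in "Migrating to V2".
V2_IMAGE='quay.io/sysdig/secure-inline-scan:2'

# migrate_line LINE  (hypothetical helper)
# Prints LINE with a single-line V1 "docker run" invocation rewritten to V2:
# new image name, "analyze" removed, --storage-type=docker-daemon appended.
# Returns 2 when LINE calls the inline_scan.sh wrapper, which has no
# mechanical rewrite and must be converted to a container run by hand.
migrate_line() {
    line=$1
    case $line in
        *inline_scan.sh*)
            printf '%s\n' "$line"
            return 2 ;;
        *" run "*sysdiglabs/secure-inline-scan*)
            printf '%s\n' "$line" | sed -E \
                -e 's#(^|[[:space:]])sysdiglabs/secure-inline-scan(:[^[:space:]]+)?([[:space:]]+analyze)?([[:space:]]|$)#\1'"$V2_IMAGE"'\4#' \
                -e '/--storage-type[= ]/!s#[[:space:]]*$# --storage-type=docker-daemon#' ;;
        *)
            # Unrelated or already migrated line: pass through unchanged.
            printf '%s\n' "$line" ;;
    esac
}

# migrate_stream  (hypothetical helper)
# Filters stdin to stdout through migrate_line. Lines that still use the
# wrapper script are reported on stderr; returns 1 if any were found.
migrate_stream() {
    manual=0
    while IFS= read -r l || [ -n "$l" ]; do
        migrate_line "$l" || {
            manual=1
            echo "manual conversion needed: $l" >&2
        }
    done
    return "$manual"
}
```

Run it as `migrate_stream < pipeline.sh > pipeline.v2.sh` and review the diff before committing; the TLS change listed under "Breaking changes" is not something the script can decide for you.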

Breaking changes

  • Execution mode: The inline scan is now executed in a different way. You need to run the container directly instead of using the old inline_scan.sh wrapper script. This means that you might need to adapt your automations or pipelines to migrate to inline-scan v2.

  • TLS verification: Starting from version 2, you'll need to explicitly pass --sysdig-skip-tls if targeting an on-prem installation with a non-verifiable certificate.