Reordered all the content

README.md

@@ -1,6 +1,21 @@
-# Sysdig Secure Inline Scan Examples
+<div align="center">
 
-This repository contains examples and information about **how to use** [Sysdig Secure inline scan](https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html) in different integrations and use case scenarios.
+# Sysdig Vulnerability Scan Examples
+
+<p align="center">
+  <img alt="Sysdig Logo" src="https://avatars.githubusercontent.com/u/5068817" height="140" />
+  <h3 align="center">Sysdig Vulnerability Scan Examples</h3>
+</p>
+
+| :warning: **As of April 20, 2022, Sysdig offers both a Legacy Scanner engine and the newer Vulnerability Management engine. See the [official documentation](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/new-scanning-engine/#which-engine-is-enabled-now) to understand which engine is enabled into your account.** |
+| --- |
+
+</div>
+
+This repository contains examples and information about using in different integrations and use case scenarios both the:
+
+* [Sysdig Secure inline scan](https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html) - Refered as `old-scan-engine`
+* [Sysdig Pipeline Vulnerability Management engine](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/) - Refered as `new-scan-engine`
 
 Continue reading the public webpage content of this repository here:
 
@@ -15,6 +30,6 @@ If you find a related topic that lacks enough information or some problem with a
 ## More information
 
 * [Sysdig.com](https://sysdig.com)
-* [Sysdig Documentation website - Image Scanning](https://docs.sysdig.com/en/scanning.html)
-* [Image Scanning - Integrate with CI/CD Tools](https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html)
-
+* [Running the CLI scanner](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/#running-the-cli-scanner)
+* [Legacy Scanning engine](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)
+* [Legacy Scanning engine - Integrate with CI/CD Tools](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/integrate-with-cicd-tools/)

docs/index.md

@@ -1,11 +1,117 @@
 ---
-title: Sysdig Secure Inline Scan Examples
+title: Sysdig Vulnerability Scan Examples
 summary: >
   This is not a comprehensive catalog of examples for all integrations available, but a live document where we continually publish more information as we see users need it.
   We do try to keep a list of links to all integrations and other related websites that you may find useful.
 ---
 
-# Common scenarios & recipes
+# Legacy Scanner engine vs Vulnerability Management engine
+
+**As of April 20, 2022, Sysdig offers both a Legacy Scanner engine and the newer Vulnerability Management engine. See the [official documentation](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/new-scanning-engine/#which-engine-is-enabled-now) to understand which engine is enabled into your account.**
+
+- [Vulnerability Management engine common scenarios & recipes](#vulnerability-management-engine-common-scenarios---recipes)
+  * [Download the `sysdig-cli-scanner`](#download-the--sysdig-cli-scanner-)
+  * [Scan local image, built using docker](#scan-local-image--built-using-docker)
+  * [Local image (provided docker archive)](#local-image--provided-docker-archive-)
+  * [Public registry image](#public-registry-image)
+  * [Private registry image](#private-registry-image)
+  * [Containers-storage (cri-o, podman, buildah and others)](#containers-storage--cri-o--podman--buildah-and-others-)
+- [Legacy Scanner engine common scenarios & recipes](#legacy-scanner-engine-common-scenarios---recipes)
+  * [Scan local image, built using docker](#scan-local-image--built-using-docker-1)
+  * [Local image (provided docker archive)](#local-image--provided-docker-archive--1)
+  * [Public registry image](#public-registry-image-1)
+  * [Private registry image](#private-registry-image-1)
+  * [Containers-storage (cri-o, podman, buildah and others)](#containers-storage--cri-o--podman--buildah-and-others--1)
+  * [Using a proxy](#using-a-proxy)
+- [Other integrations and examples](#other-integrations-and-examples)
+  * [Vulneratbility Management Engine (new scan engine)](#vulneratbility-management-engine--new-scan-engine-)
+  * [Legacy Scanner Engine (old scan engine)](#legacy-scanner-engine--old-scan-engine-)
+- [Other sources of information](#other-sources-of-information)
+  * [Integrations](#integrations)
+  * [Documentation pages](#documentation-pages)
+  * [Blog articles](#blog-articles)
+- [Contributing](#contributing)
+
+# Vulnerability Management engine common scenarios & recipes
+
+## Download the `sysdig-cli-scanner`
+
+Linux or MacOS:
+
+```
+curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/$(uname -s | tr '[:upper:]' '[:lower:]')/amd64/sysdig-cli-scanner"
+```
+
+Set the executable flag on the file:
+
+```
+chmod +x ./sysdig-cli-scanner
+```
+
+You only need to download and set executable once. Then you can scan images by running the `sysdig-cli-scanner` command:
+
+```
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> <image-name>
+```
+
+## Scan local image, built using docker
+
+```
+# Build the image locally
+docker build -t <image-name> .
+
+# Scan the image, available on local docker
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> docker://<image-name>
+```
+
+## Local image (provided docker archive)
+
+Assuming the image `<image-name>` is available as an image tarball at `image.tar`.
+
+For example, the command `docker save <image-name> -o image.tar` creates a tarball for `<image-name>`.
+
+```
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> file://tmp/image.tar
+```
+
+## Public registry image
+
+Example: scan `alpine` image from public registry. The scanner will pull and scan it.
+
+```
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> pull://alpine
+```
+
+## Private registry image
+
+To scan images from private registries, you might need to provide credentials:
+
+```
+$ REGISTRY_USER=<YOUR_REGISTRY_USERNAME> REGISTRY_PASSWORD=<YOUR_REGISTRY_PASSWORD> SECURE_API_TOKEN=<YOUR_API_TOKEN> ./sysdig-cli-scanner --apiurl https://secure.sysdig.com ${REPO_NAME}/${IMAGE_NAME}
+```
+
+## Containers-storage (cri-o, podman, buildah and others)
+
+Scan images from container runtimes using containers-storage format:
+
+```
+# Build an image using buildah from a Dockerfile
+buildah build-using-dockerfile -t myimage:latest
+
+# Scan the image
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> crio://localhost/myimage:latest
+```
+
+Example for an image pulled with podman
+
+```
+podman pull docker.io/library/alpine
+
+#Scan the image
+SECURE_API_TOKEN=<your-api-token> ./sysdig-cli-scanner --apiurl <sysdig-api-url> podman://docker.io/library/alpine
+```
+
+# Legacy Scanner engine common scenarios & recipes
 
 ## Scan local image, built using docker
 
@@ -130,41 +236,46 @@ The `no_proxy` variable can be used to define a list of hosts that don't use the
 
 In this [repository](https://github.com/sysdiglabs/secure-inline-scan-examples/) you can find the following examples in alphabetical order:
 
-* [AWS Codebuild](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/new-scan-engine/aws-codebuild)
-* [Azure Pipelines (New scan engine)](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/azure-pipelines)
-* [Google Cloud Build](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/google-cloud-build)
-* [Jenkins](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins)
-  * [Scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-scan-from-repo)
-  * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-and-scan)
-  * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-build-push-scan-from-repo)
-  * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/jenkins-openshift-internal-registry)
-* GitLab with the [new scan engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/new-scan-engine), or using the [legacy engine](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/old-scan-engine)
-* [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github)
-* [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton)
-  * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/alpha)
-  * [Tekton beta API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/beta)
-* Unprivileged Docker
-  * [Scan from local build](https://github.com/sysdiglabs/secure-inline-scan-examples/blob/main/unprivileged-docker/localbuild_scan.sh)
-  * [Scan from registry](https://github.com/sysdiglabs/secure-inline-scan-examples/blob/main/unprivileged-docker/registry_scan.sh)
+## Vulneratbility Management Engine (new scan engine)
+
+* [AWS Codebuild](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/aws-codebuild/new-scan-engine)
+* [Azure Pipelines](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/azure-pipelines/new-scan-engine)
+* [GitLab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/new-scan-engine)
+* [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github/new-scan-engine)
+* [Jenkins](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/new-scan-engine)
+
+
+## Legacy Scanner Engine (old scan engine)
+
+* [Azure Pipelines](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/azure-pipelines/old-scan-engine)
+* [GitLab](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/gitlab/old-scan-engine)
+* [GitHub](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/github/old-scan-engine)
+* [Google Cloud Build](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/google-cloud-build/old-scan-engine)
+* [Jenkins](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/old-scan-engine)
+  * [Scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/old-scan-engine/jenkins-scan-from-repo)
+  * [Build and scan](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/old-scan-engine/jenkins-build-and-scan)
+  * [Build, push and scan from repository](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/old-scan-engine/jenkins-build-push-scan-from-repo)
+  * [Build, push and scan using Openshift internal registry](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/jenkins/old-scan-engine/jenkins-openshift-internal-registry)
+* [Tekton](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/old-scan-engine)
+  * [Tekton alpha API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/old-scan-engine/alpha)
+  * [Tekton beta API](https://github.com/sysdiglabs/secure-inline-scan-examples/tree/main/tekton/old-scan-engine/beta)
+* [Unprivileged Docker](https://github.com/sysdiglabs/secure-inline-scan-examples/blob/main/unprivileged-docker/old-scan-engine)
+  * [Scan from local build](https://github.com/sysdiglabs/secure-inline-scan-examples/blob/main/unprivileged-docker/old-scan-engine/localbuild_scan.sh)
+  * [Scan from registry](https://github.com/sysdiglabs/secure-inline-scan-examples/blob/main/unprivileged-docker/old-scan-engine/registry_scan.sh)
 
 # Other sources of information
 
-The following content is related to inline scanning, and lives outside this repository.
-
 ## Integrations
 
 These integrations have a specific entry in their respective CI/CD catalogs:
 
-  * [Jenkins plugin](https://plugins.jenkins.io/sysdig-secure/)
-  * [GitHub Action](https://github.com/marketplace/actions/sysdig-secure-inline-scan)
+  * [Jenkins plugin (both new and old scan engines)](https://plugins.jenkins.io/sysdig-secure/)
+  * [GitHub Action (old scan engine)](https://github.com/marketplace/actions/sysdig-secure-inline-scan)
 
 ## Documentation pages
 
-Official documentation pages must be current to the features provided by the inline scanner, but their explanations may be brief:
-
-* [CI/CD and Registry Scanning with Runtime Vulnerability Reporting](https://sysdig.com/products/secure/image-scanning/) (main Sysdig web page)
-* [Image Scanning](https://docs.sysdig.com/en/scanning.html) (Sysdig Documentation website)
-* [Image Scanning - Integrate with CI/CD Tools](https://docs.sysdig.com/en/integrate-with-ci-cd-tools.html)
+* [Sysdig - Vulnerability Management](https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/)
+* [Sysdig - Scanning (Legacy)](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)
 
 ## Blog articles
 
@@ -181,7 +292,7 @@ Blog articles contain detailed step by step information, but may be out of date
 * [Image Scanning with Github Actions](https://sysdig.com/blog/image-scanning-github-actions/) <nobr>📅 2020-01-14</nobr>
 * [AWS ECR Scanning with Sysdig Secure](https://sysdig.com/blog/aws-ecr-scanning/) <nobr>📅 2019-11-26</nobr>
 * [Inline Image Scanning for AWS CodePipeline and AWS CodeBuild](https://sysdig.com/blog/image-scanning-aws-codepipeline-codebuild/) <nobr>📅 2019-11-26</nobr>
-* [Image scanning for Azure Pipelines](https://sysdig.com/blog/image-scanning-azure-pipelines/) <nobr>📅 2019-10-29
+* [Image scanning for Azure Pipelines](https://sysdig.com/blog/image-scanning-azure-pipelines/) <nobr>📅 2022-09-19</nobr>
 * [Docker scanning for Jenkins CI/CD security with the Sysdig Secure plugin](https://sysdig.com/blog/docker-scanning-jenkins/) <nobr>📅 2018-09-05</nobr>
 
 # Contributing

github/old-scan-engine/README.md

@@ -0,0 +1,17 @@
+# GitHub CI Demo
+
+In this demo we will use GitHub actions to build, scan and push a container image.
+
+The workflow is based on the [sysdiglabs/dummy-vuln-app](https://github.com/sysdiglabs/dummy-vuln-app) application and and uses the [Sysdiglabs/scan-action](https://github.com/sysdiglabs/scan-action) GitHub action to scan it.
+
+The workflow is as follows:
+
+1. Build the container image and store it locally
+2. Perform the scan using the [Sysdiglabs/scan-action](https://github.com/sysdiglabs/scan-action)
+3. Upload a SARIF report
+
+## Setup
+
+It is required to create a repository secret to store the Sysdig Token:
+
+* `SYSDIG_SECURE_TOKEN`: Sysdig Token

github/old-scan-engine/sysdig_buildscan.yaml

@@ -0,0 +1,33 @@
+ame: Sysdig - Build, scan and push Docker Image
+
+on: [push, repository_dispatch]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag sysdiglabs/dummy-vuln-app:latest
+
+    - name: Sysdig Secure Inline Scan
+      id: scan
+      uses: sysdiglabs/scan-action@v3
+      with:
+        # Tag of the image to analyse
+        image-tag: "sysdiglabs/dummy-vuln-app:latest"
+        # API token for Sysdig Scanning auth
+        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
+        dockerfile-path: ./Dockerfile
+        input-type: docker-daemon
+        run-as-user: root
+        ignore-failed-scan: true
+
+    - uses: github/codeql-action/upload-sarif@v1
+      if: always()
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarifReport }}