Sysdig Secure Connector
The Sysdig connector ingests container-image vulnerability data from Sysdig Secure into the Context Catalog. It runs through the ibdm binary in one of two modes:
- Sync — pull-based: queries the Sysdig SysQL API for all image vulnerabilities and exits.
- Run — push-based: exposes a webhook endpoint that receives pipeline scan failure notifications, calls the Sysdig Vulnerability API to retrieve the full result, and forwards each vulnerability to the Catalog.
Commands
```
ibdm sync sysdig --mapping-file <path to mapping file or folder>
ibdm run sysdig --mapping-file <path to mapping file or folder>
```
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| SYSDIG_URL | Sync | (empty) | Base URL of the Sysdig Secure instance (e.g. https://secure.sysdig.com). |
| SYSDIG_API_TOKEN | Sync | (empty) | API bearer token for the SysQL API. |
| SYSDIG_HTTP_TIMEOUT | No | 30s | HTTP request timeout (Go duration). |
| SYSDIG_PAGE_SIZE | No | 1000 | Items per SysQL query page (1–1000). |
| SYSDIG_BASE_URL | Run | (empty) | Base URL of the Sysdig Vulnerability API for the account's region (see below). |
| SYSDIG_BEARER_TOKEN | Run | (empty) | Bearer token for the Vulnerability API. |
| SYSDIG_WEBHOOK_URL | No | /sysdig/webhook | HTTP path for inbound webhook events. |
Region base URLs
SYSDIG_BASE_URL must match the region of your Sysdig account:
| Region | Base URL |
|---|---|
| US East | https://app.sysdigcloud.com |
| US West | https://us2.app.sysdig.com |
| EU | https://eu1.app.sysdig.com |
| AP (Australia) | https://app.au1.sysdig.com |
Authentication
- Sync — authenticates with the SysQL API via `Authorization: Bearer <SYSDIG_API_TOKEN>`.
- Run — authenticates with the Vulnerability API via `Authorization: Bearer <SYSDIG_BEARER_TOKEN>` on every enrichment request.
Inbound webhooks from Sysdig carry no signature, so no shared secret is required on the listener.
Supported data types
| Type | Sync | Webhook |
|---|---|---|
| vulnerability | ✅ | ✅ |
Webhook events
ibdm processes Sysdig webhook notifications whose `event.id` or `event.eventData.name` is `Pipeline Failure Alerts`. All other events are silently ignored.
| Event | Produces |
|---|---|
| Pipeline Failure Alerts | one vulnerability upsert per vulnerability in the scan |
When a matching notification arrives, the source:
- Extracts the result ID from the `event.url` field (the segment between `results/` and `/overview`).
- Calls `GET /secure/vulnerability/v1beta1/results/{resultId}` on `SYSDIG_BASE_URL` to retrieve the full scan result.
- Skips the result if `result.type` is not `dockerImage` or `result.policyEvaluationsResult` is not `failed`.
- Emits one `vulnerability` upsert per vulnerability entry, with the structure:

```json
{
  "vuln": { "<full vulnerability object>": "..." },
  "img": { "imageReference": "<pullString>" }
}
```
The event timestamp is derived from the notification's timestamp field (microseconds, converted to milliseconds).
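The Go program below is an added example that walks the Run-mode flow end to end; it is not the connector's own implementation. It filters on `event.id` / `event.eventData.name`, extracts the result ID from `event.url`, fetches `/secure/vulnerability/v1beta1/results/{resultId}` with the bearer token, skips results that are not failed `dockerImage` scans, emits one upsert per vulnerability in the documented `vuln` / `img.imageReference` shape, and converts the microsecond timestamp to milliseconds. Because the inbound webhook is unsigned, the example treats `event.url` as untrusted and only accepts a result ID drawn from a conservative character set before placing it in the outbound path; that alphabet, the `vulnerabilities` array name on the result object, and the local `httptest` server standing in for the Vulnerability API are assumptions of this example, and the sample notification, result and CVE identifiers are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Notification holds the webhook fields the page names: timestamp (microseconds),
// event.id, event.url and event.eventData.name.
type Notification struct {
	Timestamp int64 `json:"timestamp"`
	Event     struct {
		ID        string `json:"id"`
		URL       string `json:"url"`
		EventData struct{ Name string `json:"name"` } `json:"eventData"`
	} `json:"event"`
}

// ScanResult models the Vulnerability API result; "type", "policyEvaluationsResult" and
// "pullString" are from the page, the "vulnerabilities" array name is this example's assumption.
type ScanResult struct {
	Type                    string            `json:"type"`
	PolicyEvaluationsResult string            `json:"policyEvaluationsResult"`
	PullString              string            `json:"pullString"`
	Vulnerabilities         []json.RawMessage `json:"vulnerabilities"`
}

// Upsert is one emitted vulnerability record in the documented shape.
type Upsert struct {
	Vuln        json.RawMessage                                  `json:"vuln"`
	Img         struct{ ImageReference string `json:"imageReference"` } `json:"img"`
	TimestampMs int64                                            `json:"-"` // notification timestamp, ms
}

const pipelineFailure = "Pipeline Failure Alerts"

// The webhook is unsigned, so event.url is untrusted: accept only a conservative
// ID alphabet (assumed) before the value is placed in the outbound request path.
var resultIDRe = regexp.MustCompile(`results/([A-Za-z0-9_-]+)/overview`)

// extractResultID returns the segment between "results/" and "/overview".
func extractResultID(eventURL string) (string, error) {
	if m := resultIDRe.FindStringSubmatch(eventURL); m != nil {
		return m[1], nil
	}
	return "", fmt.Errorf("no usable result id in event url %q", eventURL)
}

// processNotification runs the Run-mode flow for one webhook body and returns
// the upserts that would be forwarded to the Catalog.
func processNotification(body []byte, baseURL, token string, client *http.Client) ([]Upsert, error) {
	var n Notification
	if err := json.Unmarshal(body, &n); err != nil {
		return nil, err
	}
	if n.Event.ID != pipelineFailure && n.Event.EventData.Name != pipelineFailure {
		return nil, nil // every other event is ignored
	}
	id, err := extractResultID(n.Event.URL)
	if err != nil {
		return nil, err
	}
	req, _ := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+"/secure/vulnerability/v1beta1/results/"+id, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var r ScanResult
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vulnerability api returned %d", resp.StatusCode)
	} else if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, err
	}
	if r.Type != "dockerImage" || r.PolicyEvaluationsResult != "failed" {
		return nil, nil // not a failed image scan: skip
	}
	out := make([]Upsert, 0, len(r.Vulnerabilities))
	for _, v := range r.Vulnerabilities {
		u := Upsert{Vuln: v, TimestampMs: n.Timestamp / 1000} // microseconds -> milliseconds
		u.Img.ImageReference = r.PullString
		out = append(out, u)
	}
	return out, nil
}

// Constructed stand-in result; the CVE ids are placeholders, not real findings.
const sampleResult = `{"type":"dockerImage","policyEvaluationsResult":"failed","pullString":"registry.example.com/app:v1.0.0",
"vulnerabilities":[{"name":"CVE-0000-0001","severity":"High"},{"name":"CVE-0000-0002","severity":"Low"}]}`

// RunSample serves sampleResult from a local fake API that checks the bearer
// token, then feeds a constructed notification through processNotification.
func RunSample() ([]Upsert, error) {
	const token = "example-token"
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token || !strings.HasPrefix(r.URL.Path, "/secure/vulnerability/v1beta1/results/") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, sampleResult)
	}))
	defer srv.Close()
	body := []byte(`{"timestamp":1700000000123456,"event":{"id":"Pipeline Failure Alerts",
"url":"https://app.sysdigcloud.com/secure/#/vulnerabilities/pipeline/results/abc123/overview","eventData":{"name":"Pipeline Failure Alerts"}}}`)
	return processNotification(body, srv.URL, token, srv.Client())
}

func main() {
	ups, err := RunSample()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d upserts, first: %s image=%s ts=%d\n", len(ups), ups[0].Vuln, ups[0].Img.ImageReference, ups[0].TimestampMs)
}
```

Two points the listing makes concrete: the only value taken from the unsigned notification that reaches an outbound request is the result ID, and that ID is validated before use, so a forged event can at most cause the connector to fetch a result it is already authorised to read; and the `vuln` object is passed through as raw JSON, so the `.vuln` fields available in the mapping context are exactly what the Vulnerability API returned.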
Data structure
Each vulnerability item — emitted by both modes — exposes the same fields in the mapping context:
- `.vuln` — full vulnerability object (name, severity, CVSS score, dates, exploitability, …).
- `.img.imageReference` — container image pull string (e.g. `registry.example.com/app:v1.0.0`).