Introduction to Sysdig Secure

Sysdig Secure is a container security platform that provides runtime security, vulnerability management, and compliance monitoring. This guide covers integrating Sysdig Secure into Java applications for comprehensive container security.

System Architecture Overview

Sysdig Secure Integration Pipeline
├── Runtime Security
│   ├ - Falco Rule Engine
│   ├ - System Call Monitoring
│   ├ - Network Security
│   └ - File Integrity Monitoring
├── Vulnerability Management
│   ├ - Image Scanning
│   ├ - Registry Integration
│   ├ - CI/CD Pipeline Scanning
│   └ - Runtime Vulnerability Detection
├── Compliance & Audit
│   ├ - Policy Enforcement
│   ├ - Compliance Frameworks
│   ├ - Audit Logging
│   └ - Reporting
└── Incident Response
├ - Alert Management
├ - Forensics Analysis
├ - Container Drift Detection
└ - Automated Response

Core Implementation

1. Maven Dependencies

<properties>
<sysdig.java.version>1.0.0</sysdig.java.version>
<okhttp.version>4.11.0</okhttp.version>
<jackson.version>2.15.2</jackson.version>
<spring.boot.version>2.7.0</spring.boot.version>
<docker.java.version>3.3.0</docker.java.version>
</properties>
<dependencies>
<!-- Sysdig Java Client -->
<dependency>
<groupId>com.sysdig</groupId>
<artifactId>sysdig-secure-java-client</artifactId>
<version>${sysdig.java.version}</version>
</dependency>
<!-- HTTP Client -->
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp</artifactId>
<version>${okhttp.version}</version>
</dependency>
<!-- JSON Processing -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
<!-- Spring Boot -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${spring.boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>${spring.boot.version}</version>
</dependency>
<!-- Docker Java API -->
<dependency>
<groupId>com.github.docker-java</groupId>
<artifactId>docker-java</artifactId>
<version>${docker.java.version}</version>
</dependency>
<!-- Kubernetes Client -->
<dependency>
<groupId>io.kubernetes</groupId>
<artifactId>client-java</artifactId>
<version>17.0.0</version>
</dependency>
<!-- Metrics & Monitoring -->
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-core</artifactId>
<version>1.10.0</version>
</dependency>
<!-- Security -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${spring.boot.version}</version>
</dependency>
</dependencies>

2. Configuration Classes

package com.example.sysdig.config;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
import java.util.Arrays;
import java.util.List;
@Component
@ConfigurationProperties(prefix = "sysdig.secure")
public class SysdigConfig {
private boolean enabled = true;
private String apiUrl = "https://secure.sysdig.com";
private String apiToken;
private String agentHost = "localhost";
private int agentPort = 7760;
// Scanning configuration
private boolean imageScanningEnabled = true;
private boolean runtimeSecurityEnabled = true;
private boolean complianceMonitoringEnabled = true;
private boolean vulnerabilityScanningEnabled = true;
// Scanning policies
private List<String> scanPolicies = Arrays.asList("default");
private String failOnSeverity = "high"; // none, low, medium, high, critical
private boolean failOnFixable = false;
private int scanTimeout = 300; // seconds
// Runtime security
private boolean falcoEnabled = true;
private String falcoRulesFile = "/etc/falco/falco_rules.yaml";
private List<String> customFalcoRules = Arrays.asList();
private boolean networkSecurityEnabled = true;
private boolean fileIntegrityMonitoring = true;
// Alerting
private boolean slackEnabled = false;
private String slackWebhookUrl;
private boolean emailEnabled = false;
private String emailRecipients;
private boolean pagerDutyEnabled = false;
private String pagerDutyIntegrationKey;
// Compliance
private List<String> complianceFrameworks = Arrays.asList("PCI-DSS", "HIPAA", "NIST-800-53");
private boolean autoRemediation = false;
// Logging
private boolean auditLogging = true;
private String logLevel = "INFO";
private String logFormat = "json";
// Getters and setters
public boolean isEnabled() { return enabled; }
public void setEnabled(boolean enabled) { this.enabled = enabled; }
public String getApiUrl() { return apiUrl; }
public void setApiUrl(String apiUrl) { this.apiUrl = apiUrl; }
public String getApiToken() { return apiToken; }
public void setApiToken(String apiToken) { this.apiToken = apiToken; }
public String getAgentHost() { return agentHost; }
public void setAgentHost(String agentHost) { this.agentHost = agentHost; }
public int getAgentPort() { return agentPort; }
public void setAgentPort(int agentPort) { this.agentPort = agentPort; }
public boolean isImageScanningEnabled() { return imageScanningEnabled; }
public void setImageScanningEnabled(boolean imageScanningEnabled) { this.imageScanningEnabled = imageScanningEnabled; }
public boolean isRuntimeSecurityEnabled() { return runtimeSecurityEnabled; }
public void setRuntimeSecurityEnabled(boolean runtimeSecurityEnabled) { this.runtimeSecurityEnabled = runtimeSecurityEnabled; }
public boolean isComplianceMonitoringEnabled() { return complianceMonitoringEnabled; }
public void setComplianceMonitoringEnabled(boolean complianceMonitoringEnabled) { this.complianceMonitoringEnabled = complianceMonitoringEnabled; }
public boolean isVulnerabilityScanningEnabled() { return vulnerabilityScanningEnabled; }
public void setVulnerabilityScanningEnabled(boolean vulnerabilityScanningEnabled) { this.vulnerabilityScanningEnabled = vulnerabilityScanningEnabled; }
public List<String> getScanPolicies() { return scanPolicies; }
public void setScanPolicies(List<String> scanPolicies) { this.scanPolicies = scanPolicies; }
public String getFailOnSeverity() { return failOnSeverity; }
public void setFailOnSeverity(String failOnSeverity) { this.failOnSeverity = failOnSeverity; }
public boolean isFailOnFixable() { return failOnFixable; }
public void setFailOnFixable(boolean failOnFixable) { this.failOnFixable = failOnFixable; }
public int getScanTimeout() { return scanTimeout; }
public void setScanTimeout(int scanTimeout) { this.scanTimeout = scanTimeout; }
public boolean isFalcoEnabled() { return falcoEnabled; }
public void setFalcoEnabled(boolean falcoEnabled) { this.falcoEnabled = falcoEnabled; }
public String getFalcoRulesFile() { return falcoRulesFile; }
public void setFalcoRulesFile(String falcoRulesFile) { this.falcoRulesFile = falcoRulesFile; }
public List<String> getCustomFalcoRules() { return customFalcoRules; }
public void setCustomFalcoRules(List<String> customFalcoRules) { this.customFalcoRules = customFalcoRules; }
public boolean isNetworkSecurityEnabled() { return networkSecurityEnabled; }
public void setNetworkSecurityEnabled(boolean networkSecurityEnabled) { this.networkSecurityEnabled = networkSecurityEnabled; }
public boolean isFileIntegrityMonitoring() { return fileIntegrityMonitoring; }
public void setFileIntegrityMonitoring(boolean fileIntegrityMonitoring) { this.fileIntegrityMonitoring = fileIntegrityMonitoring; }
public boolean isSlackEnabled() { return slackEnabled; }
public void setSlackEnabled(boolean slackEnabled) { this.slackEnabled = slackEnabled; }
public String getSlackWebhookUrl() { return slackWebhookUrl; }
public void setSlackWebhookUrl(String slackWebhookUrl) { this.slackWebhookUrl = slackWebhookUrl; }
public boolean isEmailEnabled() { return emailEnabled; }
public void setEmailEnabled(boolean emailEnabled) { this.emailEnabled = emailEnabled; }
public String getEmailRecipients() { return emailRecipients; }
public void setEmailRecipients(String emailRecipients) { this.emailRecipients = emailRecipients; }
public boolean isPagerDutyEnabled() { return pagerDutyEnabled; }
public void setPagerDutyEnabled(boolean pagerDutyEnabled) { this.pagerDutyEnabled = pagerDutyEnabled; }
public String getPagerDutyIntegrationKey() { return pagerDutyIntegrationKey; }
public void setPagerDutyIntegrationKey(String pagerDutyIntegrationKey) { this.pagerDutyIntegrationKey = pagerDutyIntegrationKey; }
public List<String> getComplianceFrameworks() { return complianceFrameworks; }
public void setComplianceFrameworks(List<String> complianceFrameworks) { this.complianceFrameworks = complianceFrameworks; }
public boolean isAutoRemediation() { return autoRemediation; }
public void setAutoRemediation(boolean autoRemediation) { this.autoRemediation = autoRemediation; }
public boolean isAuditLogging() { return auditLogging; }
public void setAuditLogging(boolean auditLogging) { this.auditLogging = auditLogging; }
public String getLogLevel() { return logLevel; }
public void setLogLevel(String logLevel) { this.logLevel = logLevel; }
public String getLogFormat() { return logFormat; }
public void setLogFormat(String logFormat) { this.logFormat = logFormat; }
}

3. Sysdig API Client

package com.example.sysdig.client;
import com.fasterxml.jackson.databind.ObjectMapper;
import okhttp3.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import java.io.IOException;
import java.util.List;
import java.util.concurrent.TimeUnit;
@Component
public class SysdigApiClient {
private static final Logger logger = LoggerFactory.getLogger(SysdigApiClient.class);
private final OkHttpClient client;
private final ObjectMapper objectMapper;
@Value("${sysdig.secure.api-url}")
private String apiUrl;
@Value("${sysdig.secure.api-token}")
private String apiToken;
public SysdigApiClient() {
this.client = new OkHttpClient.Builder()
.connectTimeout(30, TimeUnit.SECONDS)
.readTimeout(60, TimeUnit.SECONDS)
.writeTimeout(30, TimeUnit.SECONDS)
.build();
this.objectMapper = new ObjectMapper();
}
/**
* Scan container image for vulnerabilities
*/
public ImageScanResult scanImage(String imageName, ScanOptions options) throws IOException {
String url = apiUrl + "/api/scanning/v1/images/" + encodeImageName(imageName);
Request request = new Request.Builder()
.url(url)
.addHeader("Authorization", "Bearer " + apiToken)
.addHeader("Content-Type", "application/json")
.post(RequestBody.create(
objectMapper.writeValueAsString(options), 
MediaType.get("application/json")
))
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Scan failed: " + response.code() + " - " + response.message());
}
return objectMapper.readValue(response.body().string(), ImageScanResult.class);
}
}
/**
* Get vulnerability assessment for image
*/
public VulnerabilityReport getVulnerabilityReport(String imageDigest) throws IOException {
String url = apiUrl + "/api/scanning/v1/images/" + imageDigest + "/vuln";
Request request = new Request.Builder()
.url(url)
.addHeader("Authorization", "Bearer " + apiToken)
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Failed to get vulnerability report: " + response.code());
}
return objectMapper.readValue(response.body().string(), VulnerabilityReport.class);
}
}
/**
* Get runtime security events
*/
public List<SecurityEvent> getSecurityEvents(EventFilter filter) throws IOException {
HttpUrl.Builder urlBuilder = HttpUrl.parse(apiUrl + "/api/secure/v1/events").newBuilder();
if (filter != null) {
if (filter.getFrom() != null) {
urlBuilder.addQueryParameter("from", filter.getFrom().toString());
}
if (filter.getTo() != null) {
urlBuilder.addQueryParameter("to", filter.getTo().toString());
}
if (filter.getSeverity() != null) {
urlBuilder.addQueryParameter("severity", filter.getSeverity());
}
}
Request request = new Request.Builder()
.url(urlBuilder.build())
.addHeader("Authorization", "Bearer " + apiToken)
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Failed to get security events: " + response.code());
}
return objectMapper.readValue(
response.body().string(),
objectMapper.getTypeFactory().constructCollectionType(List.class, SecurityEvent.class)
);
}
}
/**
* Create custom Falco rule
*/
public void createCustomRule(FalcoRule rule) throws IOException {
Request request = new Request.Builder()
.url(apiUrl + "/api/secure/v1/rules")
.addHeader("Authorization", "Bearer " + apiToken)
.addHeader("Content-Type", "application/json")
.post(RequestBody.create(
objectMapper.writeValueAsString(rule),
MediaType.get("application/json")
))
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Failed to create rule: " + response.code());
}
}
}
/**
* Get compliance status
*/
public ComplianceReport getComplianceReport(String framework) throws IOException {
String url = apiUrl + "/api/secure/v1/compliance/" + framework;
Request request = new Request.Builder()
.url(url)
.addHeader("Authorization", "Bearer " + apiToken)
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Failed to get compliance report: " + response.code());
}
return objectMapper.readValue(response.body().string(), ComplianceReport.class);
}
}
/**
* Get container runtime information
*/
public ContainerInfo getContainerInfo(String containerId) throws IOException {
String url = apiUrl + "/api/secure/v1/containers/" + containerId;
Request request = new Request.Builder()
.url(url)
.addHeader("Authorization", "Bearer " + apiToken)
.build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new IOException("Failed to get container info: " + response.code());
}
return objectMapper.readValue(response.body().string(), ContainerInfo.class);
}
}
private String encodeImageName(String imageName) {
return imageName.replace("/", "%2F").replace(":", "%3A");
}
// Data models
public static class ImageScanResult {
private String imageId;
private String digest;
private ScanStatus status;
private List<Vulnerability> vulnerabilities;
private ComplianceCheck compliance;
private Date scanDate;
// Getters and setters
public String getImageId() { return imageId; }
public void setImageId(String imageId) { this.imageId = imageId; }
public String getDigest() { return digest; }
public void setDigest(String digest) { this.digest = digest; }
public ScanStatus getStatus() { return status; }
public void setStatus(ScanStatus status) { this.status = status; }
public List<Vulnerability> getVulnerabilities() { return vulnerabilities; }
public void setVulnerabilities(List<Vulnerability> vulnerabilities) { this.vulnerabilities = vulnerabilities; }
public ComplianceCheck getCompliance() { return compliance; }
public void setCompliance(ComplianceCheck compliance) { this.compliance = compliance; }
public Date getScanDate() { return scanDate; }
public void setScanDate(Date scanDate) { this.scanDate = scanDate; }
}
public static class VulnerabilityReport {
private String imageDigest;
private int totalVulnerabilities;
private Map<String, Integer> severityCounts;
private List<Vulnerability> vulnerabilities;
private List<Fix> availableFixes;
// Getters and setters
public String getImageDigest() { return imageDigest; }
public void setImageDigest(String imageDigest) { this.imageDigest = imageDigest; }
public int getTotalVulnerabilities() { return totalVulnerabilities; }
public void setTotalVulnerabilities(int totalVulnerabilities) { this.totalVulnerabilities = totalVulnerabilities; }
public Map<String, Integer> getSeverityCounts() { return severityCounts; }
public void setSeverityCounts(Map<String, Integer> severityCounts) { this.severityCounts = severityCounts; }
public List<Vulnerability> getVulnerabilities() { return vulnerabilities; }
public void setVulnerabilities(List<Vulnerability> vulnerabilities) { this.vulnerabilities = vulnerabilities; }
public List<Fix> getAvailableFixes() { return availableFixes; }
public void setAvailableFixes(List<Fix> availableFixes) { this.availableFixes = availableFixes; }
}
public static class SecurityEvent {
private String id;
private String name;
private String severity;
private Date timestamp;
private String containerId;
private String imageName;
private String rule;
private Map<String, String> outputFields;
// Getters and setters
public String getId() { return id; }
public void setId(String id) { this.id = id; }
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public Date getTimestamp() { return timestamp; }
public void setTimestamp(Date timestamp) { this.timestamp = timestamp; }
public String getContainerId() { return containerId; }
public void setContainerId(String containerId) { this.containerId = containerId; }
public String getImageName() { return imageName; }
public void setImageName(String imageName) { this.imageName = imageName; }
public String getRule() { return rule; }
public void setRule(String rule) { this.rule = rule; }
public Map<String, String> getOutputFields() { return outputFields; }
public void setOutputFields(Map<String, String> outputFields) { this.outputFields = outputFields; }
}
public static class FalcoRule {
private String name;
private String description;
private String condition;
private String output;
private String priority;
private List<String> tags;
// Getters and setters
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getDescription() { return description; }
public void setDescription(String description) { this.description = description; }
public String getCondition() { return condition; }
public void setCondition(String condition) { this.condition = condition; }
public String getOutput() { return output; }
public void setOutput(String output) { this.output = output; }
public String getPriority() { return priority; }
public void setPriority(String priority) { this.priority = priority; }
public List<String> getTags() { return tags; }
public void setTags(List<String> tags) { this.tags = tags; }
}
public static class ComplianceReport {
private String framework;
private Date assessmentDate;
private double complianceScore;
private List<ComplianceControl> passedControls;
private List<ComplianceControl> failedControls;
private List<ComplianceControl> skippedControls;
// Getters and setters
public String getFramework() { return framework; }
public void setFramework(String framework) { this.framework = framework; }
public Date getAssessmentDate() { return assessmentDate; }
public void setAssessmentDate(Date assessmentDate) { this.assessmentDate = assessmentDate; }
public double getComplianceScore() { return complianceScore; }
public void setComplianceScore(double complianceScore) { this.complianceScore = complianceScore; }
public List<ComplianceControl> getPassedControls() { return passedControls; }
public void setPassedControls(List<ComplianceControl> passedControls) { this.passedControls = passedControls; }
public List<ComplianceControl> getFailedControls() { return failedControls; }
public void setFailedControls(List<ComplianceControl> failedControls) { this.failedControls = failedControls; }
public List<ComplianceControl> getSkippedControls() { return skippedControls; }
public void setSkippedControls(List<ComplianceControl> skippedControls) { this.skippedControls = skippedControls; }
}
public static class ContainerInfo {
private String id;
private String name;
private String image;
private String status;
private Date startTime;
private List<PortMapping> ports;
private List<VolumeMount> volumes;
private Map<String, String> labels;
// Getters and setters
public String getId() { return id; }
public void setId(String id) { this.id = id; }
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getImage() { return image; }
public void setImage(String image) { this.image = image; }
public String getStatus() { return status; }
public void setStatus(String status) { this.status = status; }
public Date getStartTime() { return startTime; }
public void setStartTime(Date startTime) { this.startTime = startTime; }
public List<PortMapping> getPorts() { return ports; }
public void setPorts(List<PortMapping> ports) { this.ports = ports; }
public List<VolumeMount> getVolumes() { return volumes; }
public void setVolumes(List<VolumeMount> volumes) { this.volumes = volumes; }
public Map<String, String> getLabels() { return labels; }
public void setLabels(Map<String, String> labels) { this.labels = labels; }
}
public enum ScanStatus {
PENDING, SCANNING, COMPLETED, FAILED
}
public static class ScanOptions {
private boolean forceScan = false;
private List<String> policies;
private String failOnSeverity;
private boolean includeFixable;
// Getters and setters
public boolean isForceScan() { return forceScan; }
public void setForceScan(boolean forceScan) { this.forceScan = forceScan; }
public List<String> getPolicies() { return policies; }
public void setPolicies(List<String> policies) { this.policies = policies; }
public String getFailOnSeverity() { return failOnSeverity; }
public void setFailOnSeverity(String failOnSeverity) { this.failOnSeverity = failOnSeverity; }
public boolean isIncludeFixable() { return includeFixable; }
public void setIncludeFixable(boolean includeFixable) { this.includeFixable = includeFixable; }
}
public static class EventFilter {
private Date from;
private Date to;
private String severity;
private String containerId;
private String ruleName;
// Getters and setters
public Date getFrom() { return from; }
public void setFrom(Date from) { this.from = from; }
public Date getTo() { return to; }
public void setTo(Date to) { this.to = to; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public String getContainerId() { return containerId; }
public void setContainerId(String containerId) { this.containerId = containerId; }
public String getRuleName() { return ruleName; }
public void setRuleName(String ruleName) { this.ruleName = ruleName; }
}
}

4. Sysdig Security Service

package com.example.sysdig.service;
import com.example.sysdig.client.SysdigApiClient;
import com.example.sysdig.config.SysdigConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.util.stream.Collectors;
@Service
public class SysdigSecurityService {
private static final Logger logger = LoggerFactory.getLogger(SysdigSecurityService.class);
private final SysdigApiClient sysdigClient;
private final SysdigConfig config;
private final AlertService alertService;
private final ComplianceService complianceService;
public SysdigSecurityService(SysdigApiClient sysdigClient,
SysdigConfig config,
AlertService alertService,
ComplianceService complianceService) {
this.sysdigClient = sysdigClient;
this.config = config;
this.alertService = alertService;
this.complianceService = complianceService;
}
/**
* Scan container image for vulnerabilities
*/
public ImageSecurityReport scanContainerImage(String imageName) {
logger.info("Scanning container image: {}", imageName);
try {
SysdigApiClient.ScanOptions options = new SysdigApiClient.ScanOptions();
options.setPolicies(config.getScanPolicies());
options.setFailOnSeverity(config.getFailOnSeverity());
options.setIncludeFixable(config.isFailOnFixable());
SysdigApiClient.ImageScanResult scanResult = sysdigClient.scanImage(imageName, options);
ImageSecurityReport report = new ImageSecurityReport();
report.setImageName(imageName);
report.setScanResult(scanResult);
report.setVulnerabilitySummary(createVulnerabilitySummary(scanResult.getVulnerabilities()));
report.setComplianceStatus(assessCompliance(scanResult.getCompliance()));
report.setRiskScore(calculateRiskScore(scanResult));
// Send alerts if vulnerabilities found
if (!scanResult.getVulnerabilities().isEmpty()) {
alertService.sendVulnerabilityAlert(report);
}
return report;
} catch (Exception e) {
logger.error("Failed to scan image: {}", imageName, e);
throw new RuntimeException("Image scan failed", e);
}
}
/**
* Monitor runtime security events
*/
public RuntimeSecurityReport monitorRuntimeSecurity(MonitoringOptions options) {
logger.info("Monitoring runtime security");
try {
SysdigApiClient.EventFilter filter = new SysdigApiClient.EventFilter();
filter.setFrom(options.getStartTime());
filter.setTo(options.getEndTime());
filter.setSeverity(options.getMinSeverity());
List<SysdigApiClient.SecurityEvent> events = sysdigClient.getSecurityEvents(filter);
RuntimeSecurityReport report = new RuntimeSecurityReport();
report.setMonitoringPeriod(options.getStartTime(), options.getEndTime());
report.setSecurityEvents(events);
report.setEventStatistics(calculateEventStatistics(events));
report.setThreatLevel(assessThreatLevel(events));
// Process critical events
List<SysdigApiClient.SecurityEvent> criticalEvents = filterCriticalEvents(events);
if (!criticalEvents.isEmpty()) {
alertService.sendSecurityAlert(criticalEvents);
triggerIncidentResponse(criticalEvents);
}
return report;
} catch (Exception e) {
logger.error("Runtime security monitoring failed", e);
throw new RuntimeException("Runtime monitoring failed", e);
}
}
/**
* Assess compliance against frameworks
*/
public ComplianceAssessment assessCompliance(List<String> frameworks) {
logger.info("Assessing compliance for frameworks: {}", frameworks);
ComplianceAssessment assessment = new ComplianceAssessment();
assessment.setAssessmentDate(new Date());
assessment.setFrameworks(frameworks);
for (String framework : frameworks) {
try {
SysdigApiClient.ComplianceReport report = sysdigClient.getComplianceReport(framework);
assessment.addFrameworkResult(framework, report);
} catch (Exception e) {
logger.warn("Failed to assess compliance for framework: {}", framework, e);
assessment.addFrameworkError(framework, e.getMessage());
}
}
assessment.setOverallScore(calculateOverallComplianceScore(assessment));
// Generate compliance report
complianceService.generateComplianceReport(assessment);
return assessment;
}
/**
* Create custom security rule
*/
public void createSecurityRule(CustomRule rule) {
logger.info("Creating custom security rule: {}", rule.getName());
try {
SysdigApiClient.FalcoRule falcoRule = convertToFalcoRule(rule);
sysdigClient.createCustomRule(falcoRule);
logger.info("Custom rule created successfully: {}", rule.getName());
} catch (Exception e) {
logger.error("Failed to create custom rule: {}", rule.getName(), e);
throw new RuntimeException("Rule creation failed", e);
}
}
/**
* Perform container forensics analysis
*/
public ForensicsReport analyzeContainerForensics(String containerId) {
logger.info("Performing forensics analysis for container: {}", containerId);
try {
SysdigApiClient.ContainerInfo containerInfo = sysdigClient.getContainerInfo(containerId);
List<SysdigApiClient.SecurityEvent> containerEvents = getContainerSecurityEvents(containerId);
ForensicsReport report = new ForensicsReport();
report.setContainerInfo(containerInfo);
report.setSecurityEvents(containerEvents);
report.setTimeline(reconstructTimeline(containerEvents));
report.setSuspiciousActivities(identifySuspiciousActivities(containerEvents));
report.setRecommendations(generateForensicsRecommendations(report));
return report;
} catch (Exception e) {
logger.error("Forensics analysis failed for container: {}", containerId, e);
throw new RuntimeException("Forensics analysis failed", e);
}
}
/**
* Scan Kubernetes cluster
*/
public ClusterSecurityReport scanKubernetesCluster(String clusterName) {
logger.info("Scanning Kubernetes cluster: {}", clusterName);
ClusterSecurityReport report = new ClusterSecurityReport();
report.setClusterName(clusterName);
report.setScanDate(new Date());
try {
// Scan cluster nodes
report.setNodeSecurity(scanClusterNodes());
// Scan workloads
report.setWorkloadSecurity(scanWorkloads());
// Scan network policies
report.setNetworkSecurity(scanNetworkPolicies());
// Scan RBAC configurations
report.setRbacSecurity(scanRBAC());
report.setOverallScore(calculateClusterSecurityScore(report));
} catch (Exception e) {
logger.error("Kubernetes cluster scan failed: {}", clusterName, e);
report.setError(e.getMessage());
}
return report;
}
/**
* Automated vulnerability remediation
*/
public RemediationReport performAutomatedRemediation(RemediationOptions options) {
if (!config.isAutoRemediation()) {
throw new IllegalStateException("Auto-remediation is disabled");
}
logger.info("Performing automated remediation");
RemediationReport report = new RemediationReport();
report.setStartTime(new Date());
try {
// Identify vulnerable images
List<VulnerableImage> vulnerableImages = identifyVulnerableImages(options);
report.setVulnerableImages(vulnerableImages);
// Apply remediation strategies
for (VulnerableImage image : vulnerableImages) {
RemediationResult result = remediateImage(image, options.getStrategy());
report.addRemediationResult(result);
}
report.setEndTime(new Date());
report.setSuccess(report.getRemediationResults().stream()
.allMatch(RemediationResult::isSuccess));
} catch (Exception e) {
logger.error("Automated remediation failed", e);
report.setError(e.getMessage());
report.setSuccess(false);
}
return report;
}
/**
* Real-time security monitoring
*/
public void startRealTimeMonitoring() {
if (!config.isRuntimeSecurityEnabled()) {
logger.warn("Runtime security monitoring is disabled");
return;
}
logger.info("Starting real-time security monitoring");
CompletableFuture.runAsync(() -> {
while (true) {
try {
MonitoringOptions options = new MonitoringOptions();
options.setStartTime(new Date(System.currentTimeMillis() - 60000)); // Last minute
options.setEndTime(new Date());
options.setMinSeverity("medium");
RuntimeSecurityReport report = monitorRuntimeSecurity(options);
// Log significant events
if (report.getThreatLevel() == ThreatLevel.HIGH || 
report.getThreatLevel() == ThreatLevel.CRITICAL) {
logger.warn("High threat level detected: {}", report.getThreatLevel());
}
Thread.sleep(30000); // Check every 30 seconds
} catch (InterruptedException e) {
Thread.currentThread().interrupt();
break;
} catch (Exception e) {
logger.error("Real-time monitoring error", e);
}
}
});
}
// Helper methods
private VulnerabilitySummary createVulnerabilitySummary(List<Vulnerability> vulnerabilities) {
VulnerabilitySummary summary = new VulnerabilitySummary();
Map<String, Long> severityCounts = vulnerabilities.stream()
.collect(Collectors.groupingBy(Vulnerability::getSeverity, Collectors.counting()));
summary.setCriticalCount(severityCounts.getOrDefault("critical", 0L).intValue());
summary.setHighCount(severityCounts.getOrDefault("high", 0L).intValue());
summary.setMediumCount(severityCounts.getOrDefault("medium", 0L).intValue());
summary.setLowCount(severityCounts.getOrDefault("low", 0L).intValue());
summary.setFixableCount(vulnerabilities.stream()
.filter(Vulnerability::isFixable)
.count());
return summary;
}
private ComplianceStatus assessCompliance(ComplianceCheck compliance) {
// Implementation for compliance assessment
return new ComplianceStatus();
}
private double calculateRiskScore(SysdigApiClient.ImageScanResult scanResult) {
// Implementation for risk score calculation
return 0.0;
}
private EventStatistics calculateEventStatistics(List<SysdigApiClient.SecurityEvent> events) {
EventStatistics stats = new EventStatistics();
stats.setTotalEvents(events.size());
Map<String, Long> severityCounts = events.stream()
.collect(Collectors.groupingBy(SysdigApiClient.SecurityEvent::getSeverity, Collectors.counting()));
stats.setCriticalCount(severityCounts.getOrDefault("critical", 0L).intValue());
stats.setHighCount(severityCounts.getOrDefault("high", 0L).intValue());
stats.setMediumCount(severityCounts.getOrDefault("medium", 0L).intValue());
return stats;
}
private ThreatLevel assessThreatLevel(List<SysdigApiClient.SecurityEvent> events) {
if (events.stream().anyMatch(e -> "critical".equals(e.getSeverity()))) {
return ThreatLevel.CRITICAL;
} else if (events.stream().anyMatch(e -> "high".equals(e.getSeverity()))) {
return ThreatLevel.HIGH;
} else if (events.stream().anyMatch(e -> "medium".equals(e.getSeverity()))) {
return ThreatLevel.MEDIUM;
} else {
return ThreatLevel.LOW;
}
}
private List<SysdigApiClient.SecurityEvent> filterCriticalEvents(List<SysdigApiClient.SecurityEvent> events) {
return events.stream()
.filter(e -> "critical".equals(e.getSeverity()) || "high".equals(e.getSeverity()))
.collect(Collectors.toList());
}
private void triggerIncidentResponse(List<SysdigApiClient.SecurityEvent> criticalEvents) {
// Implementation for incident response
logger.warn("Triggering incident response for {} critical events", criticalEvents.size());
}
private double calculateOverallComplianceScore(ComplianceAssessment assessment) {
// Implementation for compliance score calculation
return 0.0;
}
private SysdigApiClient.FalcoRule convertToFalcoRule(CustomRule rule) {
SysdigApiClient.FalcoRule falcoRule = new SysdigApiClient.FalcoRule();
falcoRule.setName(rule.getName());
falcoRule.setDescription(rule.getDescription());
falcoRule.setCondition(rule.getCondition());
falcoRule.setOutput(rule.getOutput());
falcoRule.setPriority(rule.getPriority().toString());
falcoRule.setTags(rule.getTags());
return falcoRule;
}
// Data models
public static class ImageSecurityReport {
private String imageName;
private SysdigApiClient.ImageScanResult scanResult;
private VulnerabilitySummary vulnerabilitySummary;
private ComplianceStatus complianceStatus;
private double riskScore;
private Date reportDate = new Date();
// Getters and setters
public String getImageName() { return imageName; }
public void setImageName(String imageName) { this.imageName = imageName; }
public SysdigApiClient.ImageScanResult getScanResult() { return scanResult; }
public void setScanResult(SysdigApiClient.ImageScanResult scanResult) { this.scanResult = scanResult; }
public VulnerabilitySummary getVulnerabilitySummary() { return vulnerabilitySummary; }
public void setVulnerabilitySummary(VulnerabilitySummary vulnerabilitySummary) { this.vulnerabilitySummary = vulnerabilitySummary; }
public ComplianceStatus getComplianceStatus() { return complianceStatus; }
public void setComplianceStatus(ComplianceStatus complianceStatus) { this.complianceStatus = complianceStatus; }
public double getRiskScore() { return riskScore; }
public void setRiskScore(double riskScore) { this.riskScore = riskScore; }
public Date getReportDate() { return reportDate; }
public void setReportDate(Date reportDate) { this.reportDate = reportDate; }
}
public static class RuntimeSecurityReport {
private Date startTime;
private Date endTime;
private List<SysdigApiClient.SecurityEvent> securityEvents;
private EventStatistics eventStatistics;
private ThreatLevel threatLevel;
// Getters and setters
public Date getStartTime() { return startTime; }
public void setStartTime(Date startTime) { this.startTime = startTime; }
public void setMonitoringPeriod(Date start, Date end) {
this.startTime = start;
this.endTime = end;
}
public Date getEndTime() { return endTime; }
public void setEndTime(Date endTime) { this.endTime = endTime; }
public List<SysdigApiClient.SecurityEvent> getSecurityEvents() { return securityEvents; }
public void setSecurityEvents(List<SysdigApiClient.SecurityEvent> securityEvents) { this.securityEvents = securityEvents; }
public EventStatistics getEventStatistics() { return eventStatistics; }
public void setEventStatistics(EventStatistics eventStatistics) { this.eventStatistics = eventStatistics; }
public ThreatLevel getThreatLevel() { return threatLevel; }
public void setThreatLevel(ThreatLevel threatLevel) { this.threatLevel = threatLevel; }
}
public static class ComplianceAssessment {
private Date assessmentDate;
private List<String> frameworks;
private Map<String, SysdigApiClient.ComplianceReport> frameworkResults;
private Map<String, String> frameworkErrors;
private double overallScore;
// Getters and setters
public Date getAssessmentDate() { return assessmentDate; }
public void setAssessmentDate(Date assessmentDate) { this.assessmentDate = assessmentDate; }
public List<String> getFrameworks() { return frameworks; }
public void setFrameworks(List<String> frameworks) { this.frameworks = frameworks; }
public Map<String, SysdigApiClient.ComplianceReport> getFrameworkResults() { return frameworkResults; }
public void setFrameworkResults(Map<String, SysdigApiClient.ComplianceReport> frameworkResults) { this.frameworkResults = frameworkResults; }
public void addFrameworkResult(String framework, SysdigApiClient.ComplianceReport report) {
if (frameworkResults == null) {
frameworkResults = new HashMap<>();
}
frameworkResults.put(framework, report);
}
public Map<String, String> getFrameworkErrors() { return frameworkErrors; }
public void setFrameworkErrors(Map<String, String> frameworkErrors) { this.frameworkErrors = frameworkErrors; }
public void addFrameworkError(String framework, String error) {
if (frameworkErrors == null) {
frameworkErrors = new HashMap<>();
}
frameworkErrors.put(framework, error);
}
public double getOverallScore() { return overallScore; }
public void setOverallScore(double overallScore) { this.overallScore = overallScore; }
}
public enum ThreatLevel {
LOW, MEDIUM, HIGH, CRITICAL
}
// Additional data models would be defined here...
}

5. Custom Falco Rules

package com.example.sysdig.rules;
import org.springframework.stereotype.Component;
import java.util.Arrays;
import java.util.List;
@Component
public class CustomFalcoRules {
/**
* Java-specific security rules
*/
public List<FalcoRule> getJavaSecurityRules() {
return Arrays.asList(
createJavaShellExecutionRule(),
createSuspiciousClassLoadingRule(),
createRuntimeExecRule(),
createReflectionAbuseRule(),
createDeserializationRule()
);
}
/**
* Container security rules
*/
public List<FalcoRule> getContainerSecurityRules() {
return Arrays.asList(
createPrivilegedContainerRule(),
createSensitiveMountRule(),
createDockerSocketAccessRule(),
createNetworkModeRule()
);
}
/**
* Kubernetes security rules
*/
public List<FalcoRule> getKubernetesSecurityRules() {
return Arrays.asList(
createPodCreationRule(),
createRoleBindingRule(),
createSecretAccessRule(),
createNamespaceCreationRule()
);
}
private FalcoRule createJavaShellExecutionRule() {
FalcoRule rule = new FalcoRule();
rule.setName("Java Shell Command Execution");
rule.setDescription("Detects shell command execution from Java applications");
rule.setCondition("""
proc.name = java and 
(spawned_process and 
(proc.cmdline contains "sh" or 
proc.cmdline contains "bash" or 
proc.cmdline contains "cmd.exe"))
""");
rule.setOutput("""
Shell command executed from Java process (user=%user.name 
command=%proc.cmdline container=%container.id image=%container.image.repository)
""");
rule.setPriority("WARNING");
rule.setTags(Arrays.asList("java", "shell", "execution"));
return rule;
}
private FalcoRule createSuspiciousClassLoadingRule() {
FalcoRule rule = new FalcoRule();
rule.setName("Suspicious Java Class Loading");
rule.setDescription("Detects loading of potentially malicious Java classes");
rule.setCondition("""
proc.name = java and 
evt.type = open and 
(evt.arg.path contains ".class" and 
(evt.arg.path contains "tomcat" or 
evt.arg.path contains "webapps" or
evt.arg.path contains "/tmp/"))
""");
rule.setOutput("""
Suspicious class loading detected (user=%user.name 
path=%evt.arg.path container=%container.id)
""");
rule.setPriority("ERROR");
rule.setTags(Arrays.asList("java", "classloading", "malicious"));
return rule;
}
private FalcoRule createRuntimeExecRule() {
FalcoRule rule = new FalcoRule();
rule.setName("Java Runtime.exec Detection");
rule.setDescription("Detects use of Runtime.exec in Java applications");
rule.setCondition("""
proc.name = java and 
evt.type = execve and 
proc.aname contains "java" and
not proc.cmdline contains "maven" and
not proc.cmdline contains "gradle"
""");
rule.setOutput("""
Runtime.exec detected in Java application (user=%user.name 
command=%proc.cmdline container=%container.id)
""");
rule.setPriority("NOTICE");
rule.setTags(Arrays.asList("java", "runtime", "exec"));
return rule;
}
private FalcoRule createReflectionAbuseRule() {
FalcoRule rule = new FalcoRule();
rule.setName("Java Reflection Abuse");
rule.setDescription("Detects potential reflection abuse in Java applications");
rule.setCondition("""
proc.name = java and 
evt.type = connect and 
evt.dir = < and 
(fd.name contains "Method.invoke" or 
fd.name contains "Field.setAccessible")
""");
rule.setOutput("""
Potential reflection abuse detected (user=%user.name 
operation=%fd.name container=%container.id)
""");
rule.setPriority("WARNING");
rule.setTags(Arrays.asList("java", "reflection", "security"));
return rule;
}
private FalcoRule createDeserializationRule() {
FalcoRule rule = new FalcoRule();
rule.setName("Java Deserialization Attack");
rule.setDescription("Detects potential Java deserialization attacks");
rule.setCondition("""
proc.name = java and 
evt.type = read and 
(evt.arg.data contains "rO0A" or 
evt.arg.data contains "ACED" or
evt.arg.data contains "java.util")
""");
rule.setOutput("""
Potential deserialization attack detected (user=%user.name 
container=%container.id image=%container.image.repository)
""");
rule.setPriority("ERROR");
rule.setTags(Arrays.asList("java", "deserialization", "exploit"));
return rule;
}
// Container and Kubernetes rules implementation...
public static class FalcoRule {
private String name;
private String description;
private String condition;
private String output;
private String priority;
private List<String> tags;
// Getters and setters
public String getName() { return name; }
public void setName(String name) { this.name = name; }
public String getDescription() { return description; }
public void setDescription(String description) { this.description = description; }
public String getCondition() { return condition; }
public void setCondition(String condition) { this.condition = condition; }
public String getOutput() { return output; }
public void setOutput(String output) { this.output = output; }
public String getPriority() { return priority; }
public void setPriority(String priority) { this.priority = priority; }
public List<String> getTags() { return tags; }
public void setTags(List<String> tags) { this.tags = tags; }
}
}

6. REST API Controllers

package com.example.sysdig.controller;
import com.example.sysdig.service.SysdigSecurityService;
import com.example.sysdig.service.SysdigSecurityService.*;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import java.util.List;
@RestController
@RequestMapping("/api/security")
public class SecurityController {
private final SysdigSecurityService securityService;
private final CustomFalcoRules falcoRules;
public SecurityController(SysdigSecurityService securityService,
CustomFalcoRules falcoRules) {
this.securityService = securityService;
this.falcoRules = falcoRules;
}
@PostMapping("/scan/image")
public ResponseEntity<ImageSecurityReport> scanImage(@RequestParam String imageName) {
try {
ImageSecurityReport report = securityService.scanContainerImage(imageName);
return ResponseEntity.ok(report);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@GetMapping("/runtime/events")
public ResponseEntity<RuntimeSecurityReport> getRuntimeEvents(
@RequestParam(required = false) Long startTime,
@RequestParam(required = false) Long endTime,
@RequestParam(defaultValue = "medium") String minSeverity) {
try {
MonitoringOptions options = new MonitoringOptions();
if (startTime != null) options.setStartTime(new Date(startTime));
if (endTime != null) options.setEndTime(new Date(endTime));
options.setMinSeverity(minSeverity);
RuntimeSecurityReport report = securityService.monitorRuntimeSecurity(options);
return ResponseEntity.ok(report);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@PostMapping("/compliance/assess")
public ResponseEntity<ComplianceAssessment> assessCompliance(
@RequestBody List<String> frameworks) {
try {
ComplianceAssessment assessment = securityService.assessCompliance(frameworks);
return ResponseEntity.ok(assessment);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@PostMapping("/rules/custom")
public ResponseEntity<String> createCustomRule(@RequestBody CustomRule rule) {
try {
securityService.createSecurityRule(rule);
return ResponseEntity.ok("Custom rule created successfully");
} catch (Exception e) {
return ResponseEntity.badRequest().body("Failed to create rule: " + e.getMessage());
}
}
@GetMapping("/rules/java")
public ResponseEntity<List<CustomFalcoRules.FalcoRule>> getJavaSecurityRules() {
try {
List<CustomFalcoRules.FalcoRule> rules = falcoRules.getJavaSecurityRules();
return ResponseEntity.ok(rules);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@PostMapping("/forensics/container/{containerId}")
public ResponseEntity<ForensicsReport> analyzeContainerForensics(
@PathVariable String containerId) {
try {
ForensicsReport report = securityService.analyzeContainerForensics(containerId);
return ResponseEntity.ok(report);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@PostMapping("/cluster/scan")
public ResponseEntity<ClusterSecurityReport> scanKubernetesCluster(
@RequestParam String clusterName) {
try {
ClusterSecurityReport report = securityService.scanKubernetesCluster(clusterName);
return ResponseEntity.ok(report);
} catch (Exception e) {
return ResponseEntity.internalServerError().build();
}
}
@PostMapping("/remediate")
public ResponseEntity<RemediationReport> performRemediation(
@RequestBody RemediationOptions options) {
try {
RemediationReport report = securityService.performAutomatedRemediation(options);
return ResponseEntity.ok(report);
} catch (Exception e) {
return ResponseEntity.badRequest().body(null);
}
}
@PostMapping("/monitoring/start")
public ResponseEntity<String> startRealTimeMonitoring() {
try {
securityService.startRealTimeMonitoring();
return ResponseEntity.ok("Real-time monitoring started");
} catch (Exception e) {
return ResponseEntity.internalServerError().body("Failed to start monitoring");
}
}
@GetMapping("/health")
public ResponseEntity<HealthStatus> healthCheck() {
try {
// Implement health check logic
HealthStatus status = new HealthStatus();
status.setStatus("healthy");
status.setTimestamp(new Date());
return ResponseEntity.ok(status);
} catch (Exception e) {
return ResponseEntity.status(503)
.body(new HealthStatus("unhealthy", e.getMessage()));
}
}
public static class HealthStatus {
private String status;
private String message;
private Date timestamp;
public HealthStatus() {}
public HealthStatus(String status, String message) {
this.status = status;
this.message = message;
this.timestamp = new Date();
}
// Getters and setters
public String getStatus() { return status; }
public void setStatus(String status) { this.status = status; }
public String getMessage() { return message; }
public void setMessage(String message) { this.message = message; }
public Date getTimestamp() { return timestamp; }
public void setTimestamp(Date timestamp) { this.timestamp = timestamp; }
}
}

7. Application Configuration

# application.yml
sysdig:
secure:
enabled: true
api-url: https://secure.sysdig.com
api-token: ${SYSDIG_API_TOKEN}
agent-host: localhost
agent-port: 7760
# Scanning configuration
image-scanning-enabled: true
runtime-security-enabled: true
compliance-monitoring-enabled: true
vulnerability-scanning-enabled: true
# Scanning policies
scan-policies:
- "default"
fail-on-severity: "high"
fail-on-fixable: false
scan-timeout: 300
# Runtime security
falco-enabled: true
falco-rules-file: "/etc/falco/falco_rules.yaml"
custom-falco-rules: []
network-security-enabled: true
file-integrity-monitoring: true
# Alerting
slack-enabled: false
slack-webhook-url: ${SLACK_WEBHOOK_URL}
email-enabled: false
email-recipients: "[email protected]"
pager-duty-enabled: false
pager-duty-integration-key: ${PAGER_DUTY_KEY}
# Compliance
compliance-frameworks:
- "PCI-DSS"
- "HIPAA"
- "NIST-800-53"
auto-remediation: false
# Logging
audit-logging: true
log-level: "INFO"
log-format: "json"
management:
endpoints:
web:
exposure:
include: health,info,metrics,security
endpoint:
security:
enabled: true
logging:
level:
com.example.sysdig: DEBUG

8. CI/CD Integration

GitHub Actions Workflow

# .github/workflows/sysdig-security.yml
name: Sysdig Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
release:
types: [ published ]
jobs:
sysdig-security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build Docker image
run: |
docker build -t myapp:${{ github.sha }} .
- name: Sysdig Image Scan
uses: sysdiglabs/scan-action@v2
with:
image-name: myapp:${{ github.sha }}
sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}
fail-on-severity: high
fail-on-fixable: true
- name: Runtime Security Check
run: |
# Start container with security monitoring
docker run -d --name myapp myapp:${{ github.sha }}
# Run security tests
# Implementation depends on your security requirements
- name: Compliance Check
run: |
# Check compliance against frameworks
curl -X POST ${{ secrets.SECURITY_SERVICE_URL }}/api/security/compliance/assess \
-H "Authorization: Bearer ${{ secrets.API_TOKEN }}" \
-H "Content-Type: application/json" \
-d '["PCI-DSS", "HIPAA"]'

Jenkins Pipeline

// Jenkinsfile
pipeline {
agent any
environment {
SYSDIG_SECURE_TOKEN = credentials('sysdig-secure-token')
SECURITY_SERVICE_URL = 'https://security-service.company.com'
}
stages {
stage('Build') {
steps {
sh 'docker build -t myapp:${BUILD_NUMBER} .'
}
}
stage('Security Scan') {
steps {
sh '''
# Scan image with Sysdig
docker run -v /var/run/docker.sock:/var/run/docker.sock \
sysdig/secure-inline-scan:latest \
--sysdig-url https://secure.sysdig.com \
--sysdig-token ${SYSDIG_SECURE_TOKEN} \
--image-name myapp:${BUILD_NUMBER}
# Check scan results
if [ $? -ne 0 ]; then
echo "Security scan failed!"
exit 1
fi
'''
}
}
stage('Runtime Security') {
steps {
sh '''
# Deploy with security monitoring
docker run -d \
--name myapp-${BUILD_NUMBER} \
--security-opt=no-new-privileges \
myapp:${BUILD_NUMBER}
# Run security tests
# Implementation depends on requirements
'''
}
}
stage('Compliance Check') {
steps {
sh '''
curl -X POST ${SECURITY_SERVICE_URL}/api/security/compliance/assess \
-H "Authorization: Bearer ${API_TOKEN}" \
-H "Content-Type: application/json" \
-d '["PCI-DSS", "NIST-800-53"]'
'''
}
}
}
post {
always {
sh 'docker rm -f myapp-${BUILD_NUMBER} || true'
publishHTML target: [
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'security-report.html',
reportName: 'Security Report'
]
}
failure {
emailext (
subject: "Security Scan Failed - ${env.JOB_NAME}",
body: "Security vulnerabilities detected in ${env.BUILD_URL}",
to: "[email protected]"
)
}
}
}

Best Practices

1. Security Monitoring

@Component
public class SecurityMonitoringService {
@EventListener
public void monitorSpringSecurityEvents(AbstractAuthenticationEvent event) {
// Monitor Spring Security events
SecurityEvent securityEvent = convertToSecurityEvent(event);
sysdigClient.logSecurityEvent(securityEvent);
}
public void monitorDatabaseOperations(String operation, String query) {
// Monitor sensitive database operations
if (isSensitiveOperation(operation, query)) {
SecurityEvent event = createDatabaseSecurityEvent(operation, query);
sysdigClient.logSecurityEvent(event);
}
}
}

2. Incident Response

@Component
public class IncidentResponseService {
public void handleSecurityIncident(SecurityEvent event) {
// Automated incident response
switch (event.getSeverity()) {
case "critical":
isolateContainer(event.getContainerId());
notifySecurityTeam(event);
triggerForensics(event);
break;
case "high":
restrictNetworkAccess(event.getContainerId());
notifySecurityTeam(event);
break;
case "medium":
logIncident(event);
break;
}
}
private void isolateContainer(String containerId) {
// Implementation to isolate container
}
}

Conclusion

This comprehensive Sysdig Secure integration provides:

• Container image scanning for vulnerabilities
• Runtime security monitoring with Falco rules
• Compliance assessment against multiple frameworks
• Custom security rules for Java applications
• Incident response automation
• Kubernetes cluster security scanning
• CI/CD integration with security gates

Key benefits:

• Comprehensive security across build and runtime
• Java-specific security monitoring
• Automated compliance checking
• Real-time threat detection
• Production-ready with proper error handling

This setup ensures robust security monitoring and compliance throughout the container lifecycle, helping organizations maintain secure cloud-native applications.