{"id":90054,"date":"2024-02-06T07:00:00","date_gmt":"2024-02-06T12:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=90054"},"modified":"2025-06-09T11:53:40","modified_gmt":"2025-06-09T09:53:40","slug":"container-runtime-insights-to-prioritize-what-matters-most","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/container-runtime-insights-to-prioritize-what-matters-most\/","title":{"rendered":"Container runtime insights to prioritize what matters most\u00a0\u00a0"},"content":{"rendered":"

Through an integration with Sysdig, Checkmarx One users can now leverage runtime container insights to prioritize vulnerabilities associated with running container packages that pose the most risk.<\/em>   <\/p>\n\n\n\n

Prefer not to read? You can watch a replay of our joint webinar<\/a> where we go into more depth about the capabilities and demonstrate live within the Checkmarx One and Sysdig Secure products. <\/em>Watch now -><\/em><\/a><\/p>\n\n\n\n

In the past several years containers have emerged as a favorable choice for deploying applications, due to their architecture they allow developers to overlook concerns about dependencies and environments. Everything essential for running an application is neatly encapsulated within the container, encompassing code, runtime, system tools, libraries, and dependencies.<\/p>\n\n\n\n

In cloud-native environments, containers, when coupled with best practices and the appropriate tools, offer seamless scalability, ensuring optimal application performance and availability. This flexibility not only caters to peak demands but also frees processing power for various application components.<\/p>\n\n\n\n

However, the challenge arises when cloud and application security functions operate in silos, creating fragmentation. This scenario leaves AppSec teams without the correlation or context to understand which container packages are running, which are not and prioritize associated risks effectively.<\/p>\n\n\n\n

Imagine a scenario where developers, prompted by security alerts and new work items, invest their valuable time in remediation efforts, only to discover that the identified low-priority vulnerability pertains to an unused container package. Without the correlation between vulnerability and runtime data, frustration sets in for developers, and may cause alert fatigue, while AppSec teams find themselves handicapped without a comprehensive view of the critical vulnerabilities that truly matter.<\/p>\n\n\n\n

The challenge for AppSec teams is not merely identifying vulnerabilities but prioritizing, and remediating the ones that pose the most risk. Establishing a connection between vulnerabilities and the running containers becomes crucial, enabling teams to prioritize critical vulnerabilities and remediating them effectively. This correlation goes beyond technical nuances; it forms the backbone for fostering trust and collaboration between developers and AppSec teams. <\/p>\n\n\n\n

Checkmarx & Sysdig; connecting the dots between pre-production and runtime<\/strong><\/h2>\n\n\n\n

Sysdig enhances Checkmarx Container Security by providing vital runtime insights into container Open-Source Software (OSS) running within cloud-native environments. While Checkmarx excels in securing container images by detecting vulnerabilities during development, Sysdig’s real-time profiling enriches this process by analyzing containerized applications during runtime. Checkmarx crossmatches the list of OSS packages used at runtime with known vulnerable packages, enhancing the identification of security risks. By integrating with Sysdig, Checkmarx extends its container security capabilities beyond static image analysis, ensuring a comprehensive approach throughout the container lifecycle. <\/p>\n\n\n\n

The collaboration between Sysdig and Checkmarx streamlines overall security management by offering continuous runtime monitoring and analysis. Sysdig’s integration enhances Checkmarx’s ability to prioritize and address vulnerabilities effectively, delivering a unified solution covering static analysis and real-time package insights. This partnership strengthens the capability to identify and remediate security threats, fostering a resilient cloud-native environment while empowering security teams and developers with a more proactive security posture.<\/p>\n\n\n\n

See the integration in action<\/strong><\/h2>\n\n\n\n

Beginning in Checkmarx Container security, we look at the completed scans under the \u201cContainer\u201d tab. <\/p>\n\n\n\n

Runtime insights for container packages are available at the container level and at the vulnerability level. <\/p>\n\n\n\n

Within the container level<\/strong> under the \u201cContainer Packages\u201d tab, container scan results are sorted by default by the packages used at runtime, and by the packages with the most vulnerabilities.<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

In this view, you can easily see how easy it is to quickly jump in and tackle the container packages with the most vulnerabilities. But when users quickly cross reference the \u201cRuntime Usage\u201d column alongside the number of vulnerabilities found, it becomes clear which vulnerabilities should be prioritized.  <\/p>\n\n\n\n

Users can also filter this view to only see the packages used at runtime. <\/p>\n\n\n\n

Runtime insights are also available at the vulnerability level<\/strong>. The \u2018Container Vulnerabilities\u2019 view displays vulnerabilities associated with containers and their criticality, bubbling up those vulnerabilities associated with containers found in runtime at the top of the list.  <\/p>\n\n\n\n


<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n


In this view, you\u2019ll see that the \u201cRisk Factor\u201d column highlights whether the vulnerability is associated with a package that is used at runtime. The results show 9 CVEs that are associated with a package used in runtime, and the last CVE was not within a package used in runtime. The risk factor of whether the vulnerability was associated with a package found in runtime is just the start; additional risk factors are coming soon. <\/p>\n\n\n\n

When users want to better understand a given vulnerability found, they can click into the CVE for more information, including the severity, CVSS Score, and attack vector. <\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n


When users click into a given CVE, they\u2019ll now see a new \u201cRisk Factors\u201d box, where they can quickly see that the vulnerability is associated with a package used in runtime.<\/p>\n\n\n\n

Prioritize what’s running and reduce noise by up to 90%<\/strong><\/h2>\n\n\n\n

Using runtime insights from Sysdig Secure, Checkmarx One or SCA standalone customers gain several benefits. <\/p>\n\n\n\n