Package: Invicti AppSec Enterprise (on-premise, on-demand)
Sysdig CSPM Integration
Sysdig provides cloud security posture management with continuous compliance monitoring, vulnerability detection, and risk assessment across cloud environments. In Invicti AppSec, the Sysdig CSPM integration connects to your Sysdig account to import cloud security findings into your projects.
Prerequisites
| Field | Description |
|---|---|
| Token | Sysdig API token |
| Region | Sysdig SaaS region (if not using a custom URL) |
| URL | Custom Sysdig API endpoint (if using a self-hosted or custom instance) |
Get API Credentials (on Sysdig Side)
- Log in to the Sysdig console.
- Navigate to Settings > User Profile or API Tokens.
- Generate or copy your API Token.
- Note your Sysdig region (e.g.,
us1,eu1) or the custom URL for your instance.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the CSPM Tab
On the Integrations > Scanners page, click on the CSPM tab.
Step 3: Find and Activate Sysdig CSPM
Scroll through the list of CSPM scanners to find Sysdig CSPM.
- If Sysdig CSPM is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Sysdig CSPM card to open the settings panel.
If you have multiple Sysdig instances, select the instance you want to configure from the instance selector.
Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Token | Sysdig API token | Yes |
| Use Custom URL | Toggle to enter a custom API endpoint instead of selecting a region | No |
| Region | Sysdig SaaS region (visible when Use Custom URL is off) | Yes (if not using custom URL) |
| URL | Custom API endpoint URL (visible when Use Custom URL is on) | Yes (if using custom URL) |
| Insecure | Skip TLS certificate verification (not recommended for production) | No |
Available regions:
| Region (displayed as) | Description |
|---|---|
secure.sysdig.com | United States (US1) |
us2.app.sysdig.com | United States (US2) |
app.us3.sysdig.com | United States (US3) |
app.us4.sysdig.com | United States (US4) |
eu1.app.sysdig.com | Europe (EU1) |
app.au1.sysdig.com | Australia (AU1) |
app.me2.sysdig.com | Middle East (ME2) |
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Sysdig API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CSPM tab |
| 3 | Activate Sysdig CSPM |
| 4 | Enter Token and select Region (or provide a custom URL) |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Sysdig CSPM Scanner
- Select CSPM as the scanner type.
- Choose Sysdig CSPM from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Associate the scan with a feature environment | No |
| Branch | The branch to associate cloud findings with | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Cloud Filter | Filter imported findings by Asset Name, Image, Region, Platform, Asset Type, Severity, or IP Address | No |
-
Invicti AppSec automatically syncs Sysdig CSPM vulnerabilities on a daily basis — no manual trigger is required after the initial scan is configured.
-
Cloud Filter lets you narrow which findings are imported into this project. You can filter by Asset Name, Image, Region, Cloud Platform, Asset Type, Severity, and IP Address. If no filter is set, all findings accessible via the API token are imported.
Scheduler
Enable the Scheduler toggle to automatically re-run the Sysdig CSPM scan on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t sysdigcspm -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid token | Verify the API token in the Sysdig console under Settings > User Profile or API Tokens. |
| Incorrect region | Ensure the selected region matches your Sysdig SaaS account region. Check your Sysdig account settings or the URL you use to access the console. |
| Custom URL unreachable | Verify the custom URL is correct and that the Sysdig instance is accessible from your network. |
| TLS errors | If using a self-signed certificate, enable Insecure mode. Do not use this in production. |
Scan Issues
| Issue | Resolution |
|---|---|
| No findings imported | Verify that Sysdig has completed posture assessments for your cloud accounts. Check the Cloud Filter — overly restrictive filters may exclude all findings. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API token for Invicti AppSec with read-only access — do not use admin tokens.
- Rotate the API token periodically and update the integration settings in Invicti AppSec accordingly.
- Select the correct region matching your Sysdig SaaS instance to avoid authentication failures.
- Use Cloud Filters to associate each project with the specific asset types, regions, or cloud platforms it covers, ensuring findings are relevant to that project.
- Use the Scheduler to keep cloud security findings aligned with Sysdig's assessment schedule.
- Disable the Insecure option in production environments to ensure encrypted communication.
Limitations
- Sysdig CSPM in Invicti AppSec imports cloud security posture findings — it does not trigger new Sysdig assessments.
- Only findings accessible via the provided API token are available for import.
- Vulnerability sync occurs daily automatically; manual on-demand sync is not supported outside of scheduled scans.
- Requires an active Sysdig subscription with CSPM capabilities enabled.
Need help?
Invicti Support team is ready to provide you with technical help. Go to Help Center