Skip to main content

Checkmarx One Sysdig Integration - Runtime Usage


This document is intended for users who consume SCA through the Checkmarx One platform. Users of the SCA standalone product should refer to Checkmarx SCA Sysdig Integration - Runtime Usage to learn how to implement the Sysdig integration.


We have implemented a new integration with Sysdig Risk Spotlight, which identifies runtime usage of container packages. Once the integration is configured, the runtime usage data that was identified by Sysdig is shown as part of the Checkmarx scan results. This provides important insights for prioritizing remediation activities based on actual risk of exploitation.


  • You need to have a Sysdig license and you need to obtain a Sysdig Risk Spotlight Token for your account.

  • Make sure that your Sysdig agents are configured to cover all images that you will be scanning in Checkmarx.


Sysdig doesn't provide runtime data for base-images.

Setting up the Integration

The integration needs to be configured by Checkmarx personnel. Please contact your Checkmarx account agent and provide them with:

  • The base URL for your Sysdig region (e.g.,

  • Your Sysdig Risk Spotlight token

  • Cluster name (optional)

Preparing the Tools

In order to get results for runtime usage you need to scan the built image created from the docker file in your local environment. This is done using the SCA Resolver tool. The SCA Resolver is called via the Checkmarx One CLI tool.

  1. Download and install the SCA Resolver tool as described here.


    Make sure that all relevant package managers are installed on your local environment, see Installing Supported Package Managers for Resolver.

  2. Download and install Syft version 0.83.1 from here.

  3. Download and install the Checkmarx One CLI. Configure it for use with your Checkmarx One account, as described here.


It is generally preferable to install all of the above tools in the same folder. Make sure that the user running the scans has write privileges to all of the folders in which these tools are located.

Scanning Images Using the Checkmarx One CLI Tool

In the Checkmarx One CLI, run the scan create command, specifying the use of SCA Resolver for scanning your container images.

The command should have the following components:

  1. The scan create command with all required parameters, and specifying the --scan-types as sca. The -s parameter should specify the location of the docker files that you would like to scan.

    ./cx scan create --project-name <Project Name> -s <Repository URL of Docker files> --branch <branch name> --scan-types sca
  2. Add the --sca-resolver flag, specifying the path to the resolver binary (executable).

    --sca-resolver <path-to-resolver>
  3. Add the --sca-resolver-params flag with the following parameters:

    1. Add the --scan-containers flag.

    2. Add the --images flag followed by a comma separated list of images. Specify each image using the following syntax {image_name}:{image_tag}.

    3. Add --containers-result-path, with the path set as follows:


      • <base_folder_path> must be identical to the value given for -s.

      • The precise file name .cxsca-container-results.json must be used.

    --sca-resolver-params "--scan-containers --images {image_name}:{image_tag} --containers-result-path <base_folder_path>/.cxsca-container-results.json"

    The following is an example of a command for scanning containers in the project folder as well as specific images.

    ./cx scan create --project-name DemoContainerProject -s . --branch main --scan-types sca --debug --async --sca-resolver './ScaResolver' --sca-resolver-params "--log-level Debug --scan-containers --images manuelbcd/vulnapp:latest,debian:10 --containers-result-path ./.cxsca-container-results.json"

Viewing Runtime Data

Once the integration has been configured for your account, whenever you run a scan on an image that is covered by your Sysdig deployment, the Checkmarx scan results will be supplemented with the runtime data.

Container Packages Tab

In the Container Packages tab, there is a column Runtime Usage which indicates which packages are used in runtime.


Possible values for Runtime Usage are:

  • Used - Runtime usage of this package was identified.

  • Not Used - No runtime usage of this package was identified.

  • Not Eligible - Runtime analysis isn’t supported for this package (for example, base-images aren't scanned by Sysdig).

  • Not Found - We couldn’t identify runtime usage because this package isn’t covered by your runtime security integration. Try adjusting the configuration of your runtime security integration so that all relevant clusters are covered.

Container Vulnerabilities Tab

In the Containers Vulnerabilities tab, runtime usage is shown as a Risk Factor for vulnerabilities that are associated with used packages.


Also, when you drill-down to open the details page for a specific vulnerability, runtime usage is shown as a Risk Factor.