
Checkmarx SCA Sysdig Integration - Runtime Usage


This document relates to the SCA standalone platform. Users who consume SCA through Checkmarx One should refer to Checkmarx One Sysdig Integration - Runtime Usage.


We have implemented a new integration with Sysdig Risk Spotlight, which identifies runtime usage of container packages. Once the integration is configured, the runtime usage data that was identified by Sysdig is shown as part of the Checkmarx scan results. This provides important insights for prioritizing remediation activities based on actual risk of exploitation.


  • You need to have a Sysdig license and you need to obtain a Sysdig Risk Spotlight Token for your account.

  • Make sure that your Sysdig agents are configured to cover all images that you will be scanning in Checkmarx.


Sysdig doesn't provide runtime data for base-images.

Setting up the Integration

The integration needs to be configured by Checkmarx personnel. Please contact your Checkmarx account agent and provide them with:

  • The base URL for your Sysdig region (e.g.,

  • Your Sysdig Risk Spotlight token

  • Cluster name (optional)

Preparing the Tools

To get runtime usage results, you need to scan the built image that was created from the Dockerfile in your local environment. This is done using the SCA Resolver tool.

  1. Download and install the SCA Resolver tool as described here.


    Make sure that all relevant package managers are installed on your local environment, see Installing Supported Package Managers for Resolver.

  2. Download and install Syft version 0.83.1 from here.


It is generally preferable to install both tools in the same folder. Make sure that the user running the scans has write privileges to the folder(s) in which these tools are located.

Scanning Images Using the SCA Resolver

The following procedure explains how to run a container scan using SCA Resolver in Online mode. To learn about running scans in Offline mode as well as other scanning options, see Running Scans Using Checkmarx SCA Resolver.

For more info about Checkmarx container scans, see Container Scans.

  1. Create a run command ScaResolver.exe (Windows) or ScaResolver (Linux) with the following mandatory arguments.

    -s : path to the folder to scan


    This must be the path to a local folder that contains the source code, not to a zip archive or a code repository.


    If you want to scan only specific images (not an entire project), do the following:

    1. Create a "dummy" folder in your project (for use in the -s parameter) and give it a name that indicates that it is used for scanning images, e.g., scan_ecr_image.

    2. In the Resolver scan command, for the -s parameter give the path to the "dummy" folder that you created, e.g., /Users/DemoUser/scan_ecr_image.

    -n : to scan an existing Project, enter the name of the Project, OR to create a new Project, enter a new name to assign to the Project

    -a : your Checkmarx SCA account name

    -u : your username

    -p : your password


    If you authenticate via a SAML provider, then providing user credentials is not necessary. See SAML Authentication for Checkmarx SCA Resolver.

    The following example shows a run command using the mandatory arguments:

  2. You can add additional arguments to specify the desired scan configuration, see Checkmarx SCA Resolver Configuration Arguments.

  3. Add the --scan-containers flag to the SCA Resolver scan command.

  4. Add the --images flag followed by a comma-separated list of images. Specify each image using the following syntax: {image_name}:{image_tag}.

The following example shows a command to run a container scan on specific images.
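
The procedure above, scripted as an added example (not from the Checkmarx documentation): a POSIX shell wrapper that checks each image against the {image_name}:{image_tag} syntax before building the --images list and calling the Resolver with the documented flags. The environment variable names (SCA_ACCOUNT, SCA_USER, SCA_PASSWORD, SCA_RESOLVER), the ./ScaResolver location and the sample image names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Checkmarx code). Values and env var names are assumptions.

# Accept only {image_name}:{image_tag}. The tag is checked on the last path
# component, so a registry port ("host:5000/app") does not count as a tag.
valid_image_ref() {
  case "$1" in
    ''|*' '*|*,*) return 1 ;;      # empty, or would corrupt the comma list
  esac
  _last=${1##*/}
  case "$_last" in
    *:*:*) return 1 ;;             # more than one colon after the last "/"
    ?*:?*) return 0 ;;             # non-empty name and non-empty tag
    *)     return 1 ;;             # untagged ("nginx") or empty tag ("nginx:")
  esac
}

# Join validated references into the comma-separated value for --images.
build_images_arg() {
  _list=""
  for _ref in "$@"; do
    valid_image_ref "$_ref" || { echo "invalid image reference: $_ref" >&2; return 1; }
    _list="${_list:+$_list,}$_ref"
  done
  [ -n "$_list" ] || { echo "no images given" >&2; return 1; }
  printf '%s\n' "$_list"
}

# Usage: run_container_scan <dummy_dir> <project_name> <image>...
# Reads SCA_ACCOUNT, SCA_USER and SCA_PASSWORD from the environment.
run_container_scan() {
  [ "$#" -ge 3 ] || { echo "usage: run_container_scan <dir> <project> <image>..." >&2; return 2; }
  _dir=$1; _project=$2; shift 2
  _images=$(build_images_arg "$@") || return 1
  if [ -z "${SCA_ACCOUNT:-}" ] || [ -z "${SCA_USER:-}" ] || [ -z "${SCA_PASSWORD:-}" ]; then
    echo "set SCA_ACCOUNT, SCA_USER and SCA_PASSWORD" >&2; return 1
  fi
  mkdir -p "$_dir"                 # the "dummy" folder passed to -s
  "${SCA_RESOLVER:-./ScaResolver}" -s "$_dir" -n "$_project" \
    -a "$SCA_ACCOUNT" -u "$SCA_USER" -p "$SCA_PASSWORD" \
    --scan-containers --images "$_images"
}

# Constructed invocation:
# run_container_scan /Users/DemoUser/scan_ecr_image DemoProject demo/app:1.4.2
```

An image list that fails validation stops the wrapper before the folder is created or the Resolver is started.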

Viewing Runtime Data

Once the integration has been configured for your account, whenever you run a scan on an image that is covered by your Sysdig deployment, the Checkmarx scan results will be supplemented with the runtime data.

Container Packages Tab

In the Container Packages tab, there is a column Runtime Usage which indicates which packages are used in runtime.


Possible values for Runtime Usage are:

  • Used - Runtime usage of this package was identified.

  • Not Used - No runtime usage of this package was identified.

  • Not Eligible - Runtime analysis isn’t supported for this package (for example, base-images aren't scanned by Sysdig).

  • Not Found - We couldn’t identify runtime usage because this package isn’t covered by your runtime security integration. Try adjusting the configuration of your runtime security integration so that all relevant clusters are covered.

Container Vulnerabilities Tab

In the Containers Vulnerabilities tab, runtime usage is shown as a Risk Factor for vulnerabilities that are associated with used packages.


Also, when you drill down to open the details page for a specific vulnerability, runtime usage is shown as a Risk Factor.