Welcome to the official Sysdig Plugin for Backstage. This plugin will show you the latest Vulnerabilities and Posture reports of your services using Sysdig Secure.

For this plugin to work, you will access to Sysdig Secure.

You must provide:

• Your Sysdig Secure API Key.
• Your Sysdig Secure Endpoint (region for SaS).

Please refer to the official documentation for more details.

# From your Backstage root directory
yarn --cwd packages/app add @sysdig/backstage-plugin-sysdig

# From your Backstage root directory
git clone https://github.com/sysdiglabs/backstage-plugin-sysdig plugins/sysdig
yarn install

Add the Sysdig page to the Entity routes in packages/app/src/components/catalog/EntityPage.tsx:

+ import { SysdigPage } from '@sysdig/backstage-plugin-sysdig';

...


const serviceEntityPage = (
  <EntityLayoutWrapper>

  ...

+    <EntityLayout.Route path="/sysdig" title="Sysdig">
+      <SysdigPage />
+    </EntityLayout.Route>

  ...

  </EntityPageLayout>
)

Edit app-config.yaml and add to the API endpoints the following details:

proxy:
  endpoints:
+     '/sysdig':
+       target: ${SYSDIG_SECURE_ENDPOINT}
+       changeOrigin: true
+       allowedMethods: ['GET']
+       headers:
+         "Authorization": "Bearer ${SYSDIG_SECURE_TOKEN}"
+         "Content-Type": "application/json"
+         "Accept": "application/json"
+         "X-Sysdig-Product": "SDS"

...

+ sysdig:
+   endpoint: ${SYSDIG_SECURE_ENDPOINT}

• Set the environment variable SYSDIG_SECURE_ENDPOINT to your Sysdig Secure Endpoint.
• Likewise, set SYSDIG_SECURE_TOKEN to your Sysdig Secure API Token.

All added annotations are available and documented in the source file.

Be aware that not all annotations are needed, the different reports may or may not work depending on which information is provided. For example, to get Registry scanning results, you will need to annotate the corresponding services with registry data.

apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: sock-shop-carts
  annotations:
    # VM Runtime
    sysdigcloud.com/kubernetes-cluster-name: sock-shop-cluster
    sysdigcloud.com/kubernetes-namespace-name: sock-shop
    sysdigcloud.com/kubernetes-workload-name: sock-shop-carts
    sysdigcloud.com/kubernetes-workload-type: deployment

    # VM Registry
    sysdigcloud.com/registry-vendor: harbor
    sysdigcloud.com/registry-name: registry-harbor-registry.registry.svc.cluster.local:5443

    # VM Pipeline
    sysdigcloud.com/image-freetext: ghcr.io/sysdiglabs
    
    # Posture
    sysdigcloud.com/resource-name: sock-shop-carts
    sysdigcloud.com/resource-type: "Deployment"
  description: |
    This is the Sock shop service that keeps track of socks pairs to be purchased.
spec:
  type: service
  lifecycle: experimental
  owner: team-c
  system: sock-shop
  dependsOn:
    - component:default/sock-shop-carts-db

In most cases, no. It cannot be guaranteed that values for other plugins, such as the Kubernetes one, will match those in Sysdig. For example, when you install the Sysdig Agent, you can set data to whatever you want (such as the cluster name), so it may differ from what other plugins have.

If you can guarantee that values for certain annotations will always match across plugins, you can edit the source file and set those to the desired annotations.