Profiling

Image profiling in Sysdig enhances the data collection capabilities of the agent and is a building block for several other Sysdig features.

Profiling enables:

Availability and Enablement

Some features are still under Controlled Availability and require enablement from Sysdig support, as noted.

Enabling profiling turns on an agent feature that increases the agent's resource demand, both memory and CPU. If the agent starts using too many resources, it automatically and temporarily disables this feature so that its basic functionality is not affected.

Enable for Machine Learning

To use machine learning policies:

  1. Log in to Sysdig Secure as Admin and navigate to Settings > User Profile.

  2. Toggle the Profiling switch in the Sysdig Labs section.

  3. Select Policies > Runtime Policies and create a new policy of the type Machine Learning.

Enable for Risk Spotlight Integrations or for the In Use Column

NOTE: Risk Spotlight and In Use are still in Controlled Availability, so you must contact Support to set backend flags.

Prerequisite: Have the new Vulnerability Management engine enabled in Sysdig Secure SaaS.

The In Use column is displayed in the Vulnerabilities module of Sysdig Secure and requires one additional parameter for the Sysdig Agent.

Risk Spotlight can be used to enrich the vulnerability findings of external platforms with Sysdig’s Runtime Insights. For this use, two parameters are required for the Sysdig Agent.

To enable:

  1. Contact Sysdig support and ask to have the feature enabled in the backend. (This step is required during Controlled Availability.) The flags are:

    • Secure: Scanning v2 EVE
    • Secure: Scanning v2 EVE Integration
  2. Set the parameters on the Node Analyzer of your Sysdig agents, e.g., using the sysdig-deploy Helm chart.

    For In Use:

    --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true

    For Risk Spotlight, in order to integrate with Snyk, Docker Scout, etc.:

    --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true
    --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true

  3. Toggle the Profiling switch in the Sysdig Labs section.

  4. After 15-30 minutes, check Vulnerabilities > Runtime. The runtime scanner gathers the profiling data and displays the results in the Vulnerabilities > Runtime scan results.

    You should see the In Use column populated.

  5. If you also want to export these results to third-party software, follow the instructions in Risk Spotlight Integrations to create a Risk Spotlight Token and add it to the external platform.

    (Note: If the third-party software is Snyk, the instructions are slightly different.)
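The following script is an added example, not Sysdig's own tooling: it assembles the helm upgrade for step 2 above for either profiling mode, so that the "In Use" flag alone or both Risk Spotlight flags are applied consistently. The chart reference `sysdig/sysdig-deploy`, the release name `sysdig` and the namespace `sysdig-agent` are assumptions; override them with environment variables to match your deployment. The command is only printed unless `SYSDIG_APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not Sysdig's own script). Builds, and optionally runs, the
# helm upgrade that sets the Node Analyzer parameters described above.
# Assumed defaults (adjust to your environment):
RELEASE="${RELEASE:-sysdig}"
NAMESPACE="${NAMESPACE:-sysdig-agent}"
CHART="${CHART:-sysdig/sysdig-deploy}"

# Print the --set flags for a profiling mode, one per line.
# "in-use" needs only eveEnabled; "risk-spotlight" also deploys the
# EVE connector used by the external-platform integrations.
eve_set_flags() {
  case "$1" in
    in-use)
      printf '%s\n' "--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true"
      ;;
    risk-spotlight)
      printf '%s\n' "--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true"
      printf '%s\n' "--set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true"
      ;;
    *)
      echo "unknown mode: $1 (expected in-use or risk-spotlight)" >&2
      return 1
      ;;
  esac
}

# Full upgrade command. --reuse-values keeps the values already set on the
# release (access key, cluster name, ...) instead of resetting them to the
# chart defaults, which a bare "helm upgrade --set ..." would do.
helm_cmd() {
  flags=$(eve_set_flags "$1") || return 1
  printf 'helm upgrade --install %s %s -n %s --reuse-values %s\n' \
    "$RELEASE" "$CHART" "$NAMESPACE" "$(printf '%s' "$flags" | tr '\n' ' ')"
}

# Apply only when explicitly requested; otherwise just show the command.
if [ "${SYSDIG_APPLY:-0}" = 1 ]; then
  eval "$(helm_cmd "${1:-in-use}")"
elif [ -n "${1:-}" ]; then
  helm_cmd "$1"
fi
```

Usage: `sh enable-profiling.sh risk-spotlight` prints the command; `SYSDIG_APPLY=1 sh enable-profiling.sh risk-spotlight` runs it. Because the Node Analyzer settings are only two of many values on the release, the `--reuse-values` flag is the part most often forgotten when these parameters are added by hand.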

How Image Profiles Work

With image profiling enabled, the agents start sending "fingerprints" of what happened in the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based on the same image and running on different nodes, the profiler collects and combines their system activity into a single image profile.

Internal algorithms determine two aspects of behavior:

  • Length of time observed: determines whether the image is in the learning or done-learning state

  • Consistency of behavior: determines the confidence level of the observed behavior

Profile Contents

A container image profile is a collection of data points related to:

  • Network activity

    • TCP ports (in/out)

    • UDP ports (in/out)

  • Processes detected

  • File system (informational only)

    • Files (read/write)

    • Directories (read/write)

  • System calls detected
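To make the aggregation described in "How Image Profiles Work" and the data points listed under "Profile Contents" concrete, the following is an added Python model, not Sysdig's code and not its actual algorithm: per-container fingerprints of the same image are merged into one profile, each observed item carries the fraction of that image's containers in which it was seen (a stand-in for the consistency-based confidence), and a learning state is derived from total observation time. The sample fingerprints, the category names and the one-hour learning threshold are constructed assumptions.

```python
"""Illustrative image-profile aggregation (added example, not Sysdig code)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Data-point categories, mirroring the Profile Contents list:
# network ports (TCP/UDP, in/out), processes, files and directories
# (read/write) and system calls.
CATEGORIES = ("tcp_in", "tcp_out", "udp_in", "udp_out", "processes",
              "files_read", "files_write", "dirs_read", "dirs_write", "syscalls")


@dataclass
class Fingerprint:
    """What one agent observed for one container (constructed sample shape)."""
    image: str
    container_id: str
    node: str
    observed_seconds: int
    tcp_in: set = field(default_factory=set)
    tcp_out: set = field(default_factory=set)
    udp_in: set = field(default_factory=set)
    udp_out: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    files_read: set = field(default_factory=set)
    files_write: set = field(default_factory=set)
    dirs_read: set = field(default_factory=set)
    dirs_write: set = field(default_factory=set)
    syscalls: set = field(default_factory=set)


@dataclass
class ImageProfile:
    """Activity of all containers of one image, merged across nodes."""
    image: str
    containers: int = 0
    observed_seconds: int = 0   # summed over all containers of the image
    # seen[category][item] = number of containers in which item was observed
    seen: dict = field(default_factory=lambda: {c: defaultdict(int) for c in CATEGORIES})

    def confidence(self, category, item):
        """Fraction of this image's containers that showed the item (0.0 if none)."""
        if self.containers == 0:
            return 0.0
        return self.seen[category][item] / self.containers

    def items(self, category, min_confidence=0.0):
        """Observed items of a category, optionally only the consistent ones."""
        return sorted(item for item in self.seen[category]
                      if self.confidence(category, item) >= min_confidence)

    def learning_state(self, done_after_seconds=3600):
        """Assumed threshold: one hour of aggregate observation ends learning."""
        return "done learning" if self.observed_seconds >= done_after_seconds else "learning"


def aggregate(fingerprints):
    """Merge fingerprints into one ImageProfile per image, keyed by image name."""
    profiles = {}
    for fp in fingerprints:
        profile = profiles.setdefault(fp.image, ImageProfile(fp.image))
        profile.containers += 1
        profile.observed_seconds += fp.observed_seconds
        for category in CATEGORIES:
            for item in getattr(fp, category):
                profile.seen[category][item] += 1
    return profiles


# Constructed sample: two containers of web:1.0 on different nodes, one of db:2.0.
SAMPLE = [
    Fingerprint("web:1.0", "a1", "node-1", 2400, tcp_in={8080}, tcp_out={5432},
                processes={"nginx", "sh"}, files_read={"/etc/nginx/nginx.conf"},
                syscalls={"accept", "read", "write"}),
    Fingerprint("web:1.0", "b2", "node-2", 1800, tcp_in={8080}, tcp_out={5432, 443},
                processes={"nginx"}, files_read={"/etc/nginx/nginx.conf"},
                syscalls={"accept", "read", "write", "connect"}),
    Fingerprint("db:2.0", "c3", "node-1", 600, tcp_in={5432}, processes={"postgres"},
                dirs_write={"/var/lib/postgresql/data"},
                syscalls={"accept", "read", "write", "fsync"}),
]

if __name__ == "__main__":
    for name, profile in aggregate(SAMPLE).items():
        print(f"{name}: {profile.containers} containers, {profile.learning_state()}")
        for category in CATEGORIES:
            for item in profile.items(category):
                print(f"  {category:10} {item!s:30} confidence={profile.confidence(category, item):.2f}")
```

Run stand-alone, the script shows why aggregation across containers matters: the outbound port 443 and the `sh` process appear in only one of the two web:1.0 containers and so carry half the confidence of the items every container exhibited, and db:2.0, observed for only ten minutes, is still in the learning state.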