Scan Running Images
This doc applies only to the Legacy Scanning engine. Make sure you are using the correct documentation: Which Scanning Engine to Use
To automatically trigger scans of running images, install a node-based image analyzer alongside the agent. Alternatively, you can scan individual images manually from the UI.
Auto-Scan with the Image Analyzer
What is the Image Analyzer?
The (node) image analyzer (NIA) scans images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agent container.
On start-up, the analyzer scans all pre-existing running images on the node. It then scans any new image that enters a running state on the node. Each image is scanned once, and the results are forwarded to the Sysdig Secure scanning backend. The image metadata and the full scan report are then available in the Sysdig Secure UI.
The analyzer performs the image analysis directly on the local host. This poses several benefits:
Automation: Every image executed in your environments is automatically scanned and checked against the vulnerability databases and the configured scanning policies, without requiring any manual intervention.
Privacy: With local analysis, only image metadata is sent to the Sysdig backend, as opposed to pulling the entire image to be evaluated by backend scanning, which improves privacy.
Improved registry security: Since the Sysdig backend does not pull the image from a registry, there is no need to configure registry credentials on the Sysdig side, nor to expose the registry endpoints over public networks.
If the node image analyzer is installed, there is no longer any need to manually trigger running image scans.
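The scan-once-per-image rule and the manual-scan fallback above can be illustrated with a small model. The following is an added example, not Sysdig's code: it models a node analyzer that keys scans on the image digest, forwards only metadata and findings, and flags images whose digest could not be resolved for a manual scan from the UI. The event shape, the node and image names, and the report fields are all constructed assumptions.

```python
"""Simplified model of the node image analyzer's scan-once behaviour.

Added example, not Sysdig code. It models the rules described on the page:
every image that enters a running state on a node is analysed locally once,
identified by its digest, and only metadata plus findings are forwarded to
the backend. Images whose digest cannot be resolved are flagged for a manual
scan, which is the case the UI handles with the "Scan Now" option.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ContainerStart:
    """A constructed container-start event as seen on one node."""
    container_id: str
    image_ref: str          # e.g. "registry.example/app:1.2" (constructed)
    digest: Optional[str]   # None when the runtime could not resolve it


@dataclass
class NodeAnalyzer:
    node: str
    scanned: set = field(default_factory=set)     # digests already analysed
    forwarded: list = field(default_factory=list)  # reports sent to the backend

    def local_scan(self, event: ContainerStart) -> dict:
        # Stand-in for local analysis: the report carries metadata only,
        # never image layers or content, which is the privacy point above.
        return {"node": self.node, "image": event.image_ref, "digest": event.digest}

    def handle(self, event: ContainerStart) -> str:
        if event.digest is None:
            # No digest means the image cannot be identified reliably;
            # a manual scan from the UI is required.
            return "manual_scan_required"
        if event.digest in self.scanned:
            # Same digest under another tag or container: scanned once only.
            return "already_scanned"
        self.scanned.add(event.digest)
        self.forwarded.append(self.local_scan(event))
        return "scanned"


def process_startup(analyzer: NodeAnalyzer, running: list, new_events: list) -> list:
    """On analyzer start-up, scan pre-existing running images first, then
    handle images that start running afterwards. Returns one outcome per event."""
    return [analyzer.handle(e) for e in running + new_events]


if __name__ == "__main__":
    node = NodeAnalyzer("node-1")
    pre_existing = [
        ContainerStart("c1", "app:1.0", "sha256:aaa"),
        ContainerStart("c2", "app:stable", "sha256:aaa"),  # same digest, new tag
    ]
    started_later = [
        ContainerStart("c3", "db:2", "sha256:bbb"),
        ContainerStart("c4", "tmp:latest", None),          # digest unresolved
    ]
    for outcome in process_startup(node, pre_existing, started_later):
        print(outcome)
    print(len(node.forwarded), "reports forwarded")
```

Only two reports reach the backend for the four start events: one per distinct digest, and none for the image whose digest is unknown.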
Installing the Image Analyzer
If you have run the single-line agent install with the --image-analyzer flag, then this component is already running in your
The feature is available for Kubernetes environments in Sysdig Secure SaaS and in On-Premises version 3.5.1+.
Otherwise, the Image Analyzer is now deployed as a part of the Node Analyzer: Multi-Feature Installation.
Manually Scan an Image
If the node image analyzer is not installed, then when a new image is added to a running environment it may need to be scanned manually. This can be done from either the Runtime tab or the Scan Results tab.
From the Runtime Tab
To manually scan an image from the Scanning module, choose the Runtime tab, then Unscanned, and select an image from the list of unscanned images. Click Scan Now if the option is displayed. You may be prompted to install the Image Analyzer if the digest could not be detected.
From the Image Results Tab
From the Scanning module, choose the Image Results tab.
Define the path to the image, and click