Scan Running Images

It is possible to trigger scans of running images from the Sysdig UI or to install a node-based image analyzer alongside the agent to auto-scan every image.

Auto-Scan with Node Image Analyzer

The node image analyzer (NIA) provides the capability to scan images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agent container.

On container start-up, the analyzer scans all pre-existing running images present on the node. Additionally, it will scan any new image that enters a running state on the node. It will scan each image once, then forward the results to the Sysdig Secure scanning backend. Image metadata and the full scan report are then available in the Sysdig Secure UI.

The analyzer performs the image analysis directly on the local host. This has several benefits:

  • Automation: Every image executed in your environments is automatically scanned and checked against the vulnerability databases and configured scanning policies, without requiring any manual intervention.

  • Privacy: With local analysis, only image metadata is sent to the Sysdig backend; the entire image does not have to be pulled for evaluation by backend scanning.

  • Improved registry security: Since the Sysdig backend does not pull the image from a registry, there is no need to configure registry credentials on the Sysdig side, nor to expose the registry endpoints over public networks.

If the node image analyzer is installed, there is no longer any need to manually trigger running image scans.

Installing the Node Image Analyzer

Note

If you have run the single-line agent install with the --image-analyzer flag, then this component is already running in your infrastructure.

The feature is available for Kubernetes environments in Sysdig Secure SaaS and in On-Premises version 3.5.1+.

Single-Line Install (Recommended)

The analyzer is included by default in the Connect Your Data Sources portion of the Sysdig Secure Get Started page. This script installs the node image analyzer alongside the agent.

For Sysdig Secure SaaS: Go to https://secure.sysdig.com/#/onboarding to get the script.

For Sysdig Secure On-prem: Choose the Get Started page from the Rocket icon in the navigation bar.

Daemonset Install

To deploy the node image analyzer using Kubernetes daemonsets, download the following configuration files, edit them as annotated within the files, and deploy them.

To deploy the image analyzer concurrently with the Sysdig agent, you would also download the sysdig-agent-clusterrole.yaml, sysdig-agent-daemonset-v2.yaml, and sysdig-agent-configmap.yaml and deploy them as described in Agent Install: Kubernetes.

You need to deploy these YAMLs after installing the Sysdig agent on the same nodes, and in the same namespace (sysdig-agent by default).

Alternate Cases

The installation instructions above should be sufficient for the majority of users; the options below allow for customizations and special cases.

On-Premises and Alternate Sysdig SaaS Regions

If you want the Node Image Analyzer to report to an On-Prem Sysdig backend or to a SaaS region other than us-east, you must pass an additional parameter to the script, which you can obtain on the “Get Started” page. For example:

Default

curl -s https://download.sysdig.com/stable/install-agent-kubernetes | sudo bash -s -- --access_key <your_access_key> --collector collector-static.sysdigcloud.com --collector_port 6443 --imageanalyzer

SaaS in eu1 region, append:

--analysismanager https://eu1.app.sysdig.com/internal/scanning/scanning-analysis-collector

On-Prem, append:

--analysismanager https://sysdig.my.company.com/internal/scanning/scanning-analysis-collector

That is, set the parameter to your backend base URL followed by /internal/scanning/scanning-analysis-collector.

On-Prem with self-signed cert:

If you are running an On-Prem Sysdig backend that exposes a self-signed certificate, add -cc false to the command line so the node image analyzer will accept it.

Kubernetes Requiring Custom Socket Path

By default, the node image analyzer will automatically detect the socket to mount from:

  • Docker socket from /var/run/docker/docker.sock

  • CRI-O socket from /var/run/crio/crio.sock

  • CRI-containerd socket from /var/run/containerd/containerd.sock

Some setups require the analyzer to use custom socket paths.

If the socket is located outside /var/run, the corresponding volume must be mounted as well. You can configure it via the single line installer script or by manually editing the daemonset and configmap variables.

When using the installer, use the -cv option to mount an additional volume and add -ds, -cs, or -cd to specify a Docker, CRI, or CRI-containerd socket respectively.

See the script's -help output for additional information.

Examples:

For K3S, which uses containerd, add:

-cd unix:///run/k3s/containerd/containerd.sock -cv /run/k3s/containerd

For Pivotal, which uses a custom path for the Docker socket, use:

-ds unix:///var/vcap/data/sys/run/docker/docker.sock -cv /var/vcap/data/sys/run/docker
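As an added example (not part of the Sysdig docs or the installer script), the POSIX shell functions below assemble the extra installer flags described in the two sections above: the --analysismanager endpoint, with -cc false for a self-signed on-prem certificate, and the -ds/-cs/-cd socket flag, adding the matching -cv volume only when the socket lies outside /var/run. The function names and the runtime labels docker/cri/containerd are my own.

```shell
#!/bin/sh
# Added example, not Sysdig's code: derive install-agent-kubernetes flags
# for an on-prem/alternate-region backend and a custom runtime socket.

# $1 = backend base URL (e.g. https://sysdig.my.company.com)
# $2 = "selfsigned" to also disable certificate checking (-cc false)
analysismanager_flags() {
  base="${1%/}"   # drop a trailing slash before appending the fixed path
  flags="--analysismanager ${base}/internal/scanning/scanning-analysis-collector"
  [ "$2" = "selfsigned" ] && flags="$flags -cc false"
  printf '%s' "$flags"
}

# $1 = runtime: docker | cri | containerd
# $2 = socket as a unix:// URL, e.g. unix:///run/k3s/containerd/containerd.sock
# Emits -ds/-cs/-cd; when the socket is outside /var/run it also emits
# -cv <socket directory>, which the daemonset must mount from the host.
socket_flags() {
  case "$1" in
    docker)     opt=-ds ;;
    cri)        opt=-cs ;;
    containerd) opt=-cd ;;
    *) echo "unknown runtime: $1 (expected docker, cri or containerd)" >&2; return 1 ;;
  esac
  path="${2#unix://}"
  case "$path" in
    /*) ;;
    *) echo "socket must be an absolute unix:// path: $2" >&2; return 1 ;;
  esac
  flags="$opt unix://$path"
  case "$path" in
    /var/run/*) ;;                          # default mount already covers it
    *) flags="$flags -cv ${path%/*}" ;;     # mount the socket's directory
  esac
  printf '%s' "$flags"
}

# Example (constructed): K3S node reporting to a self-signed on-prem backend.
# echo "$(analysismanager_flags https://sysdig.my.company.com selfsigned) \
#   $(socket_flags containerd unix:///run/k3s/containerd/containerd.sock)"
```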

Running Node Image Analyzer Behind a Proxy

Depending on your organization's network design, you may require the HTTP NIA requests to pass through a proxy in order to reach the Sysdig Secure backend. To do so, you must edit the sysdig-image-analyzer configmap (which is in the sysdig-agent namespace by default) and configure the following variables:

  • http_proxy / https_proxy: Set to the relevant proxy URL, e.g. http://my_proxy_address:8080.

    In most cases it is enough to specify http_proxy, as it applies to HTTPS connections as well.

  • no_proxy: Use this parameter to exclude certain subnets from the proxy by adding a comma-separated exclusion list, e.g. 127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8

Node Image Analyzer Configmap Options

For special cases, the node image analyzer can be configured by editing the sysdig-image-analyzer configmap in the sysdig-agent namespace with the following options:

  • docker_socket_path: The Docker socket path, defaulting to unix:///var/run/docker/docker.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • cri_socket_path: The socket path to a CRI-compatible runtime, such as CRI-O, defaulting to unix:///var/run/crio/crio.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • containerd_socket_path: The socket path to a CRI-containerd daemon, defaulting to unix:///var/run/containerd/containerd.sock. If a custom path is specified, ensure it is correctly mounted from the host inside the container.

  • collector_endpoint: The endpoint of the Scanning Analysis collector, in the format https://<API_ENDPOINT>/internal/scanning/scanning-analysis-collector

  • ssl_verify_certificate: Can be set to "false" to allow insecure connections to the Sysdig backend, such as for on-premises installs that use self-signed certificates. By default, certificates are always verified.

  • debug: Can be set to "true" to show debug logging, useful for troubleshooting.

  • http_proxy, https_proxy, no_proxy: Proxy configuration variables (see Running Node Image Analyzer Behind a Proxy above).
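The proxy settings and the configmap options above can be combined into one manifest. As an added example (not Sysdig's shipped configmap), the shell function below renders a sysdig-image-analyzer ConfigMap for the sysdig-agent namespace, assuming the documented option names are the configmap's data keys; the function name and argument layout are my own.

```shell
#!/bin/sh
# Added example, not Sysdig's code: render the sysdig-image-analyzer ConfigMap
# from a backend base URL, a TLS verification switch and an optional proxy.
# Assumption: the options listed on this page are plain data keys of the configmap.
#
# usage: render_nia_configmap BASE_URL SSL_VERIFY [PROXY_URL]
#   BASE_URL    backend base URL, e.g. https://sysdig.my.company.com
#   SSL_VERIFY  "true" or "false" (false only for self-signed on-prem certificates)
#   PROXY_URL   optional, e.g. http://my_proxy_address:8080
render_nia_configmap() {
  base="${1%/}"
  verify="$2"
  proxy="$3"
  case "$verify" in
    true|false) ;;
    *) echo "ssl_verify_certificate must be true or false, got: $verify" >&2; return 1 ;;
  esac
  case "$base" in
    https://*) ;;
    *) echo "collector endpoint must be https, got: $base" >&2; return 1 ;;
  esac
  [ "$verify" = "false" ] && echo "warning: TLS verification disabled for $base" >&2
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: sysdig-image-analyzer
  namespace: sysdig-agent
data:
  collector_endpoint: "${base}/internal/scanning/scanning-analysis-collector"
  ssl_verify_certificate: "${verify}"
  debug: "false"
EOF
  # http_proxy also applies to HTTPS connections, so https_proxy is left unset;
  # no_proxy keeps loopback and private ranges off the proxy.
  if [ -n "$proxy" ]; then
    cat <<EOF
  http_proxy: "${proxy}"
  no_proxy: "127.0.0.1,localhost,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8"
EOF
  fi
}

# Example (constructed values): on-prem backend with a self-signed cert behind a proxy.
# render_nia_configmap https://sysdig.my.company.com false http://my_proxy_address:8080
```

Merge the rendered keys into the configmap you downloaded rather than replacing it, since the shipped file may carry other keys this example does not know about.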

Manually Scan an Image

If the node image analyzer is not installed, then when a new image is added to a running environment it may need to be scanned manually. This can be done from either the Runtime tab, or the Scan Results tab.

From the Runtime Tab

To manually scan an image from the Runtime tab:

  1. From the Image Scanning module, choose the Runtime tab.

  2. Select an image from the list of unscanned images.

  3. Click Scan Now.

From the Scan Results Tab

  1. From the Image Scanning module, choose the Scan Results tab.

  2. Click Scan Image.

  3. Define the path to the image, and click Scan.