Scan Running Images

It is possible to trigger scans of running images from the Sysdig UI or to install a node-based image analyzer alongside the agent to auto-scan every image.

Auto-Scan with Node Image Analyzer

The node image analyzer provides the capability to scan images as soon as they start running on hosts where the analyzer is installed. It is typically installed alongside the Sysdig agent container.

This component was introduced to reduce dependencies on analyzing images within the Sysdig backend (SaaS or On-prem). Some advantages include:

  • Sharing credentials with the Sysdig backend in order to pull images is not required

  • Sharing the image content and potentially code with the Sysdig backend is not required; only metadata will be sent out

  • Opening a network route to allow the Sysdig backend to reach the user's registries is not required

If the node analyzer is installed, there is no longer any need to manually trigger running image scans.

Installing the Node Image Analyzer


If you have run the single line agent install with the --image-analyzer flag, then this component is already running in your infrastructure.

The feature is available for Kubernetes environments in Sysdig Secure SaaS. It will be available in the upcoming 3.5 on-prem release (the release after v3.2).

Single-Line Install (Recommended)

The analyzer is included by default in the Connect Your Data Sources portion of the Sysdig Secure Get Started page. This script installs the node image analyzer alongside the agent.

For Sysdig Secure SaaS: Go to to get the script.

For Sysdig Secure On-prem: Choose the Get Started page from the Rocket icon in the navigation bar.

Daemonset Install

To deploy the image analyzer using Kubernetes daemonsets, download the following configuration files, edit them as annotated within the files, and deploy them.

To deploy the image analyzer concurrently with the Sysdig agent, you would also download the sysdig-agent-clusterrole.yaml, sysdig-agent-daemonset-v2.yaml, and sysdig-agent-configmap.yaml and deploy them as described in Agent Install: Kubernetes.

Manually Scan an Image

If the node image analyzer is not installed, then when a new image is added to a running environment it may need to be scanned manually. This can be done from either the Runtime tab, or the Scan Results tab.

From the Runtime Tab

To manually scan an image from the Runtime tab:

  1. From the Image Scanning module, choose the Runtime tab.

  2. Select an image from the list of unscanned images.

  3. Click Scan Now.

From the Scan Results Tab

  1. From the Image Scanning module, choose the Scan Results tab.

  2. Click Scan Image

  3. Define the path to the image, and click Scan.