What's new in the Grafana Image Renderer: higher-quality results, security enhancements, and more

Whether it’s for an email or that upcoming presentation, many Grafana users like to share their favorite dashboards or panels outside of Grafana itself. The Grafana Image Renderer is a backend service for Grafana that helps you do just that by rendering panels and dashboards as images, such as PNGs and PDFs, via a headless browser. It’s commonly used to support Grafana features like exporting dashboards, generating images for alert notifications, and creating PDF reports.

Earlier this year, we started working towards improving the Grafana Image Renderer, with the overall goal of enhancing the service’s performance, reliability, and security. Recently, these efforts resulted in the v5.0 release, which involved a whole rewrite of the service and included significant security improvements for our Grafana Cloud users.

What is the Grafana Image Renderer?

As a backend service for Grafana OSS, Grafana Enterprise, and Grafana Cloud, the Grafana Image Renderer enables various use cases related to generating and sharing images from Grafana. These include:

• Exporting dashboards and panels as PDFs and PNG images
• Including images in alert notifications
• Sharing rendered images via direct links 
• Generating images for PDF exports and scheduled reports (available in Grafana Cloud and Grafana Enterprise)

For a long time, you could choose between installing the Image Renderer as a plugin for Grafana, or deploying it as a service. The plugin was deprecated in September 2025, and the Image Renderer now exists only as a service that you can deploy separately alongside Grafana; it is not bundled with Grafana out of the box. 

Recent updates to the Grafana Image Renderer

Heuristics for higher-quality results

If you’ve used the Grafana Image Renderer — or a feature that it enables, like Grafana reporting and images in alert notifications — you have possibly experienced the service returning a partially blank result. This could have been an entire blank page or a panel that wasn’t fully loaded, or, in some cases, a result that featured your login screen rather than your dashboards.

To address this, the service now uses more heuristics to determine when the rendered website has finished loading. It does this by tracking the number of Grafana queries, network requests, and whether the website keeps changing visually. This leads to higher-quality results in reports and similar. The details include:

• The service will wait for all ongoing network requests to finish, as this is generally an indicator that all API requests and data source queries are complete.
• The service will wait for Grafana to mark all data source queries as complete. Note: this capability requires the Grafana Scenes framework to be enabled.
• The service will wait for the website to complete its rendering process. For example, if there are changes to text or other components, it will wait until everything stabilizes fully. In the configuration options, we call this “DOM hashcode stabilization.”

Security improvements in Grafana Cloud

In the v5.0 release, we took the opportunity to tear down the old implementation and rebuild it to be faster and hardened.

The Grafana Image Renderer relies on Chromium, the upstream open source project behind Chrome, Brave, and Edge. Earlier this year, we reviewed the vulnerabilities that had occurred in the Image Renderer and found they came from one source: Chromium. When a new memory bug was fixed in Chromium every few months, we would rush to fix it in our service as well. While this approach generally worked, we knew we needed a better, more stable plan. 

To break this cycle of constantly patching vulnerabilities, we shifted gears and implemented a significantly enhanced sandbox for Chromium. While Chromium includes its own sandbox out of the box, it didn’t provide the level of isolation required for Grafana Cloud, so we built our own. It works by placing the Chromium browser inside a custom-built, highly restrictive sandbox, powered by Linux’s namespace feature. 

This new sandbox environment strengthens operational security by offering complete isolation from other services, eliminating the possibility of persistent files and terminating all processes once they are complete. If you’re interested in learning more about this, we recommend reading about nsjail and bubblewrap, which are solutions for similar problems.

As of writing, we’ve since seen 23 CVEs reported for Chromium, but our team did not have to rush to release a fix; our implementation was not impacted because of the way it’s now built.

Other noteworthy updates

In addition to the above changes related to heuristics and security, we’ve made the following updates to the Grafana Image Renderer:

• The service has been migrated to Go, meaning less memory usage at idle, and enabling us to implement lower-level security improvements.
• The service will adjust its rate-limit according to your available memory, meaning it will not take a new request if it can’t handle the load.
• There are now significant acceptance tests to the service: no changes can be implemented if they break the service or its interaction with Grafana.
• The service now has a lot of configuration options. You can now tweak every timeout and wait duration, disable heuristics, set various security features like mTLS for tracing, and much more. If you can’t find an option for something you need for your use case, please open an issue on our issue tracker.

Self-managed environments

Like always, if you are a Grafana Cloud user, you have already received all these updates, and don’t need to do anything at all. 

If you run the Grafana Image Renderer on premises, you will need to do a couple things to take advantage of these updates:

• If you use the Grafana Image Renderer as a plugin, you need to migrate to the service deployment instead. Our installation guide has details on how to do this.
• The entire configuration scheme has changed, so if you use :latest tags, please switch to pinned tags. We have kept the environment variable AUTH_TOKEN to keep :latest users functional until the configuration is changed to the new options.

Wrapping up

Overall, the v5.0 release of the Grafana Image Renderer delivers a more reliable and secure image rendering service. We can’t wait to hear what you think.

If you run into issues, please refer to our troubleshooting guide or open an issue and we’d be happy to help.

Grafana Cloud is the easiest way to get started with metrics, logs, traces, dashboards, and more. We have a generous forever-free tier and plans for every use case. Sign up for free now!