This feature is not Generally Available yet. Refer to this document only if the feature, Suppression of image vulnerabilities, is enabled in your Aqua environment. If you would like to try it, contact Aqua Support to have the feature enabled.


Introduction

As explained in Reactive Risk Management, you can:

  • Suppress any kind of security issue: vulnerability, sensitive data, or malware
  • Set an expiration period for the suppressions
  • Change the expiration period of the existing suppressions or cancel the expiration
  • Unsuppress a security issue


Suppression applicability

When you suppress a security issue, you should select the applicability of the suppression. The choices are:

  1. Only the image you have selected
  2. All images from the repository of the selected image
  3. All images known to Aqua (provided that they are of the same exact OS version and the same exact resource name and version)


Once you set the applicability, Aqua retains it as a rule for future use. This means, for each of the cases above:

  1. Aqua will apply the suppression to all updates of the selected image.
  2. Aqua will apply the suppression to all new or updated images in the repository of the selected image.
  3. Aqua will apply the suppression to all new or updated images (of the same OS, resource name and version) registered with Aqua.


Suppression expiration

When you suppress a security issue manually, you can optionally set an expiration (between 1 and 999 days from the present time) for the suppression. The "rule", as described above, will be deleted at the end of this period, and an audit event will be generated for the rule deletion.


Suppression expiration can give image developers a "grace period" for providing a more durable solution for mitigating the risk of the security issue.
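The applicability and expiration rules from the two sections above, modelled as an added example (this is not Aqua code or the Aqua API). All class and field names are assumptions, the sample data is constructed, and the model assumes that an image is identified by repository plus image name and that a rule stops applying once its expiration has passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Finding:
    """One security issue detected in one image (hypothetical field names)."""
    issue: str             # vulnerability, sensitive-data or malware identifier
    repository: str
    image: str             # image name within the repository, e.g. a tag
    os_version: str
    resource: str
    resource_version: str

@dataclass(frozen=True)
class SuppressionRule:
    origin: Finding        # the finding the user suppressed
    scope: str             # "image", "repository" or "all"
    reason: str            # required in the Suppress dialog
    created: datetime
    expiry_days: Optional[int] = None   # None means no expiration

    def __post_init__(self):
        if self.scope not in ("image", "repository", "all"):
            raise ValueError("unknown scope")
        if not self.reason.strip():
            raise ValueError("a reason is required")
        if self.expiry_days is not None and not 1 <= self.expiry_days <= 999:
            raise ValueError("expiration must be 1 to 999 days")

    def expired(self, now: datetime) -> bool:
        return (self.expiry_days is not None
                and now >= self.created + timedelta(days=self.expiry_days))

    def applies_to(self, f: Finding, now: datetime) -> bool:
        o = self.origin
        if self.expired(now) or f.issue != o.issue:
            return False
        if self.scope == "image":        # updates of the selected image
            return (f.repository, f.image) == (o.repository, o.image)
        if self.scope == "repository":   # any image in the same repository
            return f.repository == o.repository
        # "all": same exact OS version, resource name and resource version
        return ((f.os_version, f.resource, f.resource_version)
                == (o.os_version, o.resource, o.resource_version))

# Constructed sample data, not taken from a real scan.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
BASE = Finding("EXAMPLE-VULN-1", "team/api", "api:1.0", "debian 12.4", "openssl", "3.0.11")
```

Running such a model over an exported list of suppressions is one way to review how widely each rule reaches and which ones never expire.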


UI locations

The following actions can be initiated from different pages and tabs of the UI as part of applying and managing manual suppressions, as explained in the previous topics. This is a summary.


From the Images screen

  1. Select the image of interest.
  2. Select the tab corresponding to the kind of security issue you want to manage.
  3. Do the following to access the suppression-related actions:
     • Vulnerabilities: Click the entry in the Suppression column.
     • Sensitive Data: Click the three vertical dots that appear at the end of the applicable table entry.
     • Malware: Click the three vertical dots that appear at the end of the applicable table entry.
  4. You can then:
     • Suppress the security issue
     • Set, update, or cancel the expiration of an existing suppression (for vulnerabilities only)
     • Unsuppress (remove) an existing suppression


From the Vulnerabilities screen

Select the vulnerability of interest and click the entry in the Suppression column. You can then:

  • Suppress the vulnerability
  • Set, update, or cancel the expiration of an existing suppression
  • Unsuppress (remove) an existing suppression


From the Suppressions tab of the Images screen

Select the suppression of interest. From the panel containing details of the suppression, you can:

  • Set, update, or cancel the expiration of the suppression
  • Unsuppress (remove) an existing suppression


Proceed as described below.


Suppress a security issue

When you suppress a security issue, you will see a dialog like the one shown below for a vulnerability (the dialogs for sensitive data and malware are quite similar).



  1. Select the applicability of the suppression as explained above.
  2. Enter the reason for the suppression (required) and click Suppress.


Once a security issue is suppressed, it will be added to the Suppressions tab of the Images screen.


Once the vulnerability is suppressed, it will be removed from the list(s) of vulnerabilities.


Suppression of a security issue is recorded as an audit event, visible in both the Audit tab of the Image screen (shown) and the Audit section of the UI:



Set the suppression expiration

When you select a suppression that has no expiration period, you will see a panel like this:



Click Set Expiry and fill in the next dialog:



Update or cancel the suppression expiration

When you select a suppression that does have an expiration period, you will see a panel like the previous one. If the expiration period is already set, you will see the Update Expiry button. Click it, and fill out the dialog:



Unsuppress (remove) an existing suppression

When you select a suppression, the dialog will have an Unsuppress button. Click it, and fill out the dialog: