Deployment Task

This article explains how to set a stronger, more secure Image Assurance policy for base images than regular application images.


Deployment Steps

The Aqua console allows you to create multiple Image Assurance profiles.  The default policy will apply to all images, but all additional policies will be scoped to a subset of images.  In order to apply a separate policy with stronger security controls against only base images, ensure that the scoping policy for this policy will identify the base images.  The scoping section of Image Assurance policy is only in non-default policies, and looks like this:

The Image Assurance policies will allow you to scope based on the image name. If your images include a common prefix, you can specify this in the scoping rules via Container → Image, and then in the Attribute field, specify the image name.  You can specify multiple images here, but you should click the 'ADVANCED' button if this is the case, and change the operator from AND to OR, so that either criterion will take effect instead of both.  For example, if you have repo1/image:tag and repo2/image:tag then an AND rule here, it will match only images that match both criteria (which is not possible).  An OR operator here will match both images.  For example: 

This does not need to use specific image names, however.  You could use an Aqua label in the policy, or you could specify all images from a configured Aqua registry definition.  If you do use the Registry option, you should disable the auto-pull mechanism, or at least use a repo pull pattern in the registry config, to avoid accidentally pulling in images that are not base images.