Deployment Task

This article explains how to prevent a specific vulnerability that Aqua has detected from being included in Aqua's Image Assurance evaluation. For example, a vulnerability may be failing the image scan but exist in a package that I cannot update, or another mitigating factor may make the risk acceptable (for example, the vulnerability is only exploitable remotely and the container does not expose any ports, so remote access is impossible). If this vulnerability is causing a failed result, how can I exclude it so that the scan result will pass?

Deployment Steps

Specific vulnerabilities can be Acknowledged from the image's vulnerabilities view in the Aqua Console. The acknowledgement can apply either to the specific image or to all images registered in the Aqua Console. A justification is required, and an audit event is generated for the acknowledgement.

To do this, browse to the Images view, expand a repo for a specific image, and click on the image. In the resulting screen, click the Vulnerabilities tab. The list of vulnerabilities in the image will be displayed. At the right side of each vulnerability row there are three dots. Click the three dots, and a selection menu to Acknowledge the vulnerability appears.

In the resulting modal view, select whether the acknowledgement applies to all images or just the selected image, provide a reason for the acknowledgement, and click Confirm. From this point, the vulnerability will no longer contribute towards the Image Assurance authorization result when an image is scanned.

You can view all acknowledged vulnerabilities in the Aqua Console by browsing to the Compliance -> Vulnerabilities page and selecting the Acknowledged Security Issues tab.