V. 3.0 - 3.2

Deployment Task 

The scanner-cli is a robust utility that has multiple functions that result in several arguments, as well as flags related to those arguments. This breaks down each of them for troubleshooting and deployment.

Deployment Steps

Cli Arguments 

The scanner-cli runs as a container in any orchestrator and requires the same parameters being passed regardless of the format, i.e., Docker command, Kubernetes/openshift YAML.

The format for this looks similar to the example below. Map it any YAML format for orchestrator deployment. 

Docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock aquasec/scanner-cli:3.X <argument> -H <aqua_server_url> -U <user> -P <password> <flags> imageName:tag

Required flags:

-H, --host string       Aqua management console address (required)
-P, --password string Aqua management console password (required)
-U, --user string       Aqua management console username (required)

daemonContinuous image scanner
helpHelp about any command  -h, --help                  help for scan
importImport scan results from a JSON file
licensePrint version information and exit
register-allContinuously scan and register local images
scanScan one image      --checkonly             Return 0 exit code, even if the image fails assurance policy
--full-output Show full scanner output (including non-vulnerable files and image metadata)
--collect-executables Collect non-package executables when scanning images (local scans only)
--collect-sensitive Find sensitive data in image
-h, --help help for scan
--hide-base Hide vulnerabilities in the base image
--html Show output in HTML format (the default is JSON)
--htmlfile string Save results in HTML format to the provided path
--jsonfile string Save results in JSON format to the provided path
--local Scan a local image
--register Register the image in the Aqua console
--registry string Registry to scan from
--scan-malware Collect malware files when scanning images
--show-negligible Show negligible/unknown severity vulnerabilities
--show-will-not-fix Show vulnerabilities that will not be fixed
--direct-cc Contact CyberCenter directly (rather than through the Aqua server)
--register-compliant Register the image in the Aqua console only if the scan reports compliance
versionPrint version information and exit.


Singular Scans

When attempting to run singular scans or ad-hoc scans, the appropriate argument is 'scan' with the appropriate flags for the scan logistics. This would include whether the image is local to the scanner (--local), or is presently hosted in a registry (--registry) that Aqua-web is aware of.  With the additional flags, you can specify different conditions for the scan results to be returned. This can include hiding vulnerabilities found in the base image (--hide-base) or showing certain scan information such as malware or sensitive data (--scan-malware & --collect-sensitive).


docker run --rm -ti -v /var/run/docker.sock:/var/run/docker.sock aquasec/scanner-cli:3.X scan -H <aqua_server_url> -U <user> -P <password> --local --collect-sensitive centos:latest

Daemon Scanner

The scanner-cli can also be deployed as an additional scanner for the Aqua console that can handle registration scans. This allows for the scan load to be pushed from the console to the scanners for more throughput. This can be seen in the console under Images > Scan Queue, and should list the registered scanners and their present scan jobs, if any. It will remain as a container in daemon mode and the Aqua console will route scans to it when it is available and when there are enough pending jobs.


docker run -d -v /var/run/docker.sock:/var/run/docker.sock aquasec/scanner-cli:3.2.0 daemon --user <user> --password <password> --host <aqua_server_url>


When deploying in an orchestrator, the scanner-cli will require the same parameters as when running on a Docker host. The only difference is that it will need to be deployed in a YAML file and the corresponding arguments/flags need to be mapped accordingly.


apiVersion: extensions/v1beta1
kind: Deployment
name: aqua-scanner
app: aqua-scanner
name: aqua-scanner
serviceAccount: aqua
- name: aqua-scanner
image: aquasec/scanner-cli:4.2
        args: ["daemon", "--user", "<user>", "--password", "<password>", "--host", "http://aqua-web:8080"]
- mountPath: /var/run/docker.sock
name: docker-socket-mount
- containerPort: 8080
- name: docker-socket-mount
            path: /var/run/docker.sock

Related Information

Scanner-cli Documentation

Openshift Documentation

Kubernetes Documentation