Deployment Task

To use approved base images, the base image must be registered and added to the Approved Base Image list for the appropriate Image Assurance Profile. Once the image is added, any scanned image checked against that policy must be built FROM one of the approved base images in the list. An image that is not built from one of them fails this assurance control and is marked as disallowed.

Deployment Steps

1. Create a Base Image Assurance policy (optional)

    This policy would be used to scan the base image and remediate any issues.

2. Scan the base image

    By scanning the base image, you register the image and create a digest. The digest is used for image verification, whereas the image name is used to identify the appropriate image.

3. Add the base image to the appropriate Image Assurance Policies

    When you add the base image to an assurance policy, you indicate that all images scanned against this policy require a base image from the approved base image list.

4. Create a new 'child' image based on the approved base image

    The child image's Dockerfile should include a FROM line with the specific image used in steps 2 & 3. Docker will then pull/use that image as the base image for the rest of the build steps.

5. Scan the new image

    When scanning the new image, you should see that it passes the approved base image policy controls and that the scan has identified the base image. This base image should be the same one used in steps 2-4.


The approved base image is identified by an image registry, name, and digest. These need to correlate to the image known to Aqua, and the digest must match. In other words, if you were to use the base image 'alpine:latest', Aqua has the digest of alpine:latest at the time of its last scan. If application A is built on a newer version of alpine:latest, it will fail the assurance policy, because the application's base image does not match the known approved base image digest.
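The tag drift described above can be caught before the image ever reaches a scan. The following is an added example, not Aqua code or part of the Aqua product: a pre-build check that parses a Dockerfile's FROM lines and compares registry, name, and digest against a local allow-list. The allow-list contents, the placeholder digests, and the function names are assumptions, as is the premise that the approved digest is the registry digest usable in `FROM name@sha256:...`.

```python
import re

# Constructed allow-list: (registry, name) -> approved digest (placeholder values).
APPROVED = {("docker.io", "library/alpine"): "sha256:" + "a" * 64}

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_ref(ref):
    """Split an image reference into (registry, name, tag, digest)."""
    ref, _, digest = ref.partition("@")
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # Docker Hub official images
    return registry, path, tag, digest or None

def check_dockerfile(text, approved=APPROVED):
    """Return (line_no, ref, verdict) for every FROM line in a Dockerfile."""
    stages, results = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group(1), m.group(2)
        if ref.lower() == "scratch" or ref.lower() in stages:
            verdict = "skip"  # empty base or an earlier build stage
        else:
            registry, name, _tag, digest = parse_ref(ref)
            want = approved.get((registry, name))
            if want is None:
                verdict = "not-approved"
            elif digest is None:
                verdict = "unpinned"  # tag only: content can drift after approval
            elif digest != want:
                verdict = "digest-mismatch"
            else:
                verdict = "ok"
        if alias:
            stages.add(alias.lower())
        results.append((n, ref, verdict))
    return results

# Constructed sample Dockerfile: a tag-only base, a digest-pinned base, a stage reuse.
SAMPLE = "FROM alpine:latest\nFROM alpine:3.19@sha256:" + "a" * 64 + " AS build\nFROM build\n"
```

A FROM line that takes its image from a build argument (`FROM ${BASE}`) cannot be resolved statically and is reported as `not-approved` by this check.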