Deployment Task

This article describes methods and considerations for ingesting images with Aqua. 

Deployment Steps

Automatic pull from registry

Aqua can enumerate a registry on a nightly basis to find and add images that it does not know about yet.  This is configured on a per-registry basis, directly in the registry configuration settings.   This can be found in the Aqua Console via System -> Integrations -> Registries.  It will be under the 'Advanced settings' for your specific registry.

Webhook Notification

Many registries can be configured to send webhook notifications to external parties after a new image is added.  Aqua implements a receiver for those registries which support webhook notificaitons. 

This is configured directly on the registry configuration page via System -> Integrations -> Registries, within the 'Advanced settings' of the specific registry.

When Aqua receives a webhook notification, it will register the image, scan it, and evaluate any image assurance policies the image is in scope for.

Registration via CI/CD with scanner-CLI

The scanner-CLI can register images with the Aqua console after a scan is performed.  You can choose to either register the image regardless of scan result, or register the image only if there are no image assurance policies violated (from v.4.0 and higher). This is useful in scenarios where images are not pushed onto the registry after a CI/CD scan failed.  

There is a support knowledgebase article here which describes the process in more detail.  For more information on all of the parameters you can use with the scanner-CLI, you can pass the --help parameter when calling it, and the documentation can be found here.

Registration via REST API

Aqua supports registering images via the REST API.  After an image is registered, it is automatically scanned.  However, if you wish to scan an image without registering it, you should use the scanner-CLI.  

Registering images via the REST API is useful for advanced scenarios, such as during enforcement of a promote-to-production process, or registering an image to multiple Aqua instances.  You can find documentation on how to scan and register images here


Image Cleanup

Image cleanup settings allow you to remove images from Aqua when they are no longer needed.  These settings can be configured in the Aqua Console via System -> Settings -> Cleanup.  

This setting currently depends on the nightly pull being enabled on the registry, as it occurs at the same time, but future versions of the product will decouple this dependency. 

Rescanning Images Periodically

There are two settings enabled which allow you to rescan your existing images.  A schedule can be set directly in the registry configuration on the System -> Integrations -> Registries -> Specific Registry page.  It is under "Advanced settings".  

You can also set this globally, for all registries, via System -> Settings -> Scan options, by selecting the box for "Scan all images on a regular basis".  Note that both this setting and the per-registry configuration will take effect, so only use one method to avoid duplication of effort.