Summary


This article will describe what "distroless" images are and how Aqua handles scanning these types of images. 


What are "distroless" images?


"Distroless" images allow you to package only your application and its dependencies in a container image. This means there is no package manager, shell or other programs that typically come with a container image. Excluding these unnecessary components significantly shrinks both the container footprint and the attack surface, which means a lighter image and better security.


How does Aqua scan "distroless" images?


Aqua's scanners report a "distroless" image as partially scanned. This is because "distroless" images do not have a package manager. You can read more about partially scanned images here.


For "distroless" images, Aqua does scan binaries and programming-language files, so only vulnerabilities in binaries and programming-language packages are displayed. The list of deployed packages in a "distroless" image is stored in a text file that Aqua does not parse, so no package vulnerabilities can be derived from it.
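As an added illustration (not Aqua's code), this parses a constructed dpkg-style package list of the kind a distroless image carries and checks it against constructed advisory data using dpkg version ordering; an unparsed list (an empty map) yields no findings, which is the gap the partial-scan status reflects. It assumes the Debian control-file layout that Google's distroless images use under /var/lib/dpkg/status.d/, and the package names, versions and fixed versions are invented.

```python
import re

# Constructed sample in Debian control-file format, the per-package layout Google's
# distroless images use under /var/lib/dpkg/status.d/ (an assumed layout).
SAMPLE_STATUS = """\
Package: libc6
Version: 2.31-13+deb11u5

Package: openssl
Version: 1.1.1n-0+deb11u3
"""
FIXED_IN = {"openssl": "1.1.1n-0+deb11u4", "libc6": "2.31-13+deb11u5"}  # constructed

def parse_status(text):
    """Return {package: version} from blank-line separated control-file stanzas."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in stanza.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "Package" in fields and "Version" in fields:
            packages[fields["Package"]] = fields["Version"]
    return packages

def _cmp_part(a, b):
    """dpkg ordering for one version part: '~' < end of string < letters < others."""
    def order(c):
        return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (order(a[0]) if a else 0), (order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Negative if v1 < v2 under dpkg rules: epoch, then upstream, then revision."""
    def split(v):
        m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def findings(packages, fixed_in):
    """Installed packages below their fixed version; empty when nothing was parsed."""
    return sorted(p for p, v in packages.items()
                  if p in fixed_in and compare_versions(v, fixed_in[p]) < 0)
```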


When scanning a "distroless" image with the "Scan non-package executables in images (beta)" scanning option turned OFF, the "Images" tab shows the scan result as "No Issues" (figure 1-1).


Figure 1-1


When looking at the vulnerabilities tab for the image with the "Scan non-package executables in images (beta)" scanning option turned OFF, you will see the partially scanned message and no vulnerabilities listed (figure 1-2).


Figure 1-2


When scanning a "distroless" image with the "Scan non-package executables in images (beta)" scanning option turned ON, in the "Images" tab, you will see a vulnerability overview (figure 1-3). 


Figure 1-3


When looking at the vulnerabilities tab for the image with the "Scan non-package executables in images (beta)" scanning option turned ON, you can see some vulnerabilities listed, but only for binaries and programming languages (figure 1-4).


Figure 1-4


Please note that although some binary and programming-language vulnerabilities are listed, the image is still considered partially scanned.


Additional Information


Aqua version 4.2 update 20 addresses an issue in which "distroless" images showed "No issues" after scanning even when the "Scan non-package executables in images" scan option was enabled.


You can read all of the release notes for Aqua version 4.2 update 20, here.


In Aqua CSP 4.6, Aqua has renamed this scanning option to "Scan stand-alone binaries in images".