Summary


You are using the Aqua Jenkins Scanner plugin (or the scanner CLI / UBI scanner image) in CI/CD to scan images from your registries, and you want the scans to run under a dedicated service account rather than a personal login.


You want that service account to hold a custom role limited to:

- Scanner API functionality

- Images View and Edit functionality


The service account is a member of an AD/LDAP group. Mapping that group to the custom role gives Jenkins an account with exactly the permissions scanning needs and nothing else (it cannot change policies, users or other settings).


When a script or a Jenkins pipeline stage (for example one triggered by a GitHub pull request and image build) starts a scan with curl, the call looks like this, where $HEADER_CONTENT_TYPE is expected to hold the Content-Type header (application/json) and $AQUA_TOKEN is the bearer token obtained for the service account:


    curl -s -I -X POST -H "$HEADER_CONTENT_TYPE" \
        -H "Authorization: Bearer $AQUA_TOKEN" \
        "$AQUA_BASE_URL/scanner/registry/$AQUA_REGISTRY/<imageRepo>/$IMAGE/scan"

The -I flag prints only the response headers, so the status line tells you whether the request was accepted (a 401 or 403 here points at the token or the role mapping); drop -I if you need the JSON body of the response. Quoting the URL keeps image names with slashes or special characters intact.


Solution


To get this to work, create a custom role that allows:
- Scanner: image read/write
- Assets > Images: view/edit

1. In the Aqua console, create a role with those two permissions and nothing more (least privilege: the scanner account should not be able to change policies, users or other settings).

2. Save the role in Aqua.

3. Map the Aqua role to the LDAP group that contains the scanner service account.


Save your changes within the UI.


When deploying the scanner CLI using Kubernetes YAML or Helm charts, set the authentication arguments of the scanner daemon to the service account's LDAP user name and password as follows. Note that the password given on the command line is readable by anyone who can run kubectl describe pod or kubectl get pod -o yaml, and that an http:// host URL sends it in clear text; use https:// if the console is served over TLS.



Kubernetes YAML


    spec:
      serviceAccount: aqua
      containers:
      - name: aqua-scanner
        image: registry.aquasec.com/scanner:4.6.20079
        args: ["daemon", "--user", "aqua-scann-non-prod-id@corporateLDAPdomain.com", "--password", "<scannerLDAPPassword>", "--host", "http://<AQUA_UI_FQDN>:8080"]



HELM


    image: "registry.aquasec.com/scanner:4.6.<buildNumber>"
    imagePullPolicy: "IfNotPresent"
    args:
    - "daemon"
    - "--user"
    - "aqua-scann-non-prod-id@corporateLDAPdomain.com"
    - "--password"
    - "<scannerLDAPPassword>"


Then redeploy your scanner instance and confirm that it registered with the server using kubectl logs <kubernetes_scanner_ID> (the scanner pod name). An authentication or authorization error in the log means the LDAP credentials or the role mapping from the previous step should be checked first.
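The Kubernetes and Helm fragments above put the LDAP password directly in the container args, where anyone with kubectl describe pod or kubectl get pod -o yaml rights can read it. The following manifest is an added example (not from the original page or from Aqua) that keeps the same daemon arguments but takes the password from a Kubernetes Secret through an environment variable; the Secret name aqua-scanner-creds, its key password, the aqua namespace and the Deployment labels are assumptions. Kubernetes expands $(VAR) references in args from the container's env, so the scanner still receives the plain password while the manifest and the stored pod spec contain only the reference. The weak form is shown commented out beside the corrected one.

```yaml
# Added example: scanner password sourced from a Secret instead of a literal arg.
# Names (aqua-scanner-creds, the "password" key, the aqua namespace) are assumptions.
#
# Create the Secret out of band rather than committing it to git, e.g.
#   kubectl -n aqua create secret generic aqua-scanner-creds \
#     --from-literal=password='<scannerLDAPPassword>'
# and restrict who may read it with RBAC (check with
#   kubectl -n aqua auth can-i get secrets --as=<jenkins-user>).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-scanner
  namespace: aqua
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aqua-scanner
  template:
    metadata:
      labels:
        app: aqua-scanner
    spec:
      # serviceAccountName replaces the deprecated serviceAccount field
      serviceAccountName: aqua
      containers:
      - name: aqua-scanner
        image: registry.aquasec.com/scanner:4.6.20079
        imagePullPolicy: IfNotPresent
        env:
        - name: SCANNER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: aqua-scanner-creds
              key: password
        # Weak form from the original fragments (password visible in the pod spec):
        # args: ["daemon", "--user", "aqua-scann-non-prod-id@corporateLDAPdomain.com",
        #        "--password", "<scannerLDAPPassword>", "--host", "http://<AQUA_UI_FQDN>:8080"]
        #
        # Corrected form: $(SCANNER_PASSWORD) is expanded by the kubelet from the env
        # entry above; kubectl get pod -o yaml shows only the reference, not the value.
        args:
        - "daemon"
        - "--user"
        - "aqua-scann-non-prod-id@corporateLDAPdomain.com"
        - "--password"
        - "$(SCANNER_PASSWORD)"
        - "--host"
        # Use https:// here if the console is served over TLS so the password is not
        # sent in clear text; the http://...:8080 value is the one from the original page.
        - "http://<AQUA_UI_FQDN>:8080"
```

The same change applies to a Helm deployment when the chart exposes an env list for the scanner container: reference the Secret there and pass "$(SCANNER_PASSWORD)" in the args values instead of the literal password. Rotating the LDAP password then means updating the Secret and restarting the scanner pod, not editing manifests.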


References


https://docs.aquasec.com/reference#image-scanning-api