When Aqua releases new CSPM plugins, a specific process is followed to ensure proper testing, notification, and release of the new checks. Because the cloud providers are releasing new services and settings all the time, CSPM routinely releases new plugins to keep its platform up to date.
CSPM Plugin Release Process
When Aqua releases new CSPM plugins, the following process is used:
- New plugins are developed based on customer requests, industry and compliance requirements, and open source contributions on an ongoing basis.
- Aqua develops and tests the plugins against its own test environments using criteria established in the evaluation process.
- Once ready, new plugins are pushed to the live Aqua environment, but are deployed in a "disabled" state.
- Disabled plugins can be tested by any user using the "Live Run" tool, but these plugins will not run as part of on-demand and background scans, and will not appear in any reports.
- Aqua sends a notification to subscribed users (you can opt into this notification from the "Account Settings" page under the "Notifications" tab) informing them of the availability of new plugins. This notification is typically sent 5-7 days prior to the plugin becoming enabled.
- During this time, you can continue using the Live Run tool to test the plugin in your environments. If you choose to use the plugin after the date communicated, no action is required; it will simply run as part of a subsequent scan report. However, if you prefer not to consume this plugin, you may suppress the plugin prior to its release date. Suppressed plugins do not trigger "New Risks Detected" emails or integration alerts, and only appear on scan reports under the "Suppressed Results" section.
- For users who opt into the "Pre-Suppress Plugins" feature (described below), Aqua will automatically suppress the plugin prior to its release date.
"Pre-Suppress" Plugins Option
When new plugins are released and not suppressed ahead of time, either by you or Aqua, they will produce results as part of subsequent scan reports. This can lead to unexpected findings, especially if you do not log into Aqua often. Because Aqua is now checking additional security controls, these findings may be a surprise to you.
The "Pre-Suppress Plugins" option allows you to tell Aqua to suppress all new plugins so that they do not produce these new results. This will essentially "freeze" your scan report so that it only produces results based on the set of plugins available at the time, but has the side effect of preventing your account from receiving automatic releases of new security controls.
To enable this option:
- Log in to the Aqua console and navigate to Account Settings.
- Click the Notifications tab.
- Under Pre-Suppress Plugins, enable the toggle.
Pre-suppressing plugins is not recommended unless you routinely visit the Aqua console and evaluate newly-released plugins. If plugins are pre-suppressed, your environments will not be audited for the latest security controls until the plugins are unsuppressed by your account administrator.
Q. If I pre-suppress plugins, how do I activate them later?
A. Whenever you are ready to utilize the suppressed plugin, simply delete the suppression from the "Suppressions" page.
Q. What are the disadvantages of pre-suppressing plugins?
A. Enabling this option means that you will not receive new security checks as they are released by Aqua. These new security checks often check new cloud provider settings and services, so it is strongly recommended to continue consuming these plugins in order to receive the latest security updates.
Q. If I pre-suppress plugins, will I still receive notifications as new plugins are released?
A. Yes. If you opted in to the "New Plugin Emails" setting, you will continue receiving notifications.
Q. Can I disable this setting later?
Q. How can I see which plugins are suppressed?
A. You can see all suppressions at any time from the "Suppressions" page. Suppressions can be added or removed from this page.