The image score is a risk indicator aggregating findings from vulnerability scanning and dynamic threat analysis.


Please note that Aqua Image Score is still labeled as "Preview" and is expected to go through additional changes before it will be officially released.




Introduction to Aqua Image Score

The Aqua Image Score is a letter grade between “A” and “F” that represents the overall security risk of a container image. The image score is used in reports and assurance policies.


Image Score Calculation

The image score is calculated by aggregating security findings discovered by vulnerability scanning and Dynamic Threat Analysis (DTA) in the following manner.

  • Known vulnerabilities (CVEs) discovered when scanning the image for vulnerabilities are assessed based on the Common Vulnerability Scoring System (CVSS) using their numerical score, attack vector, exploit indicator, and their fix indicator.
  • Risks discovered during the image analysis are assessed based on the Aqua DTA severity model used in the DTA scanning. 


The calculated numerical score is between 0 and 100 and is then mapped to a letter grade using the table below.

Grade    Score Range
A        90-100
B        80-90
C        70-80
D        60-70
F        Below 60


Factors Lowering the Image Score

The image score starts at 100 and is reduced for each risk factor discovered. The following factors reduce the image score.

  • DTA risks based on severity: Low, Medium, High, Critical deduct 15, 25, 35, 45 points respectively.
  • CVEs based on severity: Low, Medium, High, Critical deduct 5, 10, 25, 30 points respectively.
  • CVEs with Network Attack Vector: Deduct 5 points.
  • CVEs with Published Exploit: Deduct 5 points. 
  • CVEs with Remote Exploit: Deduct 5 points.
  • CVEs with Published Fix: Deduct 5 points.
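The arithmetic from the "Image Score Calculation" and "Factors Lowering the Image Score" sections, carried through on constructed findings. This is an added illustration, not Aqua's implementation: the deduction values are the ones listed above, the Cve/DtaRisk fields and placeholder CVE IDs are assumptions, and since the page's grade ranges share endpoints (80-90, 90-100) the example assumes the lower bound of each range is inclusive.

```python
from dataclasses import dataclass
# Points deducted per finding, as listed on the page.
DTA_DEDUCTIONS = {"low": 15, "medium": 25, "high": 35, "critical": 45}
CVE_DEDUCTIONS = {"low": 5, "medium": 10, "high": 25, "critical": 30}
CVE_FLAG_DEDUCTION = 5  # per flag: network vector, published exploit, remote exploit, published fix

@dataclass
class Cve:
    cve_id: str
    severity: str
    network_vector: bool = False
    published_exploit: bool = False
    remote_exploit: bool = False
    published_fix: bool = False

@dataclass
class DtaRisk:
    name: str
    severity: str

def cve_deduction(cve):
    # Severity deduction plus 5 points for each attribute flagged on the CVE.
    sev = cve.severity.lower()
    if sev not in CVE_DEDUCTIONS:
        raise ValueError(f"unknown CVE severity: {cve.severity}")
    flags = (cve.network_vector, cve.published_exploit, cve.remote_exploit, cve.published_fix)
    return CVE_DEDUCTIONS[sev] + CVE_FLAG_DEDUCTION * sum(flags)

def image_score(cves, dta_risks):
    # Start at 100, subtract every deduction, clamp to the 0..100 range the page states.
    score = 100 - sum(cve_deduction(c) for c in cves)
    for risk in dta_risks:
        if risk.severity.lower() not in DTA_DEDUCTIONS:
            raise ValueError(f"unknown DTA severity: {risk.severity}")
        score -= DTA_DEDUCTIONS[risk.severity.lower()]
    return max(0, score)

def letter_grade(score):
    # The page's ranges share endpoints (80-90, 90-100); assumed here: lower bound inclusive.
    for threshold, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return grade
    return "F"

def sample_image():
    # Constructed findings with placeholder IDs, not real scan output.
    cves = [Cve("CVE-0000-0001", "medium", network_vector=True, published_fix=True)]  # 10+5+5 = 20
    risks = [DtaRisk("unexpected outbound connection", "low")]  # 15
    return cves, risks  # image_score -> 65, letter_grade -> "D"
```

Because a single critical DTA risk alone costs 45 points, one such finding drops an otherwise clean image straight to "F", which is worth keeping in mind when setting assurance-policy thresholds on the grade.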