The image score is a risk indicator aggregating findings from vulnerability scanning and dynamic threat analysis.
Please note that Aqua Image Score is still labeled as "Preview" and is expected to go through additional changes before it is officially released.
Introduction to Aqua Image Score
The Aqua Image Score is a letter grade between “A” and “F” that represents the overall security risk of a container image. The image score is used in reports and assurance policies.
Image Score Calculation
The image score is calculated by aggregating security findings discovered by vulnerability scanning and Dynamic Threat Analysis (DTA) in the following manner.
- Known vulnerabilities (CVEs) found when scanning the image are assessed according to the Common Vulnerability Scoring System (CVSS), using their numerical CVSS score, attack vector, exploit indicator, and fix indicator.
- Risks discovered during the image analysis are assessed based on the Aqua DTA severity model used in the DTA scanning.
The calculated numerical score lies between 0 and 100 and is then mapped to a letter grade using the table below.
Factors Lowering the Image Score
The image score starts with a score of 100, which is reduced for each risk factor discovered. The following are factors that reduce the image score.
- DTA risks, by severity: Low deducts 15 points, Medium 25, High 35, and Critical 45.
- CVEs, by severity: Low deducts 5 points, Medium 10, High 25, and Critical 30.
- CVEs with Network Attack Vector: Deduct 5 points.
- CVEs with Published Exploit: Deduct 5 points.
- CVEs with Remote Exploit: Deduct 5 points.
- CVEs with Published Fix: Deduct 5 points.
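As an added worked example (not Aqua's own code), the deduction rules above applied to a constructed set of findings. The CVE identifiers and risk names are placeholders; the letter-grade table is not reproduced on this page, so only the 0 to 100 numeric score is computed.

```python
from dataclasses import dataclass

# Deductions exactly as listed on the page (Aqua Image Score, preview).
DTA_DEDUCTION = {"low": 15, "medium": 25, "high": 35, "critical": 45}
CVE_DEDUCTION = {"low": 5, "medium": 10, "high": 25, "critical": 30}
# Each CVE modifier (network attack vector, published exploit,
# remote exploit, published fix) deducts a further 5 points.
CVE_FLAG_DEDUCTION = 5


@dataclass
class Cve:
    cve_id: str            # placeholder ids below, not real advisories
    severity: str
    network_attack_vector: bool = False
    published_exploit: bool = False
    remote_exploit: bool = False
    published_fix: bool = False

    def deduction(self) -> int:
        flags = (self.network_attack_vector, self.published_exploit,
                 self.remote_exploit, self.published_fix)
        return CVE_DEDUCTION[self.severity.lower()] + CVE_FLAG_DEDUCTION * sum(flags)


@dataclass
class DtaRisk:
    name: str
    severity: str

    def deduction(self) -> int:
        return DTA_DEDUCTION[self.severity.lower()]


def image_score(cves, dta_risks) -> int:
    """Start at 100, subtract every finding's deduction, floor at 0."""
    total = sum(c.deduction() for c in cves) + sum(r.deduction() for r in dta_risks)
    return max(0, 100 - total)


# Constructed sample findings (assumed values, not real scan output).
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "high", network_attack_vector=True, published_fix=True),  # 25 + 5 + 5
    Cve("CVE-0000-0002", "low"),                                                   # 5
]
SAMPLE_DTA = [DtaRisk("suspicious outbound connection", "critical")]              # 45

if __name__ == "__main__":
    print(image_score(SAMPLE_CVES, SAMPLE_DTA))  # -> 15
```

Because every finding is subtracted cumulatively, three fully flagged Critical CVEs alone (50 points each) already drive the numeric score to the floor of 0.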