An Assurance Policy is a collection of conditions that defines how Aqua assesses image scan results, marking each container image as compliant or non-compliant.
Introduction to Assurance Policies
At the end of an image scanning job, a scan report is generated. When the report is ready, Aqua evaluates the applicable Assurance Policies and determines if the image should be marked as "Compliant" or "Non-compliant".
The evaluation process includes the following.
- A set of applicable Assurance Policies is determined based on the scope configuration of each policy.
- One or more Assurance Policies may be applicable for a given image.
- A single Assurance Policy may contain one or more Assurance Controls.
- An Assurance Control is a single condition that assesses the risk of an image. For example, a control based on CVE Severity may be configured to mark an image as non-compliant if it includes at least one "High" Severity CVE.
To summarise, Assurance Policies give Aqua a customizable and granular way to compare scan results against a set of conditions and determine whether an image is "Compliant" or "Non-compliant". The result is displayed in the image scan overview. In the example below, the image is marked as "Non-compliant" because the Vulnerability Severity control was evaluated and failed.
Accessing Assurance Policies
Assurance Policies can be accessed from the Assurance Policies page under Aqua Image Scanning.
From the Assurance Policies page, select a policy and edit it. You will be directed to the Assurance Policy edit page with the full details of the policy.
The Assurance Policy page includes three main sections that are the building blocks of the policies.
- General: Name and description of the policy
- Scope: Define which artifacts this policy will apply to
- Controls: Define the set of conditions that will be evaluated by the policy
The general section describes the intent of the policy. It includes name and description fields that are displayed on various pages and reports.
Your policy name and description should be specific and descriptive so that the policy is intuitive and self-explanatory. For example, the policy below clearly states its purpose.
The scope section defines which artifacts this policy will apply to. The scope is defined by selecting an Aqua Group; the policy then applies to the registries assigned to that Aqua Group.
Finally, the controls section defines the conditions under which an image will be marked as Non-compliant. The conditions are defined by adding controls; each control is based on a predefined condition template that targets a different characteristic of the image. The following article provides a complete list of Image Assurance Controls.
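To make the evaluation flow described above concrete (scope selects the applicable policies, each policy's controls are assessed, and any failing control marks the image Non-compliant), here is a small Python model covering both the evaluation process and the General / Scope / Controls structure of a policy. It is an added example written for this page, not Aqua's own code: the `Control` and `Policy` classes, the registry-to-group mapping, the scan-report layout, the single `max_severity` condition template and all sample values (including the `CVE-EXAMPLE-*` identifiers) are assumptions made for illustration.

```python
"""Added example: a minimal model of Assurance Policy evaluation.

Illustrative code written for this page, not Aqua's implementation. The data
model, the registry-to-group mapping, the scan-report layout and every sample
value below are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Ordering used to compare severities against a control's threshold (assumed).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Control:
    """One Assurance Control: a single condition assessed against a scan report.

    Only one condition template is modelled: 'max_severity' fails the image if
    at least one vulnerability is at or above the configured severity.
    """
    template: str
    severity: str

    def evaluate(self, report: dict) -> Tuple[bool, List[str]]:
        """Return (passed, ids of the vulnerabilities that violate the control)."""
        if self.template != "max_severity":
            raise ValueError(f"unsupported control template: {self.template}")
        limit = SEVERITY_RANK[self.severity.lower()]
        offenders = [
            v["id"] for v in report["vulnerabilities"]
            if SEVERITY_RANK[v["severity"].lower()] >= limit
        ]
        return (not offenders, offenders)


@dataclass
class Policy:
    """General section (name, description), Scope section (Aqua Groups) and
    Controls section (list of conditions) of one Assurance Policy."""
    name: str
    description: str
    scope_groups: Set[str]
    controls: List[Control] = field(default_factory=list)


def applicable_policies(policies: List[Policy], group: Optional[str]) -> List[Policy]:
    """Scope step: a policy applies when the image's Aqua Group is in its scope."""
    return [p for p in policies if group is not None and group in p.scope_groups]


def evaluate_image(report: dict, policies: List[Policy],
                   registry_to_group: Dict[str, str]) -> dict:
    """Evaluate every control of every applicable policy against the report.

    The image is Compliant only if no control in any applicable policy fails.
    An image whose registry belongs to no group has no applicable policies and
    is therefore (vacuously) Compliant; that is a scope gap worth auditing.
    """
    group = registry_to_group.get(report["registry"])
    failures = []
    for policy in applicable_policies(policies, group):
        for control in policy.controls:
            passed, offenders = control.evaluate(report)
            if not passed:
                failures.append({
                    "policy": policy.name,
                    "control": f"{control.template}>={control.severity}",
                    "vulnerabilities": offenders,
                })
    return {"image": report["image"], "compliant": not failures, "failures": failures}


# --- Constructed sample data (not from any real environment) -----------------
REGISTRY_TO_GROUP = {"prod-registry": "production", "dev-registry": "development"}

POLICIES = [
    Policy("Block High and Critical CVEs in production",
           "Production images must not ship High or Critical CVEs",
           {"production"}, [Control("max_severity", "high")]),
    Policy("Block Critical CVEs everywhere",
           "No image in any group may ship a Critical CVE",
           {"production", "development"}, [Control("max_severity", "critical")]),
]

PROD_REPORT = {
    "image": "prod-registry/app:1.0",
    "registry": "prod-registry",
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "High"},
        {"id": "CVE-EXAMPLE-0002", "severity": "Low"},
    ],
}
# Same findings, but the image lives in a registry assigned to 'development'.
DEV_REPORT = dict(PROD_REPORT, image="dev-registry/app:1.0", registry="dev-registry")

if __name__ == "__main__":
    for rep in (PROD_REPORT, DEV_REPORT):
        print(evaluate_image(rep, POLICIES, REGISTRY_TO_GROUP))
```

Running the block shows the same scan findings producing "Non-compliant" for the production image (the High-severity control of the production-scoped policy fails) and "Compliant" for the development image, where only the Critical-severity policy is in scope.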