TABLE OF CONTENTS
- Scan Queue
- CI/CD Scans
This topic explains the Images screen and actions that can be performed from this page. Images screen displays all the images pulled into Aqua console, that are scanned or waiting to be scanned. These images are added into console either manually, automatically from image registries, or from CI/CD pipeline.
To navigate to the Images screen, select Images from the main menu of the Aqua UI. You can see the Images screen as shown below:
This screen has four tabs as listed below:
- Scan Queue
- CI/CD Scans
This is the main display of the Images screen. This tab lists all repositories and images in each repository that are registered with Aqua. Each image is associated with the last scan results such as security issues, sensitive data, and Malware.
From this tab, you can:
- Obtain summary and detailed information of the security issues found in the images during its last scan.
- Filter the list of images with different filter attributes.
- Perform operations related to reactive risk management:
- Add images to Aqua
View repository list
In the General tab, the primary display is the list of repositories that are added to Aqua. You can see the following columns for the Repository list that shows different information as explained below:
- Repository name
- Security Issues: a bar, with one or more colored segments, that represents the security issues found during the most recent scan on the images in the repository. For more information on this, refer to < Review Image Assurance Findings doc link >.
- Non-compliant: number of non-compliant images in the repository, followed by the total number of images in the repository.
- Registry: image registry in which the repository is located.
Perform actions on the repositories
You can perform the following actions from the menu of any repository:
- Add Images to the repository
- Delete Repository
To add images to the repository:
- Click Add Images from the repository menu. Registry Search dialog is displayed.
- You can select the required images from the list.
- Click Add.
You can perform different actions on all the repositories at the same time. You should select the checkbox at the left of the Repository column to see the following options:
- Rescan: enters images from all the repositories to scan queue.
- Full Rescan: enters images from all the repositories to scan queue but rescan does not utilize previously cached scan results.
- Export: Exports images from all the repositories in a tar file. Exporting and importing images allows you to copy images from one Aqua Enterprise deployment (Server) to another quickly and efficiently. Mutated images that appear in the Images screen will not be exported. For more information, refer to < Actions on Images.
View images in a repository
To view a list of images in a specific repository, click the right-arrow (>) to the left of the repository name.
You can click any image to see the image scan detail view. For more information, refer to Image Scan Detail View.
Apply filters on repositories
You can apply the following filters on the repository list:
- Show repositories from: one specific registry or all registries
- Show repositories with: images based on their scan results. You can select one of the following options from the dropdown to apply filters on repositories:
- Non-compliant Images
- Approved Base Images
- Allowed Images
- Failed Scans
- Images scanned in the last: specific period, either week, day, hour, or all images.
- Filter repositories by: either specific image name or content digest. You can type specific image name or unique image ID (when you select content digest).
Use case: You can apply filters similar to the one shown below:
- Show repositories with > Vulnerabilities: Filter the list to show only the repositories containing images with one or more vulnerabilities found during scanning.
- Filter repositories by > Image Name: Filter additionally to show only images whose names include the string "alpine".
Prerequisite: Ensure that you have configured the image registries from which you want to add images to the Aqua console.
From the Images screen, you can add one or multiple images from different registries. Once you add images, they are scanned and registered to Aqua. Images can be added from this page, when you know that new images are added to the registry and you want to scan them instantly instead of being scanned as per schedule.
Limitations on the repositories and images for scanning
- If you use Aqua Advanced plan, you can add a maximum of 100 repositories and unlimited images in each repository.
- If you use Aqua Team plan, you can add a maximum of 40 repositories and 10 images in each repository.
In both of the plans, adding each repository consumes 250 Aqua units from your account.
To add images to the Aqua console:
- Click Add Images.
- Select the applicable registry from the dropdown.
- In the search box, add the keywords as shown below:
- To add specific multiple images in a repository, enter the repository name and press enter to select the required images.
- To add the specific image, enter full image name and click Add.
- To add all images in a repository, add wildcard in place of tag name and click Add.
The selected images are added to scan queue.
Add Aqua Labels to images
You can add one or multiple Aqua Labels to each image. These Labels are useful for images to get covered under the scope of a specific policy, which includes this Label configured in the Additional Scope Criteria. For more information on this configuration in the image assurance policy, refer to Policy Scope.
To add Labels to an image:
- From the left pane, Navigate to the Images page.
- Select the required repository to see all the images in it.
- In the required image, from the Labels dropdown, select the required Label that you want to add to the current image. The specific Aqua Label is added to the current image.
- (Optional) To create a new Label from this page, type a new Label name in the text box of the required image. This new Label is added to the current image.
Labels that are created from this page enable other users to add the same to their images. These Labels are also displayed in the Administration > Aqua Labels page for Aqua admins to manage them.
Actions on images
You can select specific images and perform the following actions:
- Rescan: enters the selected image(s) to the scan queue
- Full Rescan: enters the selected image(s) to the scan queue but rescan does not utilize previously cached scan results
- Allow: enables you to allow selected images
- Block: enables you to block selected images
- Delete: deletes the selected images
- Export: exports the selected images to your machine
- Clear selection: cancels the image selection
For more information on these actions on the images, refer to Actions on Images.
Aqua maintains a queue of images awaiting scanning. You can see scan status of all the images added to Aqua in the Scan Queue page. These images may come from different registries, either pulled automatically through image registry integration or added manually from the Images > General tab. For more information, refer to Image Scan Queue.
This tab display information about images scanned in the CI/CD systems that are integrated with Aqua. You can click any image to see the image scan detail view. For more information, refer to Image Scan Detail View.
This list of images scanned in the CI/CD systems are shown in this page only when the Save CI/CD scans scanning option is enabled by your Admin in the Settings > Scanning page.
This tab displays all the security issues (vulnerabilities, sensitive data, and malware) on images that you have acknowledged from the Security Reports > Vulnerabilities page. For more information on the acknowledgement action from the Vulnerabilities page, refer to Vulnerability List and Detail View.
You can see the following information on each acknowledged vulnerability:
- Vulnerability creation time
- Risk name (CVE, DSA, etc.)
- Risk type (vulnerability, sensitive data, or malware)
- Resource name
- Image name (repository : tag)
- Repository name
- Vendor fix available: yes/no
- Expiration time
Filter and search acknowledged vulnerabilities
You can filter the list of acknowledged vulnerabilities using the following criteria:
- Search with either risk name, repository, image, or resource using the search box.
- Type of security risk: either vulnerability, sensitive data, or malware
- Vendor fix available: Yes or No.
Use case: You may want to see all the acknowledged image vulnerabilities in the console having malware for which vendor fix is available. You may fix these vulnerabilities in your registries and scan the respective images again.
Actions on the acknowledged vulnerabilities
You can click any acknowledgement in the page to see more information in its detail view as shown below:
You can perform different actions on any acknowledgement in the acknowledgement detail view:
- Unacknowledge: click the button to cancel the acknowledgement of the vulnerability.
- Set Expiry: Set expiration for the acknowledgement, if not done already.
- Update Expiry: Update the expiration of the acknowledgement, if already set.
For more information, refer to Apply and Manage Security Issue Acknowledgements.