Your images may contain one or more security issues (vulnerabilities, malware, and sensitive data). This topic explains how to manage the risk these security issues pose, which involves both proactive and reactive risk management. Proactive risk management covers the Aqua configuration needed to detect all kinds of security issues, evaluate them appropriately, and report them in the most useful manner. Reactive risk management deals with the security issues and image assurance policy violations that Aqua reports. Your security team should follow the recommendations in this topic to secure images during the build.

Proactive risk management

As part of proactive risk management, Aqua scans all images in your registries frequently. Your Aqua admin can configure scan options to rescan all registered images on a regular basis and to register modified images automatically.

Configure image assurance policies

It is important to define and configure Image Assurance Policies so that images with security issues are evaluated as non-compliant. Your security team configures image assurance policies as part of proactive risk management of images.

For scanning within CI/CD pipelines, an image that fails any image assurance policy is reported to the CI/CD system as a scan failure. That system prevents the non-compliant image from being pushed to a registry and ensures it will not be deployed.

Image assurance policies should be defined and configured as explained below:

  • Configure the Default (global) Image Assurance Policy for precautions that you want to apply to all images.
  • Define and configure additional policies for more specific purposes.
  • Set the actions as explained in the Image Assurance Policies document. If there are no actions in your policies, the policies are effectively non-existent.
  • Include the following controls related to vulnerabilities, and configure them as appropriate for your needs:
    • CVEs Blocked: fails a policy if one or more specifically named vulnerabilities are found during scanning. You should use this if you are aware of vulnerabilities that must absolutely be blocked from appearing in containers.
    • Vulnerability Severity and/or Vulnerability Score: fail a policy if the Aqua-assigned vulnerability severity and/or score for any vulnerability exceeds the configured value. The severity and score can also assist you in addressing the images with the most significant risks first.
  • For protection against malware:
    • Ensure that malware scanning is enabled in the settings.
    • Include the Malware control in your Image Assurance Policies.
  • For protection against sensitive data:
    • Include the Sensitive Data control in your Image Assurance Policies.

Reactive risk management

Aqua detects security issues (vulnerabilities, malware, and sensitive data) during image scanning, and image assurance policy violations during evaluation of image compliance. Aqua shows you precisely which security issues and policy violations were detected, and makes it possible for you to take the required corrective actions.

An image might have security issues without being considered non-compliant. To understand this in detail, consider the extreme case of an image with vulnerabilities, malware, and sensitive data. If none of your image assurance policies are configured with controls that relate directly to such security issues, the image will not be considered non-compliant (unless it fails other controls). The controls related to vulnerabilities are CVEs Blocked, Vulnerability Severity, and Vulnerability Score. There are also controls for Malware and Sensitive Data.

The reactive actions that Aqua users can take to manage vulnerabilities, malware, and sensitive data are explained in the following sections.

Risk-based insights

This section applies only to the Advanced plan.

A valuable tool in reactive risk management is Risk-based Insights. This feature is designed to help you focus on the most important and urgent vulnerabilities to manage. The predefined risk categories are based on several factors, including the availability of exploits for the vulnerabilities found. Risk-based insights on vulnerabilities can be analyzed from the Vulnerabilities screen.

Manage vulnerabilities

Image scanning may reveal vulnerabilities in your images. The options for managing vulnerabilities are described in this topic. It is important to understand that:

  • Not all options for managing a vulnerability in an image are available under all circumstances. For example, a fix may or may not exist for a given vulnerability. In that case, choose an alternative option for managing the vulnerability.
  • Options are not listed in any specific order of desirability. Your best option may depend on many aspects of your container development and deployment process. For example, you might deem it best to eliminate the vulnerability; if that is not possible, your best alternative might be to be extremely cautious and block the image.

The following sections explain a few important reactive steps that can be taken to manage vulnerabilities in the images.

Eliminate vulnerability by updating resource

The vulnerability detail view shows whether a specific vulnerability is addressed in a later version of the affected resource. If so, you can rebuild the image with that version and then re-scan the image to ensure the vulnerability is no longer reported. This option is not always available: a zero-day vulnerability may take a long time to discover, and it may then take the software vendor a long time to make a fix available.

Acknowledge or unacknowledge vulnerabilities

You can acknowledge a given vulnerability for a specific image. When you acknowledge it, the Aqua server is instructed not to fail any image assurance policy for that image because of that specific vulnerability. In other words, you believe that deploying containers based on the image in question will not cause unacceptable security risks due to the vulnerability. Similarly, you can acknowledge a vulnerability for a specific repository, or for all scanned images that contain this vulnerability.

You can optionally set an expiration period (between 1 and 999 days) for the acknowledgment. This gives you a "grace period" for deploying containers based on the image with the vulnerability. During this grace period, you can plan to fix the vulnerability without disrupting deployment of containers that depend on the images in question.

At any later time, you can unacknowledge (cancel the acknowledgment of) the vulnerability, or change or cancel its expiration period.

For more information, refer to Apply and Manage Security Issue Acknowledgments.

Allow images

Allowing an image acknowledges all security issues present in the image, not just a single vulnerability.

You can allow one or more images from the Images page in the UI. When you allow an image, Aqua permits deployment of the image in containers, irrespective of the image's compliance status. Allowing an image does not actually change its compliance status; it instructs Aqua to ignore non-compliance for the purposes of image deployment.

You should allow an image only if you believe that running the image in containers will not cause unacceptable security risks.

For more information, refer to Actions on Images.

Block Images

You can block an image to prevent deployment of the image in containers, irrespective of the image's compliance status. Blocking an image does not actually change its compliance status; it instructs Aqua to ignore compliance for the purposes of image deployment.
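The following Python script is an added example, not Aqua's code and not its API, that models how the pieces described in this topic fit together: the image assurance controls listed under "Configure image assurance policies" (CVEs Blocked, Vulnerability Severity, Vulnerability Score, Malware, Sensitive Data), the rule that a policy with no actions has no effect, the observation that an image with security issues is still compliant when no control relates to them, acknowledgments with a 1 to 999 day grace period, and the allow/block overrides that change the deployment outcome without changing compliance status. All class names, fields, the image name, and the CVE identifiers (placeholders of the form CVE-0000-NNNN) are constructed for illustration.

```python
"""Toy model of image assurance evaluation: policy controls, acknowledgments
with a 1-999 day grace period, and allow/block deployment overrides.
Added example; not Aqua's code or API. All names and values are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Vulnerability:
    cve: str        # placeholder identifiers only (CVE-0000-NNNN)
    resource: str   # affected package
    severity: str   # key of SEVERITY_RANK
    score: float    # assumed 0-10 scale


@dataclass
class ScanResult:
    image: str
    vulnerabilities: list
    malware_found: bool = False
    sensitive_data_found: bool = False


@dataclass
class Policy:
    """Hypothetical policy shape mirroring the controls named in the text."""
    name: str
    actions: tuple = ()                    # empty: policy is effectively non-existent
    cves_blocked: frozenset = frozenset()  # CVEs Blocked control
    max_severity: Optional[str] = None     # Vulnerability Severity control
    max_score: Optional[float] = None      # Vulnerability Score control
    block_malware: bool = False            # Malware control
    block_sensitive_data: bool = False     # Sensitive Data control


@dataclass(frozen=True)
class Acknowledgment:
    cve: str
    scope: str                      # "all" or "image:<image name>"
    expires: Optional[date] = None  # None: never expires


def acknowledge(cve, scope, today, days=None):
    """Acknowledge a CVE, optionally for a grace period of 1-999 days."""
    if days is not None and not 1 <= days <= 999:
        raise ValueError("expiration period must be between 1 and 999 days")
    expires = today + timedelta(days=days) if days is not None else None
    return Acknowledgment(cve, scope, expires)


def active_acks(acks, image, today):
    """CVEs acknowledged for this image (or for all images) and not yet expired."""
    return {a.cve for a in acks
            if a.scope in ("all", f"image:{image}")
            and (a.expires is None or today < a.expires)}


def evaluate(policy, scan, acked=frozenset()):
    """Return the controls the image fails under one policy (empty list: passes)."""
    if not policy.actions:
        return []  # a policy with no actions cannot fail anything
    vulns = [v for v in scan.vulnerabilities if v.cve not in acked]
    failed = []
    blocked = sorted(v.cve for v in vulns if v.cve in policy.cves_blocked)
    if blocked:
        failed.append("CVEs Blocked: " + ", ".join(blocked))
    if policy.max_severity is not None:
        limit = SEVERITY_RANK[policy.max_severity]
        over = sorted(v.cve for v in vulns if SEVERITY_RANK[v.severity] > limit)
        if over:
            failed.append(f"Vulnerability Severity above {policy.max_severity}: " + ", ".join(over))
    if policy.max_score is not None:
        over = sorted(v.cve for v in vulns if v.score > policy.max_score)
        if over:
            failed.append(f"Vulnerability Score above {policy.max_score}: " + ", ".join(over))
    if policy.block_malware and scan.malware_found:
        failed.append("Malware")
    if policy.block_sensitive_data and scan.sensitive_data_found:
        failed.append("Sensitive Data")
    return failed


def deployment_decision(policies, scan, acks=(), override=None, today=None):
    """Return (compliant, failures_by_policy, may_deploy).

    override is None, "allow" or "block": allowing or blocking an image changes
    only the deployment outcome, never the compliance status."""
    today = today or date.today()
    acked = active_acks(acks, scan.image, today)
    failures = {p.name: f for p in policies if (f := evaluate(p, scan, acked))}
    compliant = not failures
    may_deploy = {None: compliant, "allow": True, "block": False}[override]
    return compliant, failures, may_deploy


# Constructed sample data: an image with two placeholder CVEs, malware and a secret.
TODAY = date(2024, 1, 1)
SAMPLE_SCAN = ScanResult("registry.example/app:1.4", [
    Vulnerability("CVE-0000-0001", "openssl", "critical", 9.8),
    Vulnerability("CVE-0000-0002", "zlib", "medium", 5.5),
], malware_found=True, sensitive_data_found=True)
DEFAULT_POLICY = Policy("Default", actions=("fail",), max_severity="high",
                        block_malware=True, block_sensitive_data=True)
NO_ACTIONS = Policy("Dormant", cves_blocked=frozenset({"CVE-0000-0002"}))
SAMPLE_ACK = acknowledge("CVE-0000-0001", "image:registry.example/app:1.4", TODAY, days=30)
```

Calling `deployment_decision([DEFAULT_POLICY, NO_ACTIONS], SAMPLE_SCAN, [SAMPLE_ACK], today=TODAY)` shows the acknowledgment removing the severity failure for the critical CVE while the Malware and Sensitive Data controls still fail, so the image stays non-compliant and is not deployable; the "Dormant" policy contributes nothing because it has no actions. Passing `override="allow"` returns `may_deploy=True` with the compliance result unchanged, and evaluating on the day the acknowledgment expires brings the severity failure back. Unacknowledging is simply dropping the entry from the acknowledgment list.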

For more information, refer to Actions on Images.

Manage malware and sensitive data

If scanning detects malware or sensitive data in your image and the finding is in your own code, you should first clean your code and then re-scan the image. Otherwise, your options for managing malware or sensitive data are the same as for vulnerabilities: acknowledge the security issue (refer to Apply and Manage Security Issue Acknowledgments) or allow the image.

Manage image assurance policy violations

An image assurance policy is violated when an image fails one or more of the controls that you have configured. Aqua shows which controls your image has failed and suggests specific fixes when possible. For more information, refer to Image Scan Detail View.