TABLE OF CONTENTS

Overview

The determination of image compliance or non-compliance is important for Risk Management.


Aqua allows you to define and configure one or multiple image assurance Policies to evaluate the scan results (security issues found, if any) as per the criteria set in the policy. These policies include the specific controls (criteria) that Aqua will use to determine whether your images are compliant or not. The controls relate to the types of security issues that scanning may discover and/or other characteristics of the image.


Each image assurance policy has a defined scope, which defines the set of images to which the policy applies. Aqua also offers a predefined Default image assurance policy that applies to all images.


Once an image has been scanned, Aqua evaluates the scan results (security issues found, if any) according to all image assurance policies whose scope includes the image in question. 


This topic explains the components of image assurance policies that are used for scanning container images. These components include definition of policies and different actions, exceptions, controls that can be applied in a policy. This topic also explains the default policy and its configuration. To explore the default policy and the policy components, navigate to Policies > Assurance Policies. You can click any policy from the Assurance Policies page to explore the policy components. 


Policy components

An image assurance policy consists of the following components:

  • Application scopes and additional scope criteria: define set of images to which the policy should be applied. For more information, refer to Policy Scope.
  • Actions: taken by Aqua server if an image fails the assurance policy such as fail the Aqua step in CI/CD pipeline or mark images as non-compliant.
  • Exceptions: conditions that evaluation of the assurance policy can ignore to pass the image being scanned, such as ignore vulnerabilities that meet the conditions specified.
  • Controls: individual tests that are evaluated on the results of image scans

Actions

You can select any or all of the following actions to be performed on an image if the specific assurance policy fails: 

  • Fail the Aqua step in CI/CD: An image build that is scanned during the CI/CD process will be marked as failed, and cannot be pushed to a repository
  • Mark failed image as non-compliant: If you enable this, an image which is failed as per any control in the policy, will be marked as non-compliant and prevent pushing this non-compliant image to image registries.


Exceptions

You can select any or all of the following exceptions to the evaluation of the image assurance policy:

  •  Ignore vulnerabilities that have no available fix: for vulnerabilities that do not have any fix available, policy failure will not be triggered.
  • Ignore vulnerabilities that were published in the last [nn] days: Provides a "grace period" of 1-999 days for vulnerabilities that are less likely (as they are new) to have exploits.
  • Ignore specific vulnerabilities: after you select this checkbox, you can list any number of specific vulnerabilities (example: CVE-2019-1234) on separate lines or as a comma separated list.
  • Ignore vulnerabilities and malware found in specific path: after you select this checkbox, you can list any number of paths (resources) on separate lines. Vulnerabilities and malware found in those paths will not cause policy failure. The paths must be entered in gitignore syntax (example: /projects/proj1).


Policy controls

A control is an individual test that can be applied to the results of a scan as part of an assurance policy. You can include the following controls in the image assurance policies. An image is considered non-compliant if it fails any control in any of these image assurance policies. Each control has a checkbox to enable the control in the specific policy.


The first column of the table that follows contains icons to indicate policy support for the respective host: 


Image assurance policies on Linux hosts
Image assurance policies on Windows hosts



ControlDescription
Approved Base Image Fails the image if it has not been built using an approved base image. You can add one or multiple base images from the respective registries to the list.
CVEs Blocked
Fails the image if it contains any of the specified vulnerabilities (CVE names). You can add one or multiple vulnerabilities to the list. 
Images Allowed
Shows list of all images that have been allowed from the Images screen. You can only remove allowed images from the list in this control, if required.

This control appears only in the Default Image Assurance Policy.
Images Blocked
Shows list of all images that have been blocked from the Images screen. You can only remove blocked images from the list in this control, if required.

This control appears only in the Default Image Assurance Policy.
Labels Forbidden
Each label has key and value pair and you can add one or multiple labels in this control. 

Fails the image if it contains ANY of the specified Docker object Labels. If only a key is specified, it must exist on the image, but can have any value. If a key-value pair is specified, the key must exist with the value that you specify. Only images containing labels and their values defined in this control will be considered compliant. When a value is left empty for a specific label, any value in the label for a specific key will be considered compliant.

Note: This control is not related to Aqua Labels. 
Labels Required
Each label has key and value pair and you can add one or multiple labels in this control. 

Fails the image if it does not contain ALL of the specified Docker object labelsIf only a key is specified, it must exist on the image, but can have any value. If a key-value pair is specified, the key must exist with the value that you specify. Only images containing labels and their values defined in this control will be considered compliant. When a value is left empty for a specific label, any value in the label for a specific key will be considered compliant.

Note: This control is not related to Aqua Labels. 
MalwareFails the image if it contains malware. The control is available in any policy configuration only if Scan for malware is enabled in the Settings > Scanning page. For more information, refer to Configure Scanning Options.
OS Package Manager
Fails the image if it does not contain one of the OS package managers that Aqua needs in order to complete scanning: apk, dpkg, or rpm
OSS Licenses AllowedPasses if images have a resource with any of the selected OSS licenses in this control
OSS Licenses Blocked
Fails if images have a resource with any of the selected OSS licenses in this control
Packages BlockedFails the image if it contains any of the specified packages in this control
Packages RequiredFails the image if it does not contain one of the specified packages in this control
Sensitive Data
Fails the image if it contains sensitive data, such as RSA keys. The control is available in any policy configuration only if Search for sensitive data in images and functions is enabled in the Settings > Scanning page. For more information, refer to Configure Scanning Options.
SuperuserFails images which are configured to run as “root” (Linux) or “Container Administrator” (Windows)
Vulnerability Score Fails the image if its vulnerability score is greater or equal to the selected value
Vulnerability Severity
Fails the image if its vulnerability severity is greater or equal to the selected value.

If there is a custom severity to all the vulnerabilities and loaded to Aqua console through the respective API, enable Use custom severity when available. Custom severity selected in this control will be considered to apply control on the image.


Default Policy

An image assurance policy named Default is predefined in Aqua. This policy has Global scope and is applied to all images after they have been scanned. This policy ensures all Aqua images are scanned for security even if there are no other policies defined in Aqua. You cannot change the scope of this policy.


The Default policy is initially configured with both of the following actions: 

  • Fail the Aqua step in CI/CD
  • Mark failed images as non-compliant


You can reconfigure the actions as required. This policy does not have any exceptions enabled by default but you can enable the exceptions as required.


Initially, the Default policy has no controls. You can include controls in this policy, similar to any other policy configuration. For more information, refer to Operations on Image Assurance Policies.