TABLE OF CONTENTS
- Scanning use cases
- Scanning locations of container images
- Scanning initiation
- Image scanning process
This topic explains the Aqua scanner, the locations it scans images from, the forms in which it is delivered, and the scanning process. The primary function of the Aqua scanner (or simply "scanner") is to scan container images for security issues such as vulnerabilities, sensitive data, and malware. Its secondary function is to register container images with Aqua.
Image scanning is supported by the Aqua CyberCenter, which maintains up-to-date information on vulnerabilities and malware. Once an image is scanned, the scanner reports the results to the Aqua server, which makes them available on the Aqua UI.
Scanning use cases
The following table summarizes the use cases in which the scanner is used for image scanning:
| Use case | Image location | Prerequisite |
|---|---|---|
| Automatic and scheduled scans | Image registries | Integration of image registries |
| Aqua console (UI) | Image registries | Integration of image registries |
| CI/CD | CI/CD pipelines | Integration of the CI/CD pipeline |
| Scanner CLI | Image registries | Download of the scanner image or executable binary |
The following diagram depicts different use cases of utilizing Aqua scanner for scanning images:
Automatic and scheduled scans
In this use case, the Aqua scanner scans images in the integrated registries by pulling them automatically on a schedule. Aqua admins can schedule scanning of the registered images either daily or on specific days of the week, at a specified time of day. For more information on this configuration, refer to Configure Scanning Options.
Aqua console (UI)
In this use case, images that are added manually to the Aqua console are scanned by the Aqua scanners registered on the console. This is done from the Aqua Platform UI. For more information, refer to Images Screen Operations.
CI/CD
In this use case, the Aqua scanner scans images in the CI/CD pipeline. This works only when the CI/CD pipeline is integrated with Aqua. The integration allows Aqua to perform the following at image build time:
- Scan images for security issues and evaluate image compliance as per all image assurance policies whose scope includes the image
- (Optional, but recommended) Report image non-compliance to the CI/CD system, to prevent non-compliant images from being pushed to registries. This requires selecting the Fail the Aqua step in CI/CD action in all image assurance policies. For more information, refer to Image Assurance Policies.
You can also view image scan results within the CI/CD tool.
Scanner CLI
In this use case, the scanner CLI is used in one of the following forms to scan images:
- Aqua scanner container through the CLI: users pull the Aqua scanner container image to a Linux host and run it through the scanner CLI to scan images in registries.
- Binary scanner in a container: users ship the scanner binary inside a lean container of their own and scan images in registries through the scanner CLI.
- Scanner executable binary: users ship the scanner binary as a standalone file and scan images in registries through the scanner CLI. This form runs on either Linux or Windows hosts.
For more information, refer to Scanner Command Line Interface.
Scanning locations of container images
The scanner can scan container images from the following locations:
For more information, refer to Image Scanning.
Scanning initiation
Image scanning can be initiated in one of the following ways.
The scan options set on the Aqua Settings > Scanning page apply to all of these methods. For more information, refer to Configure Scanning Options.
One or more scanners can be deployed, each as a container running as its own process (daemon). These processes are normally running whenever the Aqua server is running, and they perform image scanning as directed by the server. For more information, refer to Add Daemon Scanners. The server dispatches images for scanning, one at a time, to one of the available scanner daemons. If no daemons are deployed, the server performs the scanning itself.
It is common for organizations to deploy several scanner processes to meet their scanning throughput requirements. The server distributes the images that require scanning across these processes, which acts as a load-balancing mechanism.
User-initiated (ad-hoc) scanning
Users can initiate scanning from one of the following:
- The scanner command line interface (on a Linux or Windows host)
- The REST API for image scanning
- An integrated CI/CD system, when a pipeline run scans images as configured by the user
Requests are handled by a scanner process in one of the following forms:
- A container (for images scanned through the Docker engine)
- An executable binary (running without a container engine)
For more information, refer to Scanner CLI.
Image scanning process
The scanner performs the following actions while scanning an image:
- Pulls the image from the registry to the host on which the scanner is running.
- Identifies the operating system, the programming-language packages, and the standalone resources in the image.
- Analyzes the packages found and retrieves security data, such as vulnerability and malware information, from CyberCenter (the Aqua threat intelligence database).
- Applies the image assurance policies whose scope includes the image, evaluating each policy's controls to determine whether the image is compliant.
- Reports the scan results to the Aqua server. When images are scanned through the CLI, scan logs can also be stored in the specified working directory.
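The pipeline above, from package inventory through vulnerability matching and policy evaluation to the Fail the Aqua step in CI/CD decision described under the CI/CD use case, as an added Python model. This is illustrative code written for this page, not the Aqua scanner or CyberCenter: the feed layout, the package names and versions, the EXAMPLE-nnnn vulnerability IDs, the policy fields and the version-ordering rule are all constructed assumptions.

```python
"""Added example for this page (not Aqua's code): a simplified model of the
scan steps above - package inventory, vulnerability matching, evaluation of the
in-scope image assurance policies, and the "Fail the Aqua step in CI/CD" decision.
All packages, versions, vulnerability IDs, policy fields and the feed layout
are constructed for illustration, not Aqua's or CyberCenter's formats."""
import re
from collections import namedtuple

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# ecosystem is "os" for OS packages, otherwise a language ecosystem (e.g. pypi)
Package = namedtuple("Package", "ecosystem name version")
Finding = namedtuple("Finding", "package vuln_id severity fixed_in")  # fixed_in None: no fix yet
Image = namedtuple("Image", "name registry packages sensitive_files malware", defaults=((), ()))
# scope: registry names the policy applies to ("*" = all); block_severity: the
# image is non-compliant on any finding at or above it; fail_ci_step models the
# "Fail the Aqua step in CI/CD" action.
AssurancePolicy = namedtuple("AssurancePolicy",
                             "name scope block_severity forbid_sensitive_data forbid_malware fail_ci_step")
ScanResult = namedtuple("ScanResult", "image findings violations compliant fail_ci")

# Constructed stand-in for the CyberCenter feed: (ecosystem, package) ->
# [(vuln_id, severity, fixed_in)]. A version is affected when it is older than
# fixed_in, or when no fix exists yet.
VULN_FEED = {
    ("os", "openssl"): [("EXAMPLE-0001", "high", "1.1.1n")],
    ("pypi", "requests"): [("EXAMPLE-0002", "medium", "2.26.0")],
    ("os", "bash"): [("EXAMPLE-0003", "critical", None)],
}


def version_key(version):
    """Simplified ordering: numeric runs compare as integers, letter runs as
    strings (so 1.1.1k < 1.1.1n). Real scanners apply per-ecosystem rules."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_vulnerabilities(image):
    """Analysis step: match every package in the inventory against the feed."""
    findings = []
    for pkg in image.packages:
        for vuln_id, severity, fixed_in in VULN_FEED.get((pkg.ecosystem, pkg.name), []):
            if fixed_in is None or version_key(pkg.version) < version_key(fixed_in):
                findings.append(Finding(pkg, vuln_id, severity, fixed_in))
    return findings


def evaluate(image, policies):
    """Policy step: apply the controls of every policy whose scope includes the image."""
    findings = find_vulnerabilities(image)
    violations, fail_ci = [], False
    for policy in policies:
        if "*" not in policy.scope and image.registry not in policy.scope:
            continue  # out of scope: this policy does not judge the image
        hits, threshold = [], SEVERITY_RANK[policy.block_severity]
        blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
        if blocking:
            hits.append((policy.name, "vulnerabilities", ", ".join(
                f"{f.vuln_id} in {f.package.name} {f.package.version}" for f in blocking)))
        if policy.forbid_sensitive_data and image.sensitive_files:
            hits.append((policy.name, "sensitive_data", ", ".join(image.sensitive_files)))
        if policy.forbid_malware and image.malware:
            hits.append((policy.name, "malware", ", ".join(image.malware)))
        if hits and policy.fail_ci_step:  # only a violated policy with the CI action fails the pipeline
            fail_ci = True
        violations.extend(hits)
    # Findings are always reported; compliance depends only on in-scope policies.
    return ScanResult(image.name, findings, violations, not violations, fail_ci)


POLICIES = [
    AssurancePolicy("prod-gate", {"*"}, "high", True, True, fail_ci_step=True),
    AssurancePolicy("dev-advisory", {"dev-registry"}, "critical", False, True, fail_ci_step=False),
]


def sample_images():
    """Constructed inventories standing in for what the identification step extracts."""
    vulnerable = Image("app:1.0", "Docker Hub",
                       [Package("os", "openssl", "1.1.1k"), Package("pypi", "requests", "2.25.0"),
                        Package("os", "curl", "7.80.0")],
                       sensitive_files=["/root/.aws/credentials"])
    clean = Image("app:1.1", "Docker Hub",
                  [Package("os", "openssl", "1.1.1n"), Package("pypi", "requests", "2.26.0")])
    return vulnerable, clean


if __name__ == "__main__":
    for img in sample_images():
        r = evaluate(img, POLICIES)
        print(f"{r.image}: {len(r.findings)} finding(s), compliant={r.compliant}, fail_ci={r.fail_ci}")
        for policy, control, detail in r.violations:
            print(f"  [{policy}] {control}: {detail}")
```

Two points the model makes visible: findings are reported to the server regardless of the verdict, while compliance is decided only by the policies whose scope includes the image (the same inventory is compliant under dev-advisory and non-compliant under prod-gate), and the CI/CD step fails only when a violated policy has the Fail the Aqua step in CI/CD action set, which is why the text recommends setting it in every policy that should gate a pipeline.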