This topic explains Aqua scanner, its scanning locations, scanner forms, and the scan process. The primary function of the Aqua scanner (or simply "scanner") is to scan the container images for security issues such as vulnerabilities, sensitive data, and malware. The secondary function of the scanner includes registering container images with Aqua. 

Image scanning is supported by the Aqua CyberCenter, which maintains up-to-date information on vulnerabilities and malware. Once an image is scanned, the scanner reports the results to the Aqua server, which makes them available on the Aqua UI.

Scanning use cases

The scanner scans objects in the following use cases:

  • Automatic and schedule scans of images in registries.
  • CI/CD: scans objects in CI/CD processes (pipelines)
  • Aqua console (UI): scans new images added from registries to the Aqua console.
  • Scanner Command Line Interface (CLI)on your Linux/Windows host:
    • Aqua scanner deployed as an image
    • Executable binary: Run scanner binary either on a VM or Container

The following table explains the use cases of utilizing the scanner for image scanning:

Use caseImage locationPrerequisite
Automatic and scheduled scansImage registriesIntegration of image registries
Aqua console (UI)Image registriesIntegration of image registries
CI/CDCI/CD pipelinesIntegration of CI/CD pipeline
Scanner CLIImage registriesDownload scanner image or executable binary for scanning images

The following diagram depicts different use cases of utilizing Aqua scanner for scanning images:

Scheduled scans

In this use case, Aqua scanner scans images in the registries by pulling them automatically on a schedule. Aqua admins can schedule scanning of the registered images either daily or specific days in a week by assigning specific time of the day. For more information on this configuration, refer to Configure Scanning Options.

Aqua console (UI)

In this use case, scanning can be performed on images, that are added manually to the Aqua Console, by utilizing Aqua Scanners registered on the Console. This is supported from the Aqua Platform UI. For more information, refer to Images Screen Operations.

CI/CD process

In this use case, Aqua scanner scans images in the CI/CD pipeline. This is executed only when the CI/CD pipeline is integrated with Aqua. This integration allows Aqua to perform the following at image build time:

  • Scan images for security issues and evaluate image compliance as per all image assurance policies whose scope includes the image
  • (Optional, but recommended) Report image non-compliance to the CI/CD system, to prevent these images from being pushed to registries. This requires selection of the Fail the Aqua step in CI/CD action in all image assurance policies. For more information, refer to Image Assurance Policies.

You can also view image scan results within the CI/CD tool.

Scanner CLI

In this use case, scanner CLI is used in the following methods to scan images:

  • Aqua scanner through CLI:  users can pull Aqua scanner to the Linux host through scanner CLI to scan images on the registries.
  • Binary scanner in the container: users can deliver a scanner binary inside a lean container to scan images in the registries through Scanner CLI.
  • Scanner executable binary: users can deliver a scanner binary as a file to scan images in the registries through Scanner CLI. This is used when you use either Linux or Windows operating system.

For more information, refer to Scanner Command Line Interface.

Scanning locations of container images

The scanner can scan container images from the following locations:

  • Registries: Images that are pushed to public or private registries and are registered in Aqua. This is also called "remote scanning".
  • Local host: Images that are created in a development environment, but not yet been pushed to a registry. They might include images that are not yet registered in Aqua. This is also called "local scanning".
  • CI/CD systems: Images that are in the pipelines of CI/CD systems

For more information, refer to Image Scanning.

Scanning initiation

Image scanning can be initiated in the following methods.

Scan options set in the Aqua Settings > Scanning page apply to all of these use cases. For more information, refer to Configure scanning options.

Server-initiated scanning

The Aqua server scans images in its scan queue. Images enter the scan queue when they are added to Aqua manually or automatically.

One or more scanners can be deployed, each as a container in its own process (daemon). All such processes generally run if the Aqua server runs. These processes perform image scanning as directed by the server. For more information, refer to Add Daemon Scanners. The server dispatches images for scanning, one at a time, to one of the available scanner daemons. If there are no daemons deployed, the server performs the scanning.

It is common for organizations to deploy several scanner processes to meet their scanning throughput requirements. This provides a load-balancing mechanism for the server to scan all images that require scanning.

User-initiated (ad-hoc) scanning

Users can initiate scanning from one of the following:

  • The scanner command line interface (on a Linux or a Windows host) for image scanning
  • The REST API for Image Scanning
  • Images from the integrated CI/CD Systems as scheduled by user

Requests are handled by a scanner process through one of the following methods:

  • A container (for images scanned through docker engine)
  • An executable binary (running without a container engine)

For more information, refer to Scanner CLI.

Image scanning process

The scanner performs the following actions while scanning an image:

  1. Pull the image from the registry. The scanner pulls the image to the host on which it is running.
  2. Analyze for Programming Languages, and Operating System and Standalone resources in the image.
  3. Analyze images for packages and get security data such as vulnerability and malware information from CyberCenter (Aqua threat intelligence database).
  4. Apply image assurance policies for evaluation of images and consider controls in the policy to determine the image compliance.
  5. Report the scanning results to the Aqua Server. Scan logs can also be stored in the specified working directory when images are scanned through CLI.