Overview

This topic explains, for administrators, how to configure the options for image scanning. Any change to these configurations is reflected in future scans only, not in current or historical scan results. After changing these configurations, you must scan the images again to see the updated results.


Configure scanning options

To configure image scanning options:

  1. Navigate to Settings > Scanning. The list of scanning options explained below is displayed.


  2. Enable or disable the following scanning options to configure your Aqua platform, as explained below:


Scan all registered images on a regular basis
    Configures Aqua to scan all registered images on a regular basis. For more information, refer to the Scan all registered images on a regular basis section. If you enable this setting, the Scan time, Daily, and Specific Days schedule settings appear.

Include parent package vulnerabilities
    Aqua will include in the scan results a vulnerability reported on both the scanned package and its parent package. For more information, refer to the Parent package vulnerabilities section.

Include sibling package vulnerabilities
    Aqua will include in the scan results a vulnerability reported on both the scanned package and its sibling (associated) packages. For more information, refer to the Sibling package vulnerabilities section.

Use CVSS v3 vulnerability scoring (when available)
    CVSS v3 vulnerability scoring will be used when enforcing image assurance policy controls. If you do not select this option, or CVSS v3 scoring is not available for a vulnerability, CVSS v2 scoring will be used.

Only scan images with scanner-cli daemons (if exist)
    Images will be scanned only by scanners started as daemon processes, not by the scanner built into the Aqua server. This reduces the load on the server.

Show vulnerabilities marked 'Will not fix'
    The scanner will check images for, and show, vulnerabilities that the component vendors have marked "will not fix". For more information, refer to the Show vulnerabilities marked 'Will not fix' section.

Suggest fixes based on a newer OS version
    Aqua will suggest a fix for a vulnerability when that fix is available only in a newer version of the operating system (OS). If this option is not selected, the CVE attributes Vendor fix, Fixed version, and Solution will appear as "None" even when such a fix is available.

Scan standalone binaries in images
    The scanner will check images for OS packages that are not discovered by the distro package manager.

Search for sensitive data in images and functions
    The scanner will check images for sensitive data (such as keys and passwords).

Scan for malware
    The scanner will look for malware in the images.

Extend malware scanning to executable files without executable permission
    This option can be selected only if the previous option, Scan for malware, is selected. The scanner will also check for malware in executable files of each image that do not have the executable permission set. Images must be scanned again after enabling this setting for it to take effect. Selecting this option may impact scanning performance.

Audit every scan
    Normally, audit results are logged only when an image is scanned for the first time, even though re-scanning an image may yield different results each time. If you enable this setting, audit results are logged for all images every time they are scanned.

Save CI/CD scans
    Aqua can integrate image scanning with the pipelines of many CI/CD systems. Normally, the results of scans run through the scanner-cli command are stored in Aqua only for registered images. If this setting is enabled, the results of all types of images scanned through scanner-cli are stored and displayed in the Aqua UI, on the Images > CI/CD Scans page. If this setting is not enabled, the results of these images are sent to the CI/CD system and are not stored or displayed by Aqua.

Send scan results to Log Management Systems
    Aqua will send full information on the detected security issues to integrated log management (SIEM) systems, through the webhook configured on the Settings > Image Scan Results Webhook page.


  3. Click Save in the upper right of the page.


Scan all registered images on a regular basis

This is one of the settings that can be enabled from the Settings > Scanning page, as explained in the table above. This setting configures Aqua to scan all registered images on a regular basis: every day, or on selected weekdays, at a specific time of day. Selecting Daily ensures that your images are scanned every day for the latest security issues.


When you configure this option, Aqua will scan each registered image as scheduled.


Note: If you have a large number of repositories in your registries, it might be necessary to set the optional Server environment variable AQUA_AUTO_PULL_TIMEOUT_SEC.


Parent package vulnerabilities

This is one of the settings that can be enabled from the Settings > Scanning page, as explained in the table above. This setting is explained with the following scenario:

  • Aqua image scanning discovers a vulnerability in package libc6.
  • Package libc6 has a source package, glibc, which we can refer to as the "parent" of libc6.
  • There is also a vendor report of a vulnerability in the parent, glibc.


If the setting Include parent package vulnerabilities is enabled, Aqua will include the vulnerability on both the package scanned (libc6) and its parent (glibc) in the scan results.

Sibling package vulnerabilities

This is one of the settings that can be enabled from the Settings > Scanning page, as explained in the table above. This setting is explained with the following scenario:

  • Aqua scanning discovers a vulnerability in package A.
  • In addition, the relevant vendor security advisory recommends updating other packages associated with package A. We can refer to them as "sibling" packages.
  • There is also a vendor report of a vulnerability in a sibling package.


If the Include sibling package vulnerabilities setting is enabled, Aqua will include the vulnerability on both the package scanned (A) and its sibling packages in the scan results.
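To make the effect of these toggles concrete, here is an added illustration (not Aqua's code) that models parent and sibling package inclusion from the two scenarios above, together with the CVSS v3 fallback and 'Will not fix' options from the table. The package relationships, image contents and advisories are constructed sample data with placeholder CVE ids.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
@dataclass
class Vuln:
    cve: str                          # placeholder ids below, not real CVEs
    package: str
    cvss_v2: float
    cvss_v3: Optional[float] = None   # None models "v3 score not available"
    will_not_fix: bool = False        # vendor marked it "Will not fix"

@dataclass
class ScanOptions:                    # mirrors four checkboxes on Settings > Scanning
    include_parent: bool = False
    include_sibling: bool = False
    use_cvss_v3: bool = False
    show_will_not_fix: bool = False

# Constructed relationships: parent = source package (libc6 -> glibc); siblings =
# packages a vendor advisory says to update together with the scanned package.
PARENT_OF: Dict[str, str] = {"libc6": "glibc"}
SIBLINGS_OF: Dict[str, List[str]] = {"openssl": ["libssl1.1"]}
INSTALLED: Set[str] = {"libc6", "openssl"}  # constructed image package list
ADVISORIES: List[Vuln] = [                   # constructed vendor advisories
    Vuln("CVE-0000-0001", "libc6", 7.5, 9.8),
    Vuln("CVE-0000-0002", "glibc", 5.0),                  # parent only, no v3 score
    Vuln("CVE-0000-0003", "libssl1.1", 4.3, 5.3),         # sibling only
    Vuln("CVE-0000-0004", "openssl", 6.8, 7.5, will_not_fix=True),
]

def effective_score(v: Vuln, opts: ScanOptions) -> float:
    # CVSS v3 when the option is on and a v3 score exists; otherwise fall back to v2.
    return v.cvss_v3 if opts.use_cvss_v3 and v.cvss_v3 is not None else v.cvss_v2

def scan(installed: Set[str], advisories: List[Vuln], opts: ScanOptions) -> Dict[str, float]:
    """Return {cve: score} for the findings the selected options make visible."""
    relevant = set(installed)
    for pkg in installed:
        if opts.include_parent and pkg in PARENT_OF:
            relevant.add(PARENT_OF[pkg])
        if opts.include_sibling:
            relevant.update(SIBLINGS_OF.get(pkg, []))
    results: Dict[str, float] = {}
    for v in advisories:
        if v.package not in relevant:
            continue                      # not scanned, not a parent/sibling
        if v.will_not_fix and not opts.show_will_not_fix:
            continue                      # hidden unless the checkbox is on
        results[v.cve] = effective_score(v, opts)
    return results
```

With every option off, only the libc6 finding is reported; enabling the parent and sibling options adds the glibc and libssl1.1 findings, and the 'Will not fix' finding on openssl appears only when that checkbox is on.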

Show vulnerabilities marked 'Will not fix'

Some Linux distributions (mostly Red Hat) often mark vulnerabilities as "Will not fix", which usually means that the relevant packages will never be upgraded to a version that fixes these vulnerabilities in the specific branch of the distribution.


These vulnerabilities are generally not fixable, and should be taken into account when selecting base images. However, since users do not have much control over these vulnerabilities, the CyberCenter gives Aqua admins the ability to toggle the display of such "Will not fix" vulnerabilities using this checkbox.


Scanning for malware and sensitive data

Aqua requires you to explicitly enable scanning for malware and sensitive data in images, because scanning for these security issues can increase scan times significantly. It is nevertheless recommended that you enable scanning for these security issues from the Settings > Scanning page, as explained in the table above.