Overview

This topic explains to Aqua admins how to configure the options for image scanning. Any change to these configurations is reflected in future scans only, not in current or historic scan results. After changing a configuration, you must scan the images again to see the updated results.


Configure scanning options

To configure image scanning options:

  1. Navigate to Settings > Scanning. You will see the list of scanning options that are explained below.

  2. Enable or disable the following scanning options to configure your Aqua platform, as explained below:


Option: Scan Engine
  Shows the scan engine integrated with your Aqua application. Using this setting, you can switch from Trivy Premium Scanner to Classic Scanner or vice versa. For more information, refer to Trivy Commercial Scanner.

Option: Scan all registered images on a regular basis
  Configures Aqua to scan all registered images on a regular basis. For more information, refer to the Scan all registered images on a regular basis section. If you enable this setting, the Scan time, Daily, and Specific Days schedule settings appear.

Option: Include parent package vulnerabilities
  Aqua will include the vulnerability on both the scanned package and its parent package in the scan results. For more information, refer to the Parent package vulnerabilities section.

Option: Include sibling package vulnerabilities
  Aqua will include the vulnerability on both the scanned package and its sibling (associated) packages in the scan results. For more information, refer to the Sibling package vulnerabilities section.

Option: Use CVSS v3 vulnerability scoring (when available)
  CVSS v3 vulnerability scoring will be used for enforcing image assurance policy controls. If you do not select this option, or CVSS v3 scoring is not available for a vulnerability, CVSS v2 scoring will be used.

Option: Only scan images with scanner-cli daemons (if exist)
  Images will be scanned only by scanners started as daemon processes, and not by the scanner built into the Aqua server. This reduces the load on the server.

Option: Show vulnerabilities marked 'Will not fix'
  The scanner will check images for, and show, vulnerabilities marked by the component vendors as "will not fix". For more information, refer to the Show vulnerabilities marked 'Will not fix' section.

Option: Suggest fixes based on a newer OS version
  Aqua will recommend upgrading the Operating System (OS) to a newer version as the fix for vulnerable packages. If this option is not selected, the Vendor fix, Fixed version, and Solution attributes of the CVE will appear as "None" if such a fix is available. This setting is enabled by default.

Option: Scan standalone binaries in images
  The scanner will check images for OS packages that are not discovered by the distro package manager.

Option: Search for sensitive data in images and functions
  The scanner will check images for sensitive data (such as keys and passwords).

Option: Scan for malware
  The scanner will look for malware in the images.

Option: Extend malware scanning to executable files without executable permission
  This option can be selected only if the previous option, Scan for malware, is selected. The scanner will check the executable files of each image for malware. Images must be scanned again after enabling this setting to get its benefit. Selecting this option may impact scanning performance.

Option: Audit every scan
  Normally, audit results are logged only when an image is scanned for the first time. Re-scanning may yield different results each time an image is scanned. If you enable this setting, audit results are logged for all images every time they are scanned.

Option: Save CI/CD scans
  Aqua can integrate image scanning with the pipelines of many CI/CD systems. Normally, scan results of images scanned through the scanner-cli command are stored in Aqua only for registered images. If this setting is enabled, scan results of all images scanned through scanner-cli are stored and displayed in the Aqua UI, on the Images > CI/CD Scans page. If this setting is not enabled, the scan results of these images are sent to the CI/CD system and are not stored or displayed by Aqua.

Option: Send scan results to Log Management Systems
  Aqua will send full information on the detected security issues to integrated log management (SIEM) systems, through the webhook configured on the Settings > Image Scan Results Webhook page.

Option: Fast scanning
  If selected, Aqua enables fast scanning. This feature reduces image scanning time by caching image-related metadata in the Aqua CyberCenter. The cached data is not shared with other accounts.

Option: Save uncompressed image layers in cache
  Refer to the Save uncompressed image layers in cache section below. This option is available only if you use Classic Scanner.

  3. Click Save in the upper right of the page.


Scan all registered images on a regular basis

This is one of the settings that can be enabled from the Settings > Scanning page as explained in the table above. This setting configures Aqua to scan all registered images on a regular basis: every day or on selected weekdays, at a specific time of day. Selecting Daily can ensure that your images are scanned daily for the latest security issues.


When you configure this option, Aqua will scan each registered image as scheduled.


Parent package vulnerabilities

This is one of the settings that can be enabled from the Settings > Scanning page, as explained in the table above. The setting is explained with the following scenario:

  • Aqua image scanning discovers a vulnerability in package libc6.
  • Package libc6 has a source package, glibc, which we can refer to as the "parent" of libc6.
  • There is also a vendor report of a vulnerability in the parent, glibc.


If the setting Include parent package vulnerabilities is enabled, Aqua will include the vulnerability on both the package scanned (libc6) and its parent (glibc) in the scan results.

Sibling package vulnerabilities

This is one of the settings that can be enabled from the Settings > Scanning page, as explained in the table above. The setting is explained with the following scenario:

  • Aqua scanning discovers a vulnerability in package A.
  • In addition, the relevant vendor security advisory recommends updating other packages associated with package A. We can refer to them as "sibling" packages.
  • There is also a vendor report of a vulnerability in the sibling package.


If the Include sibling package vulnerabilities setting is enabled, Aqua will include the vulnerability on both the package scanned (A) and its sibling packages in the scan results.
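The following is an added illustration, not Aqua's own code, of how the parent and sibling settings from the two scenarios above widen a scan result. The package relationships, vendor reports and vulnerability IDs are constructed sample data; the assumption that a finding is copied to the parent or sibling only when the vendor also reports the same vulnerability against that package is this example's reading of the scenarios.

```python
# Added illustration (not Aqua code) of the "Include parent package
# vulnerabilities" and "Include sibling package vulnerabilities" settings.
# All names and IDs below are constructed sample data.

# Constructed: package -> its source ("parent") package.
PARENT_OF = {"libc6": "glibc", "libc-bin": "glibc"}
# Constructed: package -> packages the vendor advisory says to update with it ("siblings").
SIBLINGS_OF = {"openssl": ["libssl3"]}
# Constructed vendor reports: package -> vulnerability IDs reported against it.
VENDOR_REPORTS = {
    "libc6": ["VULN-SAMPLE-1"],
    "glibc": ["VULN-SAMPLE-1", "VULN-SAMPLE-2"],
    "openssl": ["VULN-SAMPLE-3"],
    "libssl3": ["VULN-SAMPLE-3"],
}


def scan_results(installed, include_parent=False, include_sibling=False):
    """Return {package: sorted vulnerability IDs} for the installed packages.

    Base behaviour: a vulnerability is reported on a package only when the
    vendor reports it directly against that package.
    include_parent:  also report the finding on the package's source package.
    include_sibling: also report it on the packages the advisory associates.
    Assumption of this example: the parent/sibling must itself carry a vendor
    report of the same vulnerability for the finding to be copied onto it.
    """
    findings = {}

    def add(pkg, vuln):
        findings.setdefault(pkg, set()).add(vuln)

    for pkg in installed:
        for vuln in VENDOR_REPORTS.get(pkg, []):
            add(pkg, vuln)
            parent = PARENT_OF.get(pkg)
            if include_parent and parent and vuln in VENDOR_REPORTS.get(parent, []):
                add(parent, vuln)
            if include_sibling:
                for sib in SIBLINGS_OF.get(pkg, []):
                    if vuln in VENDOR_REPORTS.get(sib, []):
                        add(sib, vuln)
    return {p: sorted(v) for p, v in sorted(findings.items())}
```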

Show vulnerabilities marked 'Will not fix'

Some Linux distributions (mostly Red Hat) often mark vulnerabilities as "Will not fix", which usually means that the relevant packages will never be upgraded to a version that fixes these vulnerabilities in the specific branch of the distribution.


These vulnerabilities are generally not fixable and should be taken into account when selecting base images. However, since users do not have much control over these vulnerabilities, the CyberCenter gives Aqua admins the ability to toggle the display of such "Will not fix" vulnerabilities using this checkbox.


Scanning for malware and sensitive data

Aqua requires you to explicitly enable scanning for malware and sensitive data in images, because scanning for these security issues can increase scan times significantly. It is nevertheless recommended that you enable scanning for these security issues from the Settings > Scanning page, as explained in the table above.


Save uncompressed image layers in cache

This setting should be used if the base and child images were built with different build tools such as Docker and Buildah.


If this checkbox is selected, Aqua will store identities of the uncompressed image layers in cache. This is used for mapping the child images with their base images, using the uncompressed image layer identities.


Changing this setting will invalidate the current cache on the image layer identities. If this checkbox is selected, all the images should be rescanned to rebuild the cache with the uncompressed image layer identities.


By default, Aqua stores the identities of the compressed image layers. When compressing image layers, different image build tools create different compressed image layer identities for the same uncompressed image layer. This prevents the mapping of child images to their base images. By enabling this setting, Aqua stores the uncompressed image layer identities irrespective of the image build tool, which allows child images to be mapped to their base images.
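The following is an added illustration, not Aqua's own code, of why compressed layer identities break base-image mapping across build tools and uncompressed identities do not. Two build tools are simulated by gzipping the same layer content with different gzip settings; the layer content, image name and the prefix-matching rule for "child built on base" are constructed assumptions of this example.

```python
# Added illustration (not Aqua code): compressed vs uncompressed layer
# identities for base-image mapping. Build tools are simulated by gzip
# settings; layer bytes and image names are constructed sample data.
import gzip
import hashlib
import io


def sha256(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def compress_layer(layer: bytes, level: int, mtime: int) -> bytes:
    """Stand-in for one build tool's gzip step (level/mtime differ per tool)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(layer)
    return buf.getvalue()


def layer_identities(compressed: bytes) -> tuple:
    """Return (compressed digest, uncompressed digest) for one layer blob."""
    return sha256(compressed), sha256(gzip.decompress(compressed))


def find_base_image(child_layers, base_images, use_uncompressed):
    """Return the name of the base image whose layer identities are a prefix
    of the child's, comparing either compressed or uncompressed identities."""
    idx = 1 if use_uncompressed else 0
    child_ids = [layer_identities(b)[idx] for b in child_layers]
    for name, layers in base_images.items():
        base_ids = [layer_identities(b)[idx] for b in layers]
        if child_ids[: len(base_ids)] == base_ids:
            return name
    return None


# Constructed sample layer shared by the base image and the child image.
BASE_LAYER = b"base layer: /etc/os-release, /bin/sh, ..." * 64
# Base built with "tool A"; the child rebuilt on the same base with "tool B".
BASE_BLOB_A = compress_layer(BASE_LAYER, level=9, mtime=0)
BASE_BLOB_B = compress_layer(BASE_LAYER, level=1, mtime=1700000000)
CHILD_BLOB = compress_layer(b"child layer: /app/server" * 16, level=1, mtime=1700000000)
BASES = {"sample-base:1.0": [BASE_BLOB_A]}
```

With compressed identities the child built by "tool B" matches no base; with uncompressed identities it maps to sample-base:1.0, which is the mapping the setting restores.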