Overview

This topic explains the command-line interface (CLI) for the Aqua scanner, which you use to scan container images and run other operations through arguments. The scanner CLI has multiple functions, each exposed as an argument with its own related flags.


The scanner CLI is run in one of the following ways:

  • Aqua Scanner Container: The scanner CLI runs as a container on your Linux host and requires some parameters to be passed through the Docker command.
  • Executable Binary: You pass commands directly to the scanner through an executable binary on the Linux or Windows operating system to scan the images.

You can also pass different flags with each command to specify different scanning options. For more information on Aqua scanner, refer to Aqua Scanner Overview.


Use cases:

  • When no plugin is available for your CI/CD integration, you can use the scanner CLI to scan your images.
  • You can use the scanner CLI when you cannot use the CI/CD plugin with the Docker engine.
  • When you do not have the permissions required to configure image scanning in the CI/CD plugin as you need, you can apply these customizations in the executable binary to scan the images.


Aqua Scanner container

Aqua scanner runs as a container on your Linux host through the Docker engine. Scanning images with the Aqua Scanner container takes two steps:

  1. Prerequisite: Pull the Aqua Scanner image to the Linux host. This is a one-time setup.
  2. Run the scan command using the command syntax.

Pull the Aqua Scanner to Linux host

Pull the scanner image from the Aqua registry to the host. On the Linux operating system, perform the following actions:

  1. Copy the following Docker command to log in to the Aqua registry.
  2. Replace <AQUA_USERNAME> and <AQUA_PASSWORD> with the credentials that you have received from Aqua Security.
  3. Run the Docker command after adding your user credentials.

docker login registry.aquasec.com -u <AQUA_USERNAME> -p <AQUA_PASSWORD>

  4. Run the following Docker command to pull the scanner image.

docker pull registry.aquasec.com/scanner:6.2

Download scanner executable binary

The scanner executable binary scans images in the same way as the Aqua scanner container. You can use the executable binary instead of the scanner container when you do not have the permissions required to configure image scanning in the CI/CD plugin as you need. You do not need a Docker container engine to scan images with the executable binary. Downloading the scanner executable binary is a one-time operation.


Download the scanner executable binary for Linux

You can download the executable binary file using the following link:


https://download.aquasec.com/scanner/6.2.0/scannercli


You need the username and password that you have received from Aqua Security to download the binary. You can run the binary scanner on either a VM or a container. For more information on scanning images using the executable binary, refer to Aqua Scanner Executable Binary.


Download and setup Aqua Scanner Installer for Windows

If you are on the Windows operating system, download the installation file named AquaScannerWindowsInstaller.6.2.*.msi and store it on your Windows machine.


Perform the following actions to download the scanner executable binary:

  1. Download the Windows installation file using the link: AquaScannerWindowsInstaller.6.2.21171.msi.
  2. Enter your Aqua credentials to download the file. The Aqua Scanner file is downloaded.
  3. Run the downloaded file on your machine. The Server Parameters dialog appears as shown below.
  4. Enter the parameter details as shown in the following dialog.
  5. Click Install. A new folder named Aquasec is created in C:/Program Files. You can find the scanner in this folder.


Once you run the scanner .msi file for Windows, the scanner executable binary for Windows is downloaded and stored in the Aquasec folder under C:/Program Files.


The scanner executable binary available at the previous link is an Intel Linux binary and works with the Linux and Windows operating systems. No executable binary is available for MacOS X, so you cannot scan images using the executable binary on MacOS X.


Command Syntax

The command syntax passed through the CLI interacts with either the Aqua scanner container or the executable binary to scan images and run other operations. The scanner CLI can be run in either Linux or Windows environments; on Windows, you can scan images using the scanner executable binary only. A command can have one argument, such as scan, and multiple general flags, such as -H, -U, and -P, for different operations. For more information, refer to General Command Syntax.


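Each argument passed through the scanner CLI executes a specific operation. The container commands below mount the host's Docker socket (/var/run/docker.sock) into the scanner container, which gives that container access to the host's Docker engine. The following sample command uses the scanner image on Linux to scan local images: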


docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:6.2 <argument> -H http://aqua-server:8080 -U <SCAN_USER> -P <SCAN_PASSWORD> --local imageName:tag <flags>


The following sample command uses the scanner image on Linux to scan images from a registry:


docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:6.2 <argument> -H http://aqua-server:8080 -U <SCAN_USER> -P <SCAN_PASSWORD> --registry "registry name" imageName:tag <flags>


The following sample command uses the scanner executable binary in your Linux environment:


./scannercli scan --dockerless -H http://aqua-server:8080 -U <SCAN_USER> -P <SCAN_PASSWORD> --local imageName:tag <flags>


The following sample command uses the executable binary in your Windows environment to scan images from a registry:


scannercli.exe <argument> -H http://aqua-server:8080 -U <SCAN_USER> -P <SCAN_PASSWORD> --registry "registry name" myimage:latest

For more information on each scanner command operation with the argument, sample syntax, and its output, refer to All Scanner Arguments.
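
A CI wrapper around the container commands above, as an added example that is not part of Aqua's documentation or code: it logs in with Docker's --password-stdin, validates the image reference, and builds the local or registry scan command. The environment variable names, DRY_RUN, and the function names are assumptions; -it is omitted because CI jobs have no TTY.

```shell
#!/bin/sh
# Added example, not Aqua's code. Assumed names: env vars AQUA_USERNAME,
# AQUA_PASSWORD, SCAN_USER, SCAN_PASSWORD, AQUA_SERVER, DRY_RUN; all functions.
SCANNER_IMAGE="registry.aquasec.com/scanner:6.2"

# Accept only characters legal in an image reference, so a value taken from a
# CI variable cannot be read as an extra option or smuggle in whitespace.
valid_image_ref() {
  case "$1" in
    "" | -* | *[!A-Za-z0-9._/:@-]*) return 1 ;;
  esac
  return 0
}

# One-time setup: --password-stdin keeps the registry password out of the
# process list and shell history, unlike -p on the command line.
registry_login_and_pull() {
  printf '%s' "$AQUA_PASSWORD" |
    docker login registry.aquasec.com -u "$AQUA_USERNAME" --password-stdin &&
    docker pull "$SCANNER_IMAGE"
}

# run_scan local IMAGE            scans an image on the local Docker engine
# run_scan "REGISTRY NAME" IMAGE  scans an image from a registry
run_scan() {
  mode=$1 image=$2
  valid_image_ref "$image" || { echo "rejected image reference: $image" >&2; return 2; }
  if [ -z "$SCAN_USER" ] || [ -z "$SCAN_PASSWORD" ]; then
    echo "SCAN_USER and SCAN_PASSWORD must be set" >&2; return 2
  fi
  pw=$SCAN_PASSWORD
  if [ "${DRY_RUN:-1}" = 1 ]; then pw='<redacted>'; fi   # never echo the secret
  # -it is dropped: CI jobs have no TTY to attach.
  set -- run --rm -v /var/run/docker.sock:/var/run/docker.sock "$SCANNER_IMAGE" \
    scan -H "${AQUA_SERVER:-http://aqua-server:8080}" -U "$SCAN_USER" -P "$pw"
  if [ "$mode" = local ]; then
    set -- "$@" --local "$image"
  else
    set -- "$@" --registry "$mode" "$image"
  fi
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "docker $*"; else docker "$@"; fi
}

# Demo with constructed values; DRY_RUN=1 prints the command instead of running it.
( SCAN_USER=ci-scanner; SCAN_PASSWORD=constructed-secret; DRY_RUN=1
  run_scan local myimage:latest )
```

Set DRY_RUN=0 in the pipeline to execute the scan; the default of 1 only prints the command with the password redacted.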