Overview

This topic explains how the security issues found when an image is scanned are presented, and describes the information about an image and its scan results that is shown in the image detail view.


Review security issues in an image

On the Images > General page, the Security Issues column may show the following for each repository or image:

  • A bar with one or more colored segments, representing the security issues found during the most recent scan of the images in the repository
  • The number of instances of malware
  • The number of instances of sensitive data


When a bar appears in the entry for a repository, it provides a quick visual indication of the most important security issues found in the images of that repository. When you expand the entry for a repository by clicking the right-arrow (>) to the left of the repository name, the bar indicates the number and type of security issues found for each image.


The color coding of the security issues bar is as follows:

  • No security issues (green)
  • Vulnerabilities of critical severity (dark red)
  • Vulnerabilities of high severity (red)
  • Vulnerabilities of medium severity (orange)
  • Vulnerabilities of low severity (yellow)
  • Vulnerabilities of negligible severity (grey)
  • Sensitive data (violet)
  • Malware (very dark grey)


Security issues found on different images are shown in the following example:



The example illustrates the following:


  • No security issues were detected by Aqua in the image in the busybox repository.
  • The image ccobutan/malware-test-debian:0.0.6 was found to contain 27 vulnerabilities of varying severity and 3 instances of malware. This image was also found to be non-compliant with one or more Image Assurance Policies.
  • The image hnaung/sensitive-data-test-image:latest contains 48 vulnerabilities and 3 instances of sensitive data. It is also non-compliant.

Image scan detail view


Click the image name to open the detail view of the image and its scan results. The image detail view consists of the following tabs, each explained in its own section below:

  • Risk
  • Vulnerabilities
  • Layers
  • Resources
  • Sensitive Data
  • Malware
  • Information
  • Scan History

Risk

This tab shows the following information:

  • Image compliance status
  • A Details widget showing the number and types of vulnerabilities in a pie chart
  • Evaluation status of each Image Assurance Policy (if the image is non-compliant)
  • The policy controls that caused the image to fail compliance (if the image is non-compliant)
  • An Actions Needed section explaining how to bring the image back into compliance (if the image is non-compliant)
  • A Rescan Image button, which scans the image again immediately



In the example shown above:

  • The Vulnerability_6 assurance policy failed because the vulnerability severity control failed
  • The Details widget shows the 27 vulnerabilities of different types in the pie chart
  • The Actions Needed section says that the image's vulnerabilities should be fixed to reduce security issues

Vulnerabilities

This tab shows the following information on a specific image:

  • A list of all vulnerabilities found in the image during its most recent scan, grouped by severity
  • Basic information on each vulnerability, such as its severity, affected resource, exploit availability, and vendor fix availability
  • Vulnerability detail view


The list is always filtered by one of the vulnerability severity levels (critical, high, medium, low, or negligible) selected at the top of the page. The following screenshot shows the list filtered to vulnerabilities of high severity:



Filter list

You can filter the list of vulnerabilities using controls at the top of the page as explained below:

  • Score: filters vulnerabilities by score, in the range 0 through 10
  • Search by CVE or resource: enter a CVE identifier or resource name to find the vulnerability you are looking for
  • More Filters:
    • Acknowledge: Yes or No
    • Vendor Fix: Yes or No
    • Exploit Availability: Available or Not Available
    • Exploit Type: either Remote, DoS, Local, or Web Apps


For example, the following screenshot shows the filtered list of vulnerabilities of high severity for which both a vendor fix and an exploit are available:
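The security issues bar and the Vulnerabilities tab filters described above amount to counting findings per severity and applying a few predicates to each finding. The following Python is an added example written for this page, not Aqua code: the record shape, field names and the placeholder CVE identifiers are assumptions, and the sample findings are constructed. It computes the per-severity counts behind the bar, applies the same filter controls the tab offers (severity, score range, CVE/resource search, acknowledgment, vendor fix, exploit availability, exploit type), and orders the open findings the way a triage pass usually does: exploitable and fixable first.

```python
from dataclasses import dataclass
from typing import Optional

# Severity levels in the order the security issues bar presents them.
SEVERITIES = ("critical", "high", "medium", "low", "negligible")


@dataclass(frozen=True)
class Vulnerability:
    """One finding. Field names are an assumption for this example, not Aqua's data model."""
    cve: str
    resource: str
    severity: str
    score: float                  # 0 through 10
    acknowledged: bool = False
    vendor_fix: bool = False      # a fixed version is available from the vendor
    exploit_available: bool = False
    exploit_type: Optional[str] = None  # "Remote", "DoS", "Local" or "Web Apps"


# Constructed sample findings with placeholder CVE ids; not real scan output.
SAMPLE = [
    Vulnerability("CVE-0000-0001", "openssl", "critical", 9.8, vendor_fix=True,
                  exploit_available=True, exploit_type="Remote"),
    Vulnerability("CVE-0000-0002", "openssl", "high", 7.5, vendor_fix=True,
                  exploit_available=True, exploit_type="DoS"),
    Vulnerability("CVE-0000-0003", "glibc", "high", 7.2),
    Vulnerability("CVE-0000-0004", "glibc", "high", 8.1, acknowledged=True,
                  vendor_fix=True, exploit_available=True, exploit_type="Local"),
    Vulnerability("CVE-0000-0005", "bash", "medium", 5.3, vendor_fix=True),
    Vulnerability("CVE-0000-0006", "bash", "low", 3.1),
    Vulnerability("CVE-0000-0007", "tar", "negligible", 1.0),
]


def severity_counts(vulns):
    """Number of findings per severity, in bar order; this is what each bar segment shows."""
    counts = {s: 0 for s in SEVERITIES}
    for v in vulns:
        counts[v.severity] += 1
    return counts


def filter_vulns(vulns, severity=None, min_score=0.0, max_score=10.0, search=None,
                 acknowledged=None, vendor_fix=None, exploit_available=None,
                 exploit_type=None):
    """Apply the tab's filter controls. None means that control is not set."""
    selected = []
    for v in vulns:
        if severity is not None and v.severity != severity:
            continue
        if not min_score <= v.score <= max_score:
            continue
        if search is not None:
            needle = search.lower()
            if needle not in v.cve.lower() and needle not in v.resource.lower():
                continue
        if acknowledged is not None and v.acknowledged != acknowledged:
            continue
        if vendor_fix is not None and v.vendor_fix != vendor_fix:
            continue
        if exploit_available is not None and v.exploit_available != exploit_available:
            continue
        if exploit_type is not None and v.exploit_type != exploit_type:
            continue
        selected.append(v)
    return selected


def fix_first(vulns):
    """Unacknowledged findings ordered for remediation: exploitable and fixable
    first, then by severity, then by score (highest first)."""
    open_vulns = [v for v in vulns if not v.acknowledged]
    return sorted(
        open_vulns,
        key=lambda v: (not (v.exploit_available and v.vendor_fix),
                       SEVERITIES.index(v.severity), -v.score),
    )


if __name__ == "__main__":
    print(severity_counts(SAMPLE))
    # The page's own example filter: high severity, vendor fix and exploit available.
    selected = filter_vulns(SAMPLE, severity="high", vendor_fix=True,
                            exploit_available=True, acknowledged=False)
    print([v.cve for v in selected])
    print([v.cve for v in fix_first(SAMPLE)])
```

Note that an acknowledged finding only drops out of the list when the Acknowledge filter is set to No, which mirrors the tab: acknowledging removes a vulnerability from the default list, but it is still part of the scan results.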



Vulnerability detail view

The vulnerability detail view appears when you click a specific vulnerability. It displays detailed information about the vulnerability. You can perform the following actions from the vulnerability detail view:

  • Acknowledge: click Acknowledge to acknowledge the vulnerability. Once acknowledged, it is removed from the list. For more information, refer to Apply and Manage Security Issue Acknowledgments.
  • NVD (National Vulnerability Database): click the NVD CVSS score to open the NVD web page on the vulnerability in a new tab (if available)
  • Vendor page: open the software vendor's web page on the vulnerability (if available)
  • Image link: click the image name to navigate to the Risk tab



Layers

This tab displays the vulnerabilities found in each layer of the image during its most recent scan. Results are reported per layer as they apply after the image layers are merged, so the tab does not show vulnerabilities that no longer exist, even if they were present in earlier (older) layers. Use this tab to find the layers that introduce vulnerabilities and fix them to improve the security of the image.


The following are the prerequisites to display the layer data:

  • Aqua must be configured in direct scanning mode
  • For user-initiated scans run through the Scanner CLI (Command Line Interface), the --layer-vulnerabilities flag must be passed to the scan command. For more information, refer to the scan argument.


You can filter vulnerabilities in the layers using controls at the top of the page as explained below:

  • Layers having vulnerabilities of a specific severity level: critical, high, medium, low, or negligible
  • Search for Layers: enter keywords from a layer name to find the vulnerabilities in that layer
  • Show Non-Vulnerable Layers: select this checkbox to include layers that have no vulnerabilities in the list. This is helpful when you want to see which layers have no security issues.
  • Hide base image layers: select this checkbox to hide vulnerabilities in the base image layers, so that you can focus on the layers of the image being scanned and fix issues in the current image.

You can click the right-arrow (>) to the left of a layer to display the full command of the layer, which you can copy using the Copy button. It also shows all the vulnerabilities in that layer, if there are any. From there, you can perform the same actions that are available in the Vulnerabilities tab.


Resources

This tab displays the vulnerabilities found in each resource (such as a package) in the image during its most recent scan. It also displays vulnerabilities found in the base image (if applicable). This information helps you fix the vulnerabilities in the resources to improve the security of the image.


You can find the following information about the resources of the image:

  • Resource name
  • Type
  • Version
  • Fix version
  • License
  • Vulnerabilities



You can filter vulnerabilities in the resources using controls at the top of the page as explained below:

  • Resources having vulnerabilities of a specific severity level: critical, high, medium, low, or negligible
  • Search by resource: enter keywords from a resource name to find the vulnerabilities in that resource
  • Show Files: enable this checkbox to display the files in the current image as well; when it is disabled, only packages are displayed
  • Hide Base Image Vulnerabilities: select this checkbox to hide vulnerabilities in resources that come from the base image, so that you can focus on the resources of the image being scanned and fix issues in the current image. This option is disabled when the image has no vulnerabilities from the base image used to create it.

You can click the right-arrow (>) to the left of a resource to display the full path to the resource, which you can copy using the Copy button. It also shows all the vulnerabilities in that resource, if there are any. From there, you can perform the same actions that are available in the Vulnerabilities tab.


Sensitive Data

This tab shows all sensitive data, such as passwords or keys, that were found in folders in the selected image. You can also see if the sensitive data has been acknowledged.


You can acknowledge or unacknowledge each instance of sensitive data from its menu. For more information, refer to Apply and Manage Security Issue Acknowledgments.



Malware

This tab shows all malware, such as viruses, found in folders in the selected image. You can also see whether the malware has been acknowledged, and copy the file hash and path of each malware instance using the Copy button.


You can acknowledge or unacknowledge each instance of malware from its menu. For more information, refer to Apply and Manage Security Issue Acknowledgments.



Information

This tab shows details of the selected image, including its date of creation, size, location, Docker-related information, operating system, and architecture. It also includes a history of activity on the selected image since its creation, such as details of its layers.



Scan History

This tab lists and summarizes the Image Assurance findings (compliance and security issues found) for the selected image. A new entry is created each time the findings are different from the previous image scan. If the findings are the same, the date of the previous scan is updated to that of the most recent scan.


By clicking Scan Date you can sort the list in either descending (default) or ascending order of the scan date.



In the example shown above:

  • In the first scan, the image was found to be compliant.
  • In the second scan, the image was found to be non-compliant, and several vulnerabilities were found.


Scan results can differ for several reasons, such as a change in the image or a change in any of the Image Assurance Policies whose scope includes the image.
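The Scan History rule described above (a new entry only when the findings change, otherwise the existing entry's date moves forward) is easy to get wrong when reimplementing it, for example in a script that mirrors scan results into a ticketing system. The following Python is an added example written for this page, not Aqua code: the findings summary, its field names and the scan sequence are constructed assumptions. It records a sequence of scans under that rule, sorts the entries the way the Scan Date control does, and reports which parts of the findings changed between two entries, which is the "reason" the tab's text refers to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanFindings:
    """Summary of one scan. Field names are an assumption for this example, not Aqua's data model."""
    compliant: bool
    vulnerabilities: tuple        # ((severity, count), ...) sorted, so equality is stable
    malware: int = 0
    sensitive_data: int = 0
    failed_policies: tuple = ()   # names of Image Assurance Policies that failed


def findings(compliant, vulns=None, malware=0, sensitive_data=0, failed_policies=()):
    """Build a ScanFindings with a canonical (sorted) vulnerability tuple."""
    vulns = dict(vulns or {})
    return ScanFindings(compliant, tuple(sorted(vulns.items())), malware,
                        sensitive_data, tuple(sorted(failed_policies)))


@dataclass
class HistoryEntry:
    scan_date: str          # ISO-8601 text, so string sorting is date sorting
    findings: ScanFindings


def record_scan(history, scan_date, new):
    """Scan History rule: add an entry only when the findings differ from the
    latest entry; otherwise move the latest entry's date to this scan."""
    if history and history[-1].findings == new:
        history[-1].scan_date = scan_date
    else:
        history.append(HistoryEntry(scan_date, new))
    return history


def sorted_by_date(history, descending=True):
    """The tab's Scan Date sort; descending is the default view."""
    return sorted(history, key=lambda e: e.scan_date, reverse=descending)


def changed_fields(old, new):
    """Which parts of the findings changed between two entries (why a new entry exists)."""
    return [name for name in ("compliant", "vulnerabilities", "malware",
                              "sensitive_data", "failed_policies")
            if getattr(old, name) != getattr(new, name)]


def demo():
    # Constructed scan sequence (not real data).
    history = []
    record_scan(history, "2024-01-01T08:00:00", findings(True))
    # Same findings again: no new entry, the existing entry's date moves forward.
    record_scan(history, "2024-01-02T08:00:00", findings(True))
    # Image or policy changed: non-compliant with vulnerabilities, so a new entry.
    record_scan(history, "2024-01-03T08:00:00",
                findings(False, {"high": 2, "medium": 1},
                         failed_policies=("Vulnerability_6",)))
    return history


if __name__ == "__main__":
    for entry in sorted_by_date(demo()):
        print(entry.scan_date, "compliant" if entry.findings.compliant else "non-compliant",
              dict(entry.findings.vulnerabilities))
```

Comparing whole findings rather than only the compliance flag matters: a scan that stays non-compliant but picks up a new vulnerability still produces a new entry, which is what the tab shows.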