Aqua scans container images based on a constantly updated stream of aggregate sources of vulnerability data (CVEs, vendor advisories, and proprietary research), which ensures up-to-date, broad coverage while minimizing false positives. Additionally, find malware, embedded secrets, and configuration issues in your images to further reduce the attack surface. Aqua automates security testing in your CI/CD pipeline and continuously scans registries to detect emerging risks. You get actionable feedback within your CI/CD environments to empower developers to fix issues fast.

Aqua users can create image assurance policies that determine which images should be allowed to progress through your build pipeline. Assurance policies are based on any combination of vulnerability score or severity, malware severity, the presence of sensitive data, and more. It also gains insight into your vulnerability posture, prioritize remediation, and mitigation according to contextual risk. 

This topic explains the security issues detected in image scanning, location of images to be scanned, and Operating System (OS), programming language, binary support by Aqua for image scanning.

Security issues in images

Aqua scans images to detect the following security issues:

  • Vulnerabilities: security holes in third-party code (packages) that have been identified by governmental organizations such as NIST and software vendors.
  • Sensitive data: the data consists of sensitive information such as user or application related information. For example, private RSA keys
  • Malware: software intentionally designed to cause damage; for example, viruses, worms, ransomware, and spyware

Scanning for sensitive data and malware is optional and controlled by your Aqua Admin from the Settings > Scanning page. For more information, refer to Configure Scanning Options.


Aqua Security maintains a list of known vulnerabilities and malware in the Aqua CyberCenter which serves as the information hub for threat-related intelligence. The CyberCenter continually receives threat-related feeds from the software vendors.

Sensitive data in user code

Aqua detects the following patterns of sensitive data:

  • Private keys: CMS, DSA private keys, EC private keys, encrypted private keys, RSA) private keys
  • PKCS #7 signed data, PKCS7
  • SSL session parameters

Malware detection

Aqua normally scans only executable files in the image. It calculates the hash values of the file being scanned, and compares them with values known to ClamAV, an open source antivirus engine for detecting malware (and other threats).

Malware scanning is enabled by the following scan options by your Aqua admin:

  • Scan for malware
  • Extend malware scanning to non-executable files. Aqua also scans files in ELF format.

Location of images for scanning

Aqua scans container images located in the following locations, under the conditions specified.

Image Registries

Aqua Admins can add image registries to Aqua. This enables Aqua to scan images in the registries. Once image scanning is completed, the images are considered registered.

Aqua can be configured to scan images automatically when: 

  • They have been added to a known registry
  • They have been changed since the previous time they were scanned
  • At a specific time of day every day, or on certain days of the week

In addition, you can manually trigger re-scanning of one or more images from UI or through Command Line Interface (CLI). Aqua enters all images for scanning in its scan queue.

CI/CD systems

Aqua Admins can integrate Aqua image scanning into the pipeline of many CI/CD systems. Scanning of images in the integrated CI/CD systems takes place synchronously within the context of the CI/CD pipeline.

Support of software components for image scanning

Aqua scans images which are developed on different OS packages, programming languages components, and may contain different binaries. This section explains different types of OS packages, programming language components, and binaries in which Aqua can detect vulnerabilities while scanning an image. 

OS packages

Aqua identifies vulnerabilities in operating system (OS) packages, based on information collected from security advisories published by OS vendors. Aqua extracts the OS packages that were deployed through the OS package manager (e.g., apt or yum) and checks whether the extracted packages have known vulnerabilities. 

Aqua supports the following OS packages:

  • Alpine
  • Amazon Linux
  • CentOS
  • Debian
  • Mariner OS (supported by Trivy commercial scanner only)
  • Microsoft Windows Server
  • RedHat Enterprise Linux
  • SUSE Linux and openSUSE Linux
  • Ubuntu

Programming language components

CyberCenter maintains vulnerability information for popular programming languages. Scanning process can identify vulnerabilities in programming language components (files and packages). 

Aqua scans programming language files in the file system for specific patterns such as specific file extensions or file names, which are popularly used by open-source components under different programming languages. Aqua extracts the open-source components and file signatures that it finds and compares them against its threat intelligence of known open-source vulnerabilities.

Aqua also looks for binaries that were not deployed with a standard OS package manager. These binaries will be examined for open-source components and compared against Aqua’s threat intelligence.

The following table lists the supported programming languages, as well as how the scanner identifies them in the image.

LanguageFiles searched forWithin directories

JAR files (Aqua looks for MANIFEST.MF within the jars) which are found using Group ID, Artifact ID, or version.


  • jars can be extracted from other JAR, WAR, or EAR files
  • For the JAR files which cannot be found using Group ID, Artifact ID, or version, JAR file SHA ids are used to find them
Javascript.js filesall
NuGet (.Net)csproj, .config, project.json, or .deps.json filesall
PythonMETADATA or pkg-info files<PackageName>.egg-info; <PackageName>.dist-info
RubyGemfile.lock and *.gemspec filesall

Standalone binaries

Aqua can detect vulnerabilities in more than 500 kinds of standalone binaries (applications installed directly without the use of a package manager). These include Apache, GZIP, Httpd, Java, Mongo, Mysql, Nginx, Node, PHP, Postgres, Python, Redis, Ruby, SSL, SVN, and more. You can contact Aqua Security for a more complete list.

Your Aqua admin can enable this functionality from the Settings > Scanning page. For more information, refer to Configure Scanning Options.