TABLE OF CONTENTS
- Security issues in images
- Sensitive data in user code
- Malware detection
- Location of images for scanning
- Support of software components for image scanning
Aqua scans container images based on a constantly updated stream of aggregated vulnerability data sources (CVEs, vendor advisories, and proprietary research), which ensures up-to-date, broad coverage while minimizing false positives. It also finds malware, embedded secrets, and configuration issues in your images to further reduce the attack surface. Aqua automates security testing in your CI/CD pipeline and continuously scans registries to detect emerging risks. You get actionable feedback within your CI/CD environments so that developers can fix issues fast.
Aqua users can create image assurance policies that determine which images are allowed to progress through your build pipeline. Assurance policies can be based on any combination of vulnerability score or severity, malware severity, the presence of sensitive data, and more. Aqua also gives you insight into your vulnerability posture so that you can prioritize remediation and mitigation according to contextual risk.
This topic explains the security issues detected by image scanning, the locations of the images to be scanned, and the operating system (OS) packages, programming language components, and binaries that Aqua supports for image scanning.
Security issues in images
Aqua scans images to detect the following security issues:
- Vulnerabilities: security holes in third-party code (packages) that have been identified by governmental organizations such as NIST and software vendors.
- Sensitive data: data consisting of sensitive user- or application-related information; for example, private RSA keys.
- Malware: software intentionally designed to cause damage; for example, viruses, worms, ransomware, and spyware.
Scanning for sensitive data and malware is optional, and controlled by your Aqua Admin from the Settings > Scanning page.
Aqua Security maintains a list of known vulnerabilities and malware in the Aqua CyberCenter, which serves as the information hub for threat-related intelligence. The CyberCenter continually receives threat-related feeds from software vendors.
Sensitive data in user code
Aqua detects the following patterns of sensitive data:
- Private keys: CMS, DSA private keys, EC private keys, encrypted private keys, and RSA private keys
- PKCS #7 signed data (PKCS7)
- SSL session parameters
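As an added illustration (not Aqua's own scanner code), this Python script looks for the PEM block types listed above in an unpacked image file system and reports which files carry them; the category names, directory layout and file bodies are constructed for the example.

```python
import os
import re
import tempfile

# PEM labels mapped to the sensitive-data categories above; other PEM types (certificates, public keys) are ignored.
SENSITIVE_LABELS = {
    "RSA PRIVATE KEY": "rsa-private-key", "DSA PRIVATE KEY": "dsa-private-key",
    "EC PRIVATE KEY": "ec-private-key", "PRIVATE KEY": "pkcs8-private-key",
    "ENCRYPTED PRIVATE KEY": "encrypted-private-key", "PKCS7": "pkcs7-signed-data",
    "CMS": "cms", "SSL SESSION PARAMETERS": "ssl-session-parameters",
}
# A PEM block is "-----BEGIN X-----", a body, then "-----END X-----" with the same X.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

def find_sensitive(data):
    # Return the categories of sensitive PEM blocks present in one file's bytes.
    hits = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        if label in SENSITIVE_LABELS:
            hits.append(SENSITIVE_LABELS[label])
    return hits

def scan_tree(root, max_bytes=1 << 20):
    # Walk an unpacked image file system and map relative path -> findings.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue  # skip symlinks and large blobs; a production scanner would stream these
            with open(path, "rb") as f:
                hits = find_sensitive(f.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    # Constructed files: two keys that must be flagged and a certificate that must not; bodies are placeholder base64.
    files = {
        "etc/app/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
        "etc/app/server.crt": b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
        "home/app/.ssh/id_ecdsa": b"-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END EC PRIVATE KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        return scan_tree(root)
```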
Malware detection
Aqua normally scans only executable files in the image. It calculates the hash value of each file being scanned and compares it with hash values known to ClamAV, an open-source antivirus engine for detecting malware and other threats.
Malware scanning is enabled when your Aqua admin selects the following scan option:
- Scan for malware
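Added example, not Aqua's or ClamAV's code: hash-based matching of executable files in an unpacked image against a signature list written in the hash:size:name line shape used by ClamAV hash-signature files. The sample binary, its signature and the file tree are all constructed inside the script.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a known-bad binary: ELF magic plus filler. Its hash is computed in demo().
SAMPLE = b"\x7fELF" + b"\x00" * 12 + b"constructed test sample, not a real binary"

def parse_hash_signatures(text):
    # Parse "hash:size:name" lines (the shape of ClamAV hash-signature files) into {hash: (size, name)}.
    sigs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":")[:3]
        sigs[digest.lower()] = (None if size == "*" else int(size), name)
    return sigs

def looks_executable(path, head):
    # Executable by format (ELF or PE magic) or by mode bit; scripts without +x are skipped here.
    return head.startswith(b"\x7fELF") or head.startswith(b"MZ") or os.access(path, os.X_OK)

def scan_tree(root, sigs):
    # Hash every executable file under root; return {relative path: signature name} for matches.
    matches = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as f:
                data = f.read()
            if not looks_executable(path, data[:4]):
                continue
            hit = sigs.get(hashlib.sha256(data).hexdigest())
            if hit and hit[0] in (None, len(data)):  # size must agree when the signature states one
                matches[os.path.relpath(path, root)] = hit[1]
    return matches

def demo():
    sig_text = ("# constructed signature list\n"
                f"{hashlib.sha256(SAMPLE).hexdigest()}:{len(SAMPLE)}:Constructed.Test.Sample\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/local/bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "usr/local/bin/helper"), "wb") as f:
            f.write(SAMPLE)       # flagged: ELF magic, and hash and size match the signature
        with open(os.path.join(root, "etc/notes.txt"), "wb") as f:
            f.write(SAMPLE[16:])  # not an executable, so it is never hashed
        return scan_tree(root, parse_hash_signatures(sig_text))
```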
Location of images for scanning
Aqua scans container images located in the following locations, under the conditions specified.
Aqua Admins can add image registries to Aqua. This enables Aqua to scan the images in those registries. Once image scanning is completed, the images are considered registered.
Aqua can be configured to scan images automatically when:
In addition, you can manually trigger re-scanning of one or more images from the UI or through the Command Line Interface (CLI). Aqua places all images to be scanned in its scan queue.
Aqua Admins can integrate Aqua image scanning into the pipeline of many CI/CD systems. Scanning of images in the integrated CI/CD systems takes place synchronously within the context of the CI/CD pipeline.
Support of software components for image scanning
Aqua scans images that are built on different OS packages and programming language components and may contain different binaries. This section lists the OS packages, programming language components, and binaries in which Aqua can detect vulnerabilities while scanning an image.
Aqua identifies vulnerabilities in operating system (OS) packages, based on information collected from security advisories published by OS vendors. Aqua extracts the OS packages that were deployed through the OS package manager (e.g., apt or yum) and checks whether the extracted packages have known vulnerabilities.
Aqua supports the following OS packages:
- Amazon Linux
- Microsoft Windows Server
- Oracle Linux
- RedHat Enterprise Linux
- SUSE Linux Enterprise
Programming language components
The CyberCenter maintains vulnerability information for popular programming languages. The scanning process can identify vulnerabilities in programming language components (files and packages).
Aqua scans programming language files in the file system for specific patterns, such as file extensions or file names, that are commonly used by open-source components in different programming languages. Aqua extracts the open-source components and file signatures it finds and compares them against its threat intelligence on known open-source vulnerabilities.
Aqua also looks for binaries that were not deployed with a standard OS package manager. These binaries are examined for open-source components and compared against Aqua's threat intelligence.
The following table lists the supported programming languages, as well as how the scanner identifies them in the image.
| Language | Files searched for | Within directories |
| --- | --- | --- |
| NuGet (.NET) | .csproj, .config, project.json, or .deps.json files | all |
| Python | METADATA or PKG-INFO files | <PackageName>.egg-info; <PackageName>.dist-info |
| Ruby | Gemfile.lock and *.gemspec files | all |
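Added example, not the Aqua scanner's code: it applies the table's search rules to an unpacked image, extracts (ecosystem, name, version) from Python METADATA/PKG-INFO files, Gemfile.lock and .deps.json, and looks each component up in a constructed advisory table. The advisory IDs are placeholders, and exact-version lookup stands in for the version-range matching a real vulnerability feed requires.

```python
import json
import os
import re
import tempfile
from email.parser import HeaderParser

# Constructed advisory data keyed by (ecosystem, package, version); a real feed is matched by version range.
KNOWN_VULNS = {("python", "example-lib", "1.0.0"): "ADVISORY-PLACEHOLDER-1",
               ("ruby", "example-gem", "2.2.3"): "ADVISORY-PLACEHOLDER-2"}
# In Gemfile.lock a resolved gem is indented 4 spaces ("    rack (2.2.8)"); its dependencies 6.
GEM_LINE = re.compile(r"^ {4}(\S+) \((\S+)\)$")

def parse_metadata(text):  # METADATA / PKG-INFO use RFC 822 style headers
    hdr = HeaderParser().parsestr(text)
    return [("python", hdr["Name"].lower(), hdr["Version"])]
def parse_gemfile_lock(text):
    return [("ruby", m.group(1), m.group(2)) for m in map(GEM_LINE.match, text.splitlines()) if m]
def parse_deps_json(text):  # "libraries" keys in .deps.json look like "Package/Version"
    libs = json.loads(text).get("libraries", {})
    return [("nuget", k.split("/", 1)[0].lower(), k.split("/", 1)[1]) for k in libs if "/" in k]

def inventory(root):
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as f:
                text = f.read()
            if name in ("METADATA", "PKG-INFO") and os.path.basename(dirpath).endswith((".dist-info", ".egg-info")):
                found += parse_metadata(text)
            elif name == "Gemfile.lock":
                found += parse_gemfile_lock(text)
            elif name.endswith(".deps.json"):
                found += parse_deps_json(text)
    return found

def vulnerable(components):
    return sorted((c, KNOWN_VULNS[c]) for c in components if c in KNOWN_VULNS)

def demo():  # constructed image file system: a Python wheel, a bundled Ruby app, a .NET app
    files = {
        "usr/lib/python3/site-packages/example_lib-1.0.0.dist-info/METADATA":
            "Metadata-Version: 2.1\nName: example-lib\nVersion: 1.0.0\n\nLong description\n",
        "app/Gemfile.lock": "GEM\n  remote: https://rubygems.org/\n  specs:\n    example-gem (2.2.3)\n      rack (>= 1.0)\n    rack (2.2.8)\n",
        "app/bin/App.deps.json": json.dumps({"libraries": {"App/1.0.0": {}, "Newtonsoft.Json/13.0.1": {}}}),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
                f.write(body)
        return vulnerable(inventory(root))
```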
Aqua can detect vulnerabilities in more than 500 kinds of standalone binaries (applications installed directly without the use of a package manager). These include Apache, GZIP, Httpd, Java, Mongo, Mysql, Nginx, Node, PHP, Postgres, Python, Redis, Ruby, SSL, SVN, and more. You can contact Aqua Security for a more complete list.
Your Aqua admin can enable this functionality from the Settings > Scanning page.