Image Scanning
TABLE OF CONTENTS
- Overview
- Security issues in images
- Sensitive data in user code
- Malware detection
- Location of images for scanning
- Support of software components for image scanning
- Standalone binaries
Overview
Aqua scans container images based on a constantly updated stream of aggregate sources of vulnerability data (CVEs, vendor advisories, and proprietary research), which ensures up-to-date, broad coverage while minimizing false positives. Additionally, find malware, embedded secrets, and configuration issues in your images to further reduce the attack surface. Aqua automates security testing in your CI/CD pipeline and continuously scans registries to detect emerging risks. You get actionable feedback within your CI/CD environments to empower developers to fix issues fast.
Aqua users can create image assurance policies that determine which images should be allowed to progress through your build pipeline. Assurance policies are based on any combination of vulnerability score or severity, malware severity, the presence of sensitive data, and more. It also gains insight into your vulnerability posture, prioritize remediation, and mitigation according to contextual risk.
This topic explains the security issues detected in image scanning, location of images to be scanned, and Operating System (OS), programming language, binary support by Aqua for image scanning.
Security issues in images
Aqua scans images to detect the following security issues:
- Vulnerabilities: security holes in third-party code (packages) that have been identified by governmental organizations such as NIST and software vendors.
- Sensitive data: the data consists of sensitive information such as user or application related information. For example, private RSA keys
- Malware: software intentionally designed to cause damage; for example, viruses, worms, ransomware, and spyware
Scanning for sensitive data and malware is optional and controlled by your Aqua Admin from the Settings > Scanning page. For more information, refer to Configure Scanning Options.
Aqua Security maintains a list of known vulnerabilities and malware in the Aqua CyberCenter which serves as the information hub for threat-related intelligence. The CyberCenter continually receives threat-related feeds from the software vendors.
Sensitive data in user code
Aqua detects the following patterns of sensitive data:
- Private keys: CMS, DSA private keys, EC private keys, encrypted private keys, RSA) private keys
- PKCS #7 signed data, PKCS7
- SSL session parameters
Malware detection
Aqua normally scans only executable files in the image. It calculates the hash values of the file being scanned, and compares them with values known to ClamAV, an open source antivirus engine for detecting malware (and other threats).
Malware scanning is enabled by the following scan options by your Aqua admin:
- Scan for malware
- Extend malware scanning to non-executable files. Aqua also scans files in ELF format.
Location of images for scanning
Aqua scans container images located in the following locations, under the conditions specified.
Image Registries
Aqua Admins can add image registries to Aqua. This enables Aqua to scan images in the registries. Once image scanning is completed, the images are considered registered.
Aqua can be configured to scan images automatically when:
- They have been added to a known registry
- They have been changed since the previous time they were scanned
- At a specific time of day every day, or on certain days of the week
In addition, you can manually trigger re-scanning of one or more images from UI or through Command Line Interface (CLI). Aqua enters all images for scanning in its scan queue.
CI/CD systems
Aqua Admins can integrate Aqua image scanning into the pipeline of many CI/CD systems. Scanning of images in the integrated CI/CD systems takes place synchronously within the context of the CI/CD pipeline.
Support of software components for image scanning
Aqua scans images which are developed on different OS packages, programming languages components, and may contain different binaries. This section explains different types of OS packages, programming language components, and binaries in which Aqua can detect vulnerabilities while scanning an image.
OS packages
Aqua identifies vulnerabilities in operating system (OS) packages, based on information collected from security advisories published by OS vendors. Aqua extracts the OS packages that were deployed through the OS package manager (e.g., apt or yum) and checks whether the extracted packages have known vulnerabilities.
Aqua supports the following OS packages:
- Alpine
- Amazon Linux
- CentOS
- Debian
- Mariner OS (supported by Trivy commercial scanner only)
- Microsoft Windows Server
- RedHat Enterprise Linux
- SUSE Linux and openSUSE Linux
- Ubuntu
Programming language components
CyberCenter maintains vulnerability information for popular programming languages. Scanning process can identify vulnerabilities in programming language components (files and packages).
Aqua scans programming language files in the file system for specific patterns such as specific file extensions or file names, which are popularly used by open-source components under different programming languages. Aqua extracts the open-source components and file signatures that it finds and compares them against its threat intelligence of known open-source vulnerabilities.
Aqua also looks for binaries that were not deployed with a standard OS package manager. These binaries will be examined for open-source components and compared against Aqua’s threat intelligence.
The following table lists the supported programming languages, as well as how the scanner identifies them in the image.
| Language | Files searched for | Within directories |
|---|---|---|
| Java | JAR files (Aqua looks for MANIFEST.MF within the jars) which are found using Group ID, Artifact ID, or version. Notes:
| all |
| Javascript | .js files | all |
| Node.js | package.json | all |
| NuGet (.Net) | csproj, .config, project.json, or .deps.json files | all |
| PHP | composer.lock | all |
| Python | METADATA or pkg-info files | <PackageName>.egg-info; <PackageName>.dist-info |
| Ruby | Gemfile.lock and *.gemspec files | all |
Standalone binaries
Aqua can detect vulnerabilities in more than 500 kinds of standalone binaries (applications installed directly without the use of a package manager). These include Apache, GZIP, Httpd, Java, Mongo, Mysql, Nginx, Node, PHP, Postgres, Python, Redis, Ruby, SSL, SVN, and more. You can contact Aqua Security for a more complete list.
Your Aqua admin can enable this functionality from the Settings > Scanning page. For more information, refer to Configure Scanning Options.
Did you find it helpful? Yes No
Send feedback