This topic explains how you can test Aqua's image scanning feature. In this document, we will consider a use case of adding an image to Aqua from a registry and see the actions and results of scanning the image in Aqua. As a prerequisite, your Aqua admin should first integrate with an image registry from which you want to add an image for scanning.

The image scanning process covered in this document is explained with features offered in the Advanced plan. When you purchase a plan, features offered in image scanning may vary depending on the selected plan. 


The following are required before you start image scanning:

  • Ensure that your security team or Aqua admin defines the required image assurance policies from the Policies > Assurance Policies page. If you do not want to define a policy at this time, your image will be evaluated using a predefined default Image Assurance Policy. For more information, refer to Image Assurance Policies.

Image scanning process

This section explains the image scanning process by adding images to Aqua, manually from the integrated image registries. The Default Image Assurance Policy is considered for the evaluation of this image compliance. To execute this process:

  1. Navigate to the Images page.
  2. Click Add Images. Registry Search dialog appears.
  3. Add any image name using repository and tag or search an image in the specific repository. To show this process, image, hnaung/sensitive-data-test-image:latest is added for reference. For more information on adding images, refer to Images Screen Operations.

View results of image scanning

Images list and detail view

You can see that image scanning results with security issues found in the Images page. In this example, vulnerabilities of different severities and sensitive data have been found in the selected image: 

You can click the image to navigate to the image scan detail view page. You can find the following information in the respective tabs of the image scan detail view page:

  • Risk: Image compliance status, details of security issues found, and evaluation with respect to Image Assurance Policies
  • Vulnerabilities: All vulnerabilities found in the image
  • Layers: Vulnerabilities found in each layer of the image
  • Resources: Vulnerabilities found in each resource (such as a package) of the image
  • Sensitive Data: All sensitive data, such as passwords or keys, which were found in folders in the selected image
  • Malware: All malware, such as viruses, which were found in folders in the selected image
  • Information: General information about the image
  • Scan History: A list of Image scans, with scan results, which have been conducted on the image

For more information on the image scan detail view page, refer to Image Scan Detail View.

Vulnerabilities page

You should navigate to the Security Repots > Vulnerabilities page to get detailed analysis on the list of vulnerabilities found in the image. You can see detailed information on the vulnerabilities in either of two display modes as explained in the following sections.

Risk-based Insights

This view is designed to help you focus on the most important and urgent vulnerabilities to fix them in priority order. All your vulnerabilities are organized in the predefined risk categories. In the following example of results on the image scanned in the previous section, you can see 103 vulnerabilities that were found in the image, organized per the risk categories. A given vulnerability may be listed in multiple categories, depending on the presence of potential threats in the vulnerability.

This view helps you focus on the highest risk category, Available or Remote Exploit than low or medium severity vulnerabilities to improve security of the image.

All Vulnerabilities

On this page, you can view the list of all vulnerabilities found in the image scanned in the previous section. You can also filter the list as required to prioritize fixing them.

Other methods of image scanning

There are other ways of scanning images, besides the manual process explained above: 

  • Scanning registered Images from the integrated image registries automatically, as per schedule set in the Aqua Settings > Scanning page.
  • Images that are in your CI/CD pipelines can be scanned automatically. This can be performed only when you have integrated your CI/CD pipeline with Aqua and enabled Save CI/CD scans from the Settings > Scanning page. Images from the CI/CD pipelines are displayed in the Images > CI/CD Scans page. For more information, refer to Images Screen Operations.