Overview

This topic explains how you can test Aqua's image scanning feature after you sign up for a free trial. In this document, we consider the use case of adding an image to Aqua from a registry and examining the actions and results of scanning that image in Aqua. As a prerequisite, your Aqua admin should first integrate an image registry from which you want to add an image for scanning.


When you sign up with Aqua, you are assigned Aqua's Advanced plan for the trial period. The image scanning process covered in this document is explained with the features offered in the Advanced plan. When you purchase a plan, the features offered in image scanning may vary depending on the selected plan. When your trial period expires, the Image Scanning module is not offered if you continue with the Developer plan, which is free of charge. To continue using the Image Scanning module, you should purchase a commercial Aqua license with the Team, Advanced, or Enterprise plan.


Prerequisites

Following are the prerequisites that you must meet before you start image scanning:

  • Ensure that your security team or Aqua admin defines the required image assurance policies on the Policies > Assurance Policies page. If you do not want to define a policy at this time, your image will be evaluated using the out-of-the-box default image assurance policy. For more information, refer to Image Assurance Policies.



Image scanning process

This section explains the image scanning process by adding images to Aqua manually from the integrated image registries. The default image assurance policy is used to evaluate the compliance of this image. To execute this process:

  1. Navigate to the Images page.
  2. Click Add Images. The Registry Search dialog appears.
  3. Add an image by name using repository and tag, or search for an image in a specific repository. To illustrate this process, the image hnaung/sensitive-data-test-image:latest is added for reference. For more information on adding images, refer to Images Screen Operations.


View results of image scanning

Images list and detail view

You can see the image scanning results, with the security issues found, on the Images page. In this example, vulnerabilities of different severities and sensitive data were found in the selected image, as shown below.



You can click the image to navigate to the image scan detail view page. You can find the following information in the respective tabs of the image scan detail view page:

  • Risk: image compliance status, details of the security issues found, and the evaluation of the policies considered
  • Vulnerabilities: list of all vulnerabilities found in the image
  • Layers: vulnerabilities found in each layer of the image. This information helps you fix them to improve the security of the image
  • Resources: vulnerabilities found in each resource (such as a package) of the image. This information helps you fix them to improve the security of the image
  • Sensitive Data: all sensitive data, such as passwords or keys, found in folders in the selected image. This information helps you fix the sensitive data issues to improve the security of the image
  • Malware: all malware, such as viruses, found in folders in the selected image. This information helps you remove the issues to improve the security of the image
  • Information: general information about the image
  • Scan History: the image scan just performed, with its scan results

For more information on the image scan detail view page, refer to Image Scan Detail View.



Vulnerabilities page

Navigate to the Security Reports > Vulnerabilities page to get a detailed analysis of the vulnerabilities found in the image. You can see detailed information on the vulnerabilities in two display modes, as explained in the following sections.


Risk-based Insights

This view is designed to help you focus on the most important and urgent vulnerabilities and fix them first. All your vulnerabilities are organized into predefined risk categories. In the following example of results for the image scanned in the previous section, the 53 vulnerabilities found in the image are organized by risk category. One vulnerability may be listed in multiple categories, depending on which potential threats are present in the vulnerability.


This view helps you focus on the highest risk category, Available or Remote Exploit, rather than on low or medium severity vulnerabilities, to improve the security of the image.
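The grouping described above, as an added example that is not Aqua's code or report format: constructed findings are placed into risk categories (a finding may land in several) and ordered for remediation so that an exploitable medium-severity issue ranks above a non-exploitable high-severity one. Only the "Available or Remote Exploit" category name comes from the page; the other category labels, the matching rules, and the field names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample findings; not Aqua's report format and not from a real scan.
FINDINGS = [
    {"id": "VULN-3", "severity": "medium", "exploit_available": True,
     "remote": False, "fix_version": "1.2.0"},
    {"id": "VULN-1", "severity": "critical", "exploit_available": True,
     "remote": True, "fix_version": "2.3.1"},
    {"id": "VULN-4", "severity": "high", "exploit_available": False,
     "remote": False, "fix_version": None},
    {"id": "VULN-2", "severity": "high", "exploit_available": False,
     "remote": True, "fix_version": None},
]

# Risk categories, highest priority first. Only "Available or Remote Exploit"
# is named on the page; the other labels and rules are assumed for this example.
CATEGORIES = [
    ("Available or Remote Exploit",
     lambda f: f["exploit_available"] or f["remote"]),
    ("Critical or High Severity",
     lambda f: f["severity"] in ("critical", "high")),
    ("Fix Available", lambda f: f["fix_version"] is not None),
    ("Low or Medium Severity",
     lambda f: f["severity"] in ("low", "medium")),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def categorize(findings):
    """Group finding ids by risk category; one finding may appear in several."""
    buckets = defaultdict(list)
    for f in findings:
        for name, matches in CATEGORIES:
            if matches(f):
                buckets[name].append(f["id"])
    return dict(buckets)


def fix_order(findings):
    """Order findings for remediation: by the highest-priority category each
    one belongs to, then by severity within that category."""
    def key(f):
        top = next((i for i, (_, m) in enumerate(CATEGORIES) if m(f)),
                   len(CATEGORIES))
        return (top, SEVERITY_RANK[f["severity"]])
    return [f["id"] for f in sorted(findings, key=key)]
```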



All Vulnerabilities

On this page, you can view the list of all vulnerabilities found in the image scanned in the previous section. You can also filter the list as required to prioritize fixing them.



Other methods of image scanning

Besides scanning images manually as explained above, your images can be scanned in the following ways:

  • Registered images from the integrated image registries are scanned automatically, as per the schedule set on the Aqua Settings > Scanning page.
  • Images in your CI/CD pipelines can be scanned automatically. This works only when you have integrated your CI/CD pipeline with Aqua and enabled Save CI/CD scans on the Settings > Scanning page. Images from the CI/CD pipelines are displayed on the Images > CI/CD Scans page. For more information, refer to Images Screen Operations.