TABLE OF CONTENTS
- Compatibility with Aqua components
- Install the Aqua Security extension in Azure DevOps
- Create new service connection
- Use extension to scan images
- View image scanning results
The Azure DevOps Extension in the Azure Marketplace provides an easy way for Aqua to scan images in Azure DevOps projects to detect various security issues.
The Aqua Security extensions are installed in the Azure DevOps projects. Once installed, you can add a build step to scan the image.
This topic explains how to install and configure the Aqua Security extension for Azure DevOps, and then how to use it to scan images during the build process, and view the scan results.
Compatibility with Aqua components
Aqua Security Extension (images)
- Linux: 6.x (container)
- Windows: Artifacts (embedded scanner) (recommended) and 4.2.0
Supported agent pools
The list below shows which agent pools should be used to scan images through Aqua extension. The agent pool is different for Linux and Windows.
Ensure that the Aqua Scanner image is pulled to the agent pool through Docker registry connection in Azure DevOps. If the required scanner image is not already pulled, this will be done automatically before image scanning, when you connect to Docker registry in Azure DevOps.
If you use Aqua extension having scanner version later than 4.2.0, you should use Artifacts feature to download the scanner binary. For example, if you want to use Windows scanner version 5.2.0 or 6.2.0, you should create an artifact to download and publish the package from Aqua storage and add the package as a task in the Azure image scanning pipeline. Using artifacts, the desired scanner version is packaged and used in the Azure image scanning pipeline to scan Windows based images. For more information, refer to
If you use Aqua extension having scanner version 4.2.0, the Aqua Scanner binary executable is embedded in the Aqua extension, so there is no need to pull or install it.
- Before you configure the Azure DevOps extension, make sure that you have scanner permission assigned by your Aqua admin.
- You should add a Docker Login task before the Aqua's Image Scanning task, having a valid service connection to your docker instance. This task help scanning Linux images from Aqua, through your specific docker instance.
Install the Aqua Security extension in Azure DevOps
This procedure configures Aqua Server as a service connection in Azure DevOps. This is executed by installing the Aqua Security extension downloaded from Azure Marketplace. To download and install the extension:
- In your browser, navigate to this Azure Marketplace URL. You are navigated to the Aqua Security extension page.
2. Click Get it free. You will be redirected to the Install extension page.
3. From the dropdown, select an Azure DevOps organization.
4. Click Install. The extension is installed to your Azure DevOps organization.
Create new service connection
You should create a new service connection from your Azure DevOps project to Aqua server using which system will scan images in the Aqua Security task. To create a new connection:
- In the Azure DevOps console, select the project in which you want to scan images with Aqua.
- In the left pane, select Project settings.
3. In the left pane, navigate to Pipelines > Service connections.
4. Click Create service connection and select Generic. New Generic service connection dialog appears.
5. Enter following details in the new service connection dialog:
- Server URL: the Aqua Server URL or IP address
- Username: an Aqua user with scanner permissions
- Password/Token Key: the Scanner user password
- Service connection name: a name for the connection
- Description: (Optional) description for the service connection
- Select Enable Grant access permission to all pipelines
6. Click Save. A new service connection to the specified Aqua server is created.
Use extension to scan images
You can use the Aqua Security extension to scan images, as a step in a pipeline build process. This task scans a Docker image for security vulnerabilities and compare it against an image assurance policy. You should add this task after a step that builds a Docker image and before a step that pushes the image to a registry.
To add Aqua Security as a task in the build process:
- In the Azure DevOps console, navigate to Pipelines in the left pane.
- Select the required pipeline from the available list.
- Click Edit on the top right of the page. Pipeline detail view appears.
4. In the Tasks tab on the left pane, Click + and go to the Marketplace tab.
5. In the Marketplace tab on the right pane, in the search box, enter Container Security. Container Security extension from Aqua appears in the search results.
6. Click Get it free. The Aqua Security extension is added to this pipeline and it is available in the All tab now.
This extension shows Installed, if you have already installed extension by following steps mentioned in the section, Install the Aqua Security extension in Azure DevOps.
7. In the Tasks tab on the left pane, Click + and go to the All tab.
8. Hover on the Aqua Security task and click Add. A new task Image Scanning is now added to the list of tasks on the left pane.
9. In the Tasks tab on the left pane, click the just added task, Image Scanning. Task configuration page appears on the right pane.
10. Enter the following details in the Aqua extension configuration page:
|Task version||Version of the specific task|
|Display name||Name of the step that should appear in the list of build steps|
|Scan type||Select one of the following options:|
|Registry||Name of the Aqua registry in which the image is stored (for the remote scan). Entering details in this field is required when you select hosted in the Scan type field.|
|Aqua Management Console Connection||From dropdown, select the required service connection name that you have created by following steps mentioned in the section, Install the Aqua Security extension in Azure DevOps.|
|Docker Compose File||Specify the file which has multiple images that need scanning|
|Tar File Path||Enter the file path which has images stored in the docker tar file|
|Policies||Apply the list of image assurance policies to the image. You can enter multiple policies separated by spaces.|
|Shell command to execute when no compliance||(optional) Add a shell command to be run after scanning, if the image is found to be non-compliant|
|Custom flags||Add additional command-line flags here. You should pass the --direct-cc flag to connect to the CyberCenter directly. Passing this flag is mandatory, if you connect Aqua with Azure DevOps through token based authentication.|
|Do not verify TLS certificates||Select this checkbox to prevent scanner check the valid TLS certificates (use this in a development environment, for example).|
|Collect malware files when scanning image||Select this checkbox to look for malware files in images while scanning|
|Show vulnerabilities that will not be fixed||Select this checkbox to check images for vulnerabilities marked by the component vendors as "will not fix"|
|Register the image in the Aqua Server only if is determined to be compliant||Select this checkbox, if required|
|Local image||Register: Select the Register checkbox to register the image with the Aqua Server after it is scanned. You can select this option if you have selected local in the Scan type field|
|Hosted image||Enter following details, if you have selected hosted in the Scan typefield:|
|Linux Parameters||Enter the following Linux parameter if your image is Linux based:|
|Windows Parameters||Enter the following Windows parameter if your image is Windows based:|
|Control Options||Enter the following details for the Control Options:|
|Output Variables||Reference name: Enter a unique name in the Reference name field to allow a given task to publish a set of variables back to server, so the variables can be used in the downstream jobs. For more information, refer to the Azure document, Output Variables.|
Aqua scans the image during execution of a task in the build process. For local images, Aqua uses the Default image assurance policy. For images in a registry, Aqua applies all image assurance policies. For more information, refer to Image Assurance Policies.
Scan results are returned to the build process. If the scan results are negative, the process will proceed as per action on the Continue on error switch and the policy actions settings in the policies.
View image scanning results
Select the desired pipeline from the list of available pipelines, and select Aqua Scanner Report tab to view the scan results. A sample image scan result is shown below:
Did you find it helpful?Send feedback