Policy Scope
TABLE OF CONTENTS
- Overview
- Additional Scope Criteria
- Scope Definition
- Interpretation of Scope Terms
- Define Additional Scope Criteria
Overview
This topic explains the configurations applied in defining the additional scope criteria in the image assurance policy. Scope explained in this document refers to the following:
- Scope: Selecting the application scope in the policy configuration always predefined to Global, meaning scope covers all the images unless additional scope criteria is defined to limit the scope. Aqua does not support editing the Global scope definition and creating the custom application scope to select in the policy configuration.
- Additional Scope Criteria: In the image assurance policy configuration, you can apply different conditions in the additional scope criteria, to set the logic of defining scope to images. Defining additional scope criteria is optional and is associated to Global configuration of application scope. You cannot define additional scope criteria in the Default image assurance policy.
For more information on the image assurance policy and its configuration, refer to Image Assurance Policies.
Additional Scope Criteria
You can optionally configure a policy with additional scope criteria. It's purpose is to limit the set of images, the policy should apply to. After scanning a given image, Aqua will apply all image assurance policies whose scope includes the image, in order to determine image compliance. For example, additional scope criteria can enable an image assurance policy to restrict images with only a specific image tag to get covered under the scope.
A syntax is used for the definition of additional scope criteria as explained below:
- A scope definition comprises one or more terms. Each term consists of a category, an attribute, and its value (in a few cases, two values must be specified)
- Value(s) can incorporate an asterisk (*) for use as a wildcard (representing zero or more characters). Values cannot contain embedded spaces. You can use an asterisk to represent one or more characters, including spaces.
Examples of scope term: image, label, lab1, *blue* (there are two values in this case). In this example, category=image=, attribute=label, values=lab1, *blue*.
To form a complete scope definition with multiple terms, you can use the following logical operators, between the terms to form a regular expression:
- Logical operators: AND, AND NOT, OR, and OR NOT
- Parentheses, which can change the order of evaluation (which is normally from left to right) as shown in the following sample
Following is the expression for sample scope definition having three terms connected with logical operators:
(image.name."*latest*" AND aqua.registry."Docker Hub") OR (image.label."lab1","*blue*")
Scope Definition
The scope of an Image Assurance Policy can include the following attributes for the respective categories listed below:
- Aqua: Label, Registry
- Build: Pipeline
- Image: Author, Environment Variable, Label, Name, OS
Example
This scope will select all images named *rhel*, that are found in either the Aqua registry named X or the Aqua registry named Y as shown in the scope definition below:
aqua.registry.X OR aqua.registry.Y AND image.name.*rhel*
This is logically same as:
(aqua.registry.X OR aqua.registry.Y) AND image.name.*rhel*
Interpretation of Scope Terms
Following table explains the interpretation of value to each attribute in the respective categories. You can refer the following table while entering values for the respective attributes.
| Category | Attribute | Interpretation of value(s) |
|---|---|---|
| Aqua | Label | Name of the Aqua Label |
| Registry | Name of a registry as defined in Aqua | |
| Build | Pipeline | Name of the pipeline |
| Image | Author | Author field of the container image (Maintainer field of the Dockerfile) |
| Environment Variable | Environment variable (name and value) | |
| Label | Image label name (key) and value as defined in the container engine (for example: Docker). For more information, refer to the Docker document, Label. Note: This is not an Aqua label. | |
| Name | Image name | |
| OS | Image OS. This can be either Linux or Windows |
Define Additional Scope Criteria
When configuring an image assurance policy, you can define additional scope criteria, which is associated to the Global application scope.
To define additional scope criteria:
- Navigate to Policies > Assurance Policies.
- Create a new policy or edit any existing policy to define additional scope criteria. For more information, refer to Operations on Assurance Policies. Note that you cannot define additional scope criteria to the Default image assurance policy.
- Click + Additional Scope Criteria in the Scope field.
- Under Additional Scope Criteria, select the required category, attribute from the dropdown and enter values in the text boxes. For more information on this, refer to the Interpretation of Scope Terms section.
- Click Add. Navigation and definition process is shown in the previous screenshot.
When you add each term, it will be added to the complete scope definition in the following text box. By default, each new term is added with AND operator. You can edit the text in the box manually to change this to a different logical operator, add parentheses, or change the scope definition as required.
When the term Label appears as an attribute when you select Aqua category, It is the Aqua Label.
When the term Label appears as an attribute when you select Image category, it refers to a label that has been defined independently as part of an image or a container.
Did you find it helpful? Yes No
Send feedback