Which images are scanned?

We use the term "qualifying images" for all images that are "in scope" but not "excluded", as defined below:

In scope

When integrated, DTA scans every image that falls within the scope of at least one Image Assurance Policy that includes the Dynamic Threat Analysis policy control. (This differs from standard Aqua Enterprise image scanning, where the Image Assurance Policy scope is used only to determine image compliance and has no effect on which images get scanned.)

Excluded (limitations)

The following are not scanned by DTA:

  1. Other artifacts: DTA does not scan host images, CF Applications, hosts, or serverless functions
  2. Images from a Docker v1 registry
  3. Images built with Docker schema Version 1
  4. Images in OCI format
  5. Windows images

What if an image is in scope, but is excluded from DTA scanning?

The scanner detects that DTA scanning cannot be performed for the image and does not attempt it. An Image Assurance Policy that contains the Dynamic Threat Analysis policy control will not fail the image for this reason.

The UI indicates that DTA scanning was skipped and shows the reason in both the Risk tab and the Dynamic Threat Analysis tab of the image in question. DTA scanning works in both direct and Docker scanning mode.

What triggers DTA scanning?

Qualifying images will be scanned as follows:

  1. Adding images to Aqua from a registry: DTA scanning will be performed
  2. Images in an integrated CI/CD system, sent to Aqua Enterprise for scanning: DTA scanning will be performed 
  3. Images previously added to Aqua: 
    • Re-scanning: DTA scanning will be performed only for images that do not already have DTA scan results
    • Full re-scan: DTA scanning will be performed. If scan results already exist for the image, they will be updated.

Use Image Assurance Policy scope to avoid waste

As explained in assurance policies, the scope of an Image Assurance Policy determines the images that the policy applies to. After scanning a given image, Aqua will apply all Image Assurance Policies whose scope includes the image, in order to determine image compliance.

In the case of DTA, Aqua also uses this scope, for policies that include the Dynamic Threat Analysis control, to determine which images get scanned by DTA. Since DTA scans are costly, you can configure the scopes of these Image Assurance Policies to limit DTA scanning to the images that really require it.
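The following is an added example, not Aqua's own code, that models the decision logic described in the sections above: an image qualifies for DTA when it is in the scope of at least one Image Assurance Policy carrying the Dynamic Threat Analysis control and is not one of the excluded artifact types, and a plain re-scan does not repeat DTA for an image that already has results. The scope representation (fnmatch-style patterns over "registry/repository:tag") and the `Image` / `ImageAssurancePolicy` records are assumptions made for illustration; Aqua's real scope model is richer. Detection of the excluded formats uses the standard registry manifest media types and the platform OS field of the image.

```python
"""Model of Aqua DTA's "qualifying image" rule (added example, not Aqua code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Standard registry manifest media types, used here to recognise the excluded formats.
DOCKER_MANIFEST_V1 = "application/vnd.docker.distribution.manifest.v1+json"
DOCKER_MANIFEST_V1_SIGNED = "application/vnd.docker.distribution.manifest.v1+prettyjws"
DOCKER_MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

DTA_CONTROL = "Dynamic Threat Analysis"


@dataclass
class Image:
    """Assumed image record; field names are illustrative, not Aqua's data model."""
    ref: str                          # e.g. "registry.example.com/prod/api:1.0"
    manifest_media_type: str
    os: str = "linux"                 # platform OS from the image config
    registry_api_version: int = 2     # 1 = legacy Docker v1 registry
    has_dta_results: bool = False     # True once a DTA scan has completed


@dataclass
class ImageAssurancePolicy:
    """Assumed policy record: a name, scope patterns and the set of enabled controls."""
    name: str
    scope_patterns: list = field(default_factory=list)
    controls: set = field(default_factory=set)


def in_scope(image: Image, policy: ImageAssurancePolicy) -> bool:
    """Scope is modelled as fnmatch patterns over the full image reference (assumption)."""
    return any(fnmatchcase(image.ref, pattern) for pattern in policy.scope_patterns)


def exclusion_reason(image: Image):
    """Return why DTA cannot scan this image, or None if the format is supported."""
    if image.registry_api_version == 1:
        return "image from a Docker v1 registry"
    if image.manifest_media_type in (DOCKER_MANIFEST_V1, DOCKER_MANIFEST_V1_SIGNED):
        return "image built with Docker schema version 1"
    if image.manifest_media_type == OCI_MANIFEST:
        return "image in OCI format"
    if image.os.lower() == "windows":
        return "Windows image"
    return None


def dta_decision(image: Image, policies: list):
    """Return (scan, reason): scan is True only for a qualifying image.

    An excluded image in scope of a DTA policy is skipped with a reason, and
    (per the documentation) that skip does not by itself fail the policy.
    """
    dta_policies = [p for p in policies
                    if DTA_CONTROL in p.controls and in_scope(image, p)]
    if not dta_policies:
        return False, "not in scope of any policy with the DTA control"
    reason = exclusion_reason(image)
    if reason is not None:
        return False, f"DTA skipped: {reason}"
    return True, "in scope of: " + ", ".join(p.name for p in dta_policies)


def dta_on_trigger(image: Image, policies: list, trigger: str):
    """Apply the trigger rules: 'add' and 'ci' always scan a qualifying image,
    'rescan' only scans images without existing DTA results, 'full_rescan'
    always scans and refreshes existing results."""
    scan, reason = dta_decision(image, policies)
    if not scan:
        return False, reason
    if trigger == "rescan" and image.has_dta_results:
        return False, "re-scan: existing DTA results kept (use full re-scan to refresh)"
    return True, reason


if __name__ == "__main__":
    # Constructed sample data: one policy with the DTA control scoped to /prod/,
    # one without it scoped to /dev/.
    prod = ImageAssurancePolicy("prod-dta", ["registry.example.com/prod/*"],
                                {DTA_CONTROL, "Vulnerability score"})
    dev = ImageAssurancePolicy("dev-basic", ["registry.example.com/dev/*"],
                               {"Vulnerability score"})
    samples = [
        Image("registry.example.com/prod/api:1.0", DOCKER_MANIFEST_V2),
        Image("registry.example.com/dev/api:1.0", DOCKER_MANIFEST_V2),
        Image("registry.example.com/prod/oci-app:1.0", OCI_MANIFEST),
        Image("registry.example.com/prod/iis:2019", DOCKER_MANIFEST_V2, os="windows"),
        Image("registry.example.com/prod/api:2.0", DOCKER_MANIFEST_V2, has_dta_results=True),
    ]
    for img in samples:
        for trigger in ("add", "rescan", "full_rescan"):
            print(f"{img.ref:45} {trigger:12} -> {dta_on_trigger(img, [prod, dev], trigger)}")
```

Narrowing `scope_patterns` on the policies that carry the DTA control is the knob the section above refers to: every image matched by such a pattern is a paid-for DTA run, while images matched only by policies without the control are never sent to DTA.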

DTA scan results

Once the image scan is initiated, DTA runs and analyzes the image for several minutes, then displays the detailed analysis results, including the potential risk level that the image would present if allowed to run in an open, networked environment. The results appear in the Dynamic Threat Analysis tab of each DTA-scanned image.

As with any other Image Assurance Policy control, failure of this control will cause the DTA-scanned image to be considered non-compliant.