2022 March SaaS Update Release
The March 2022 SaaS Update Release includes the following changes with respect to the previous SaaS product release.
Unless otherwise stated, all updates were made available on March 13.
TABLE OF CONTENTS
- Image Scanning and Workload Protection
- Additional predefined default Image Assurance Policies
- Image Assurance Policies: scope filtering of images by repository
- Images screen enhancements
- Vulnerabilities screen enhancements
- IBM Cloud Container Registry integration
- Support for ACR integration using token authentication
- Base image identification from child image when they were built using different tools
- Enhancements for Trivy Premium scanner
- Vulnerability Exploitability control for Image, Function, and Host Assurance Policies
- Setting in the Image registry configuration to pull and scan the latest images
- Workload Protection
Image Scanning and Workload Protection
Additional predefined default Image Assurance Policies
These new predefined Image Assurance Policies are named "default" because they have the Global application scope:
- Malware-Default-Policy: includes the Malware control
- Sensitive-Data-Default-Policy: includes the Sensitive Data control
Image Assurance Policies: scope filtering of images by repository
In Image Assurance Policies, the additional scope criteria can specify filtering of images by repository. Refer to Specific Scope Definitions for Image Assurance Policies for all scope filtering options.
Images screen enhancements
It is possible to filter the images listed in the Images screen by failed Image Assurance Policy.
Vulnerabilities screen enhancements
The Vulnerabilities screen, when viewing All Vulnerabilities, allows selection of multiple severity levels simultaneously (multi-select) for filtering the list.
IBM Cloud Container Registry integration
It is possible to integrate with IBM Cloud Container Registries by specifying ICR Region, account ID, username, and password.
Support for ACR integration using token authentication
It is possible to integrate with Azure Container Registry through token authentication, by using token name and token password.
Base image identification from child image when they were built using different tools
If you use the Legacy commercial scanner, the Scanning Settings page includes the "Save uncompressed image layers in cache" checkbox, which is used for mapping the child image to its base image when they were built with different image build tools.
Enhancements for Trivy Premium scanner
The Aqua Trivy Premium scanner:
- Supports scanning objects for sensitive data and malware
- Detects vulnerabilities in more than 500 kinds of standalone binaries (applications installed directly without the use of a package manager). For the complete list of standalone binaries, contact Aqua Security.
- Supports the OVAL 2 security feed from Red Hat, to get the best and richest results for Red Hat artifacts directly from Red Hat. Trivy Premium is also a certified scanning partner of Red Hat.
Vulnerability Exploitability control for Image, Function, and Host Assurance Policies
- Image, Function, and Host Assurance Policies support the "Vulnerability Exploitability" control. If included in a policy, this control will fail the image, serverless function, and host if any exploitable vulnerabilities are detected during scanning.
- The Scan Report output of the Jenkins Plugin for Image Scanning includes information about all exploitable vulnerabilities detected.
Setting in the Image registry configuration to pull and scan the latest images
Image Registry integration > Registry Configuration > Advanced settings includes a new option which will automatically pull and scan only the specified number of latest images from the repositories.
Workload Protection
Dashboard: drill down for details
Several dashboard widgets contain clickable text elements; clicking them will open a UI screen that shows details of the element in question. For example: In the "Images with Security Issues" widget, clicking the text "Contain Malware" will open the Images screen, pre-filtered to show all images with malware found during scanning.
The widgets and their clickable elements are as follows:
Dashboard widget | Drill down for details |
---|---|
Container Runtime Events | All; Blocked events; Detected events; Malware events |
Containers with Security Issues | Containers (all); Unregistered running containers; Containers with Image Issues: |
Host Assurance Policy Compliance | Hosts; Non-compliant; Malware; Compliant |
Host Runtime Events | All; Blocked events; Detected events; Malware events |
Image Assurance Policy Compliance | Registered Images; Non-compliant; Compliant |
Images with Security Issues | Contain vulnerabilities; Contain malware; Contain sensitive data |
Enhanced audit event filtering
There are additional ways to filter the list of events shown in the Audit screen.
Audit Type
Selection | Includes audit events related to... |
---|---|
Non-Compliant | |
Sensitive Data | Images, functions, and hosts in which sensitive data is detected during scanning |
More Filters
Selection | Includes audit events related to... |
---|---|
Container Runtime Control Name | The Container Runtime Policy control(s) whose names include the text you enter into the Search field |
Host Runtime Control Name | The Host Runtime Policy control(s) whose names include the text you enter into the Search field |
Example: If you select "Container Runtime Control Name" and enter "Blocked" into the Search field, the filter will include audit events related to both the Executables Blocked and Volumes Blocked controls.
Additional predefined default Host Assurance Policies
These new predefined Host Assurance Policies are named "default" because they have the Global application scope:
- Malware-Default-Policy: includes the Malware control
- Sensitive-Data-Default-Policy: includes the Sensitive Data control
Aqua Cloud Connector: token-based authentication
The Aqua Cloud Connector can connect to the console through the proxy server using a token-based authentication method; the AQUA_CLOUD_CONNECTOR_TOKEN environment variable is used in place of a username and password.