The July 2022 SaaS Update Release includes the following changes with respect to the previous SaaS product release.

Unless otherwise stated, all updates were made available on July 17.


Workload Protection

General Availability of Express and Custom Runtime Protection Modes

(This was previously an Early Availability feature)

For more complete information, see the product documentation.

Aqua enforcement secures your workloads and infrastructure during runtime. Aqua offers two distinct modes for runtime protection: Express Runtime Protection Mode and Custom Runtime Protection Mode. For brevity, these will be called Express Mode and Custom Mode, respectively. The Runtime Protection Mode selection does not affect Aqua assurance functionality.

Express Mode provides low-friction, recommended best-practices runtime protection for containers, VM workloads, and Kubernetes clusters. As compared with Custom Mode:

  • Express Mode uses only a single security configuration for all runtime protection. An initial recommended configuration is predefined by Aqua; it allows some customization. For consistency with Custom Mode, this configuration is called a Runtime Policy. 
  • Express Mode is built for immediate Enforcer deployment at scale without the need to configure policies or Enforcer groups. The only action users need to do to protect their containers, VMs and clusters is to deploy Enforcers. The deployment commands are available in the Express Mode "Deploy Enforcers" view.

In Express Mode, Aqua Enforcers and KubeEnforcers use eBPF technology (on supporting operating systems) for low-impact instrumentation, to impact running applications minimally.

Express Mode is the recommended runtime protection configuration for most users and use cases. It deploys Aqua's expert Runtime Protection policies across your cloud-native workloads. Express Mode is optimized for rapid and safe deployment, and is recommended for new deployments.

Compliance of Kubernetes nodes with DISA STIG benchmarks 

When a KubeEnforcer is deployed, you can obtain the evaluation results of DISA STIG (Defense Information Systems Agency Security Technical Implementation Guides) benchmarks on your Kubernetes infrastructure. These results are displayed in the UI page Security Reports > DISA STIG Benchmarks. Refer to the product documentation. 

Sensitive Data tab added to the Workloads > Container detailed view

In the Workloads > Containers > Container detailed view, a new tab Sensitive Data has been added to show all the instances of sensitive data (such as passwords or keys) detected in container workloads.

Aqua Trivy Premium Scanner supports vShield

The Aqua Trivy Premium Scanner supports Vulnerability Shield (vShield) for the data feeds from various sources. 

Limitation: Trivy Premium does not support vShield for data feeds from CentOS and Red Hat OVAL v2.

Workload Protection and Image Scanning

Integrate JFrog Artifactory using API Key

It is possible to integrate with JFrog Artifactory image registries by using the JFrog API key (as well as username/password).

Docker labels of an image are shown in each audit event of its scanning results

In the Images screen > an image detailed view > Audit tab, in the details of each audit entry, Docker labels attached to the image at the time of audit event are shown. These Docker labels which are part of image metadata will help in further analysis in other integrated applications, such as Splunk.