FAQs


Can a non-admin of the "Organization/Workspace/Project" in an SCM tool set up an integration from Aqua?

No, Aqua currently grants this privilege only to admins of the "Organization/Workspace/Project" in the SCM tool. Once an admin has set up the integration, Supply Chain Security users can add code repositories from the SCM tool to Aqua for scanning.


Once "Connector Client" is deployed on my Kubernetes environment, to which address does this connect to report security issues detected in on-premises code repositories?

When deploying the "Connector Client" on your Kubernetes environment, pass the environment variable connect.client_url. It carries the address of the Kubernetes cluster to which the connector client should connect in order to report the security issues it detects.


On a host with Docker Compose, this address is that of the host machine on which Docker is installed. On Kubernetes environments, it is the Kubernetes cluster address, which can change over time. If no cluster address is passed through this environment variable, the connector client connects to the connector server at connect.codesec.aquasec.com, the address that was set up during the initial onboarding of Supply Chain Security.


Can I delete an Integration?

No, Aqua does not currently support deleting an integration. If you want an integration deleted, contact Aqua Support; Aqua will review the request and delete the integration if required.


Does Aqua support integration with GitHub personal accounts?

Aqua does not support integration with GitHub personal accounts currently. If you want to have this feature in Aqua, please contact Aqua Support.


Are there any APIs available through which I can use Supply Chain Security?

No, Aqua does not currently expose any APIs through which you can use Supply Chain Security. Aqua has plans to expose these APIs in the future.


Can code repositories in an SCM tool be discovered automatically after its integration?

Yes, Aqua discovers the code repositories in an SCM tool when the tool is connected. On the Integrations page, while creating a connection with an SCM tool, you can select the code repositories to scan. On the Code Repositories page, you can select code repositories at any later time.


For more information, refer to Code Repository Integrations to select code repositories at the time of integration with the SCM tool, or to Code Repositories and Checks to select code repositories at any later time.


Can Aqua automatically discover pipeline files in a CI tool?

No, Aqua does not currently discover pipeline files that may exist in code repositories. This feature will be added soon.


Why are security issues in my "Go Language" go.mod dependencies not detected?

Go resolves module versions with minimal version selection: for each dependency, the build uses the highest version required by any module in the build graph, never a lower one and never a newer release that nothing requires. If your go.mod pins a fixed version explicitly, or a dependency requires the fixed version (which then appears in your go.mod as an indirect requirement), that version is selected for the build even if another module still lists an older, vulnerable version. Because the vulnerable version never enters the build list, no security issue is reported for it in the go.mod dependencies. Conversely, if no module in the graph requires a fixed version, the vulnerable version is selected and is reported. To see which version of each module the toolchain actually selects, run go list -m all in the repository.
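To make the selection rule concrete, here is an added example (not Aqua's code and not the Go toolchain's implementation) that runs minimal version selection over a constructed requirement graph. The module paths, versions and the "vulnerable"/"fixed" labels are hypothetical; the version comparator ignores pre-release tags, and replace/exclude directives and the pruned module graph of Go 1.17 and later are not modelled.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is one node in the requirement graph: a module path at a version.
// The root (main) module has an empty version.
type Module struct {
	Path    string
	Version string
}

// Requirements maps each (path, version) node to the require lines of its go.mod.
type Requirements map[Module][]Module

// compareVersions orders "vMAJOR.MINOR.PATCH" strings numerically and returns a
// negative, zero or positive value. Pre-release tags are not handled: this is a
// toy comparator, not golang.org/x/mod/semver.
func compareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		na, errA := strconv.Atoi(pa[i])
		nb, errB := strconv.Atoi(pb[i])
		if errA != nil || errB != nil {
			return strings.Compare(a, b) // unparseable: fall back to lexical order
		}
		if na != nb {
			if na < nb {
				return -1
			}
			return 1
		}
	}
	return len(pa) - len(pb)
}

// BuildList implements minimal version selection: walk every (path, version)
// node reachable from the root module and, for each module path, keep the
// highest version that any reachable go.mod requires. Nothing newer than what
// the graph asks for is ever chosen.
func BuildList(root Module, reqs Requirements) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{root: true}
	queue := append([]Module(nil), reqs[root]...)
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		if visited[m] {
			continue
		}
		visited[m] = true
		if cur, ok := selected[m.Path]; !ok || compareVersions(m.Version, cur) > 0 {
			selected[m.Path] = m.Version
		}
		queue = append(queue, reqs[m]...) // requirements of non-selected versions still count
	}
	return selected
}

// Constructed sample graphs: module paths are hypothetical and the
// "vulnerable"/"fixed" labels are illustrative, not real advisories.
var app = Module{Path: "example.com/app"}

// app's go.mod still lists lib v1.2.0 (assume vulnerable), but tool v1.0.0
// requires lib v1.5.0 (assume fixed), so v1.5.0 is selected.
var graphWithTransitiveFix = Requirements{
	app: {{Path: "example.com/lib", Version: "v1.2.0"}, {Path: "example.com/tool", Version: "v1.0.0"}},
	{Path: "example.com/tool", Version: "v1.0.0"}: {{Path: "example.com/lib", Version: "v1.5.0"}},
}

// Same app, but no module in the graph requires the fixed version: the
// vulnerable lib v1.2.0 stays in the build list and should be reported.
var graphWithoutFix = Requirements{
	app: {{Path: "example.com/lib", Version: "v1.2.0"}, {Path: "example.com/tool", Version: "v0.9.0"}},
	{Path: "example.com/tool", Version: "v0.9.0"}: {{Path: "example.com/lib", Version: "v1.1.0"}},
}

// BuildListLines renders a build list as sorted "path version" lines.
func BuildListLines(list map[string]string) []string {
	lines := make([]string, 0, len(list))
	for p, v := range list {
		lines = append(lines, p+" "+v)
	}
	sort.Strings(lines)
	return lines
}

func main() {
	fmt.Println("transitive dependency requires the fixed version:")
	fmt.Println(strings.Join(BuildListLines(BuildList(app, graphWithTransitiveFix)), "\n"))
	fmt.Println("no module requires the fixed version:")
	fmt.Println(strings.Join(BuildListLines(BuildList(app, graphWithoutFix)), "\n"))
}
```

Run it with go run: the first graph selects lib v1.5.0 although app's go.mod still names v1.2.0, while the second keeps v1.2.0 because nothing in the graph asks for anything newer. In a real repository, go list -m all prints the build list the toolchain selected, which is the set of versions a scanner should judge rather than the raw require lines.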


Which permissions do I need in my SCM tool to integrate with the Supply Chain Security module?

You must be an admin of your SCM tool “Organization” and have at least Read permission in the SCM tool to integrate with the Supply Chain Security module.


How does "Connector Client" in my server report scan results on on-premises code repositories to Aqua?

To learn how your on-premises code repositories are integrated with Aqua, refer to Integration with On-Premises Code Repositories.


How are scan results on code repositories reported to Aqua?

The connector client deployed on your server sends scan results to Aqua over HTTPS.


What are the details of scan results reported to Aqua?

Scan results include detailed information on the security issues detected in code repositories: the CVE IDs of vulnerabilities with their severities and CVSS scores, the last scanned date, the files in which security issues were detected, the code snippet in which sensitive data was detected, and so on.


Which programming languages are supported for the detection of vulnerabilities in code repositories?

Supply Chain Security uses Trivy Premium Scanner to scan packages of different programming languages and detect vulnerabilities. For the list of programming languages supported by Trivy Premium Scanner, refer to Language-specific Packages - Trivy.


What are the configuration types supported for scanning misconfigurations in code repositories?

Supply Chain Security uses Trivy Premium Scanner to scan code repositories and detect misconfigurations. Trivy Premium Scanner applies a separate set of policies for each configuration type it supports. For the list of supported configuration types, refer to Built-in Policies – Trivy.


Can I integrate with multiple “Organizations” in an SCM tool?

No, Aqua supports integrating with one “Organization” in an SCM tool currently.


As a developer, do I need access to the Aqua UI to see scan results on pull requests?

No. Scan results for pull requests are posted directly in the pull request, so developers can read them without the Aqua UI. Scan results for pushes, however, are displayed only in the Aqua UI.