Host image scanning is a feature that provides customers with visibility of container images that reside on a VM or worker node when using Docker or Kubernetes container orchestration. 

In this Document, we will be explaining this process.


Aqua provides two ways to scan and register host images: 

  • Using the Aqua UI; this requires an Aqua Enforcer to be deployed on the node where the image resides. 

  • Using a Scanner-CLI container (without the UI) 

Host image scanning using an AquEnforcer: UI  


1. The Aqua Server sends a request to a Gateway. As the image already exists on the node, the Enforcer runs the image container with the Analyzer binary as the container entry point.

In Kubernetes environments, the container will run under the Enforcer pod (as all containers must be assigned to a pod; otherwise, the orchestrator would kill the container).

2. The Gateway sends a request to the Enforcer to perform host scanning. The Enforcer invokes a process named “Analyzer” which helps enumerate the resources. 

3. The Enforcer analyzes the image and sends the results to the Gateway. 

4. The Gateway sends the results to the Server. 

In the newest Aqua versions, the KubeEnforcer verifies whether Kubernetes is deployed according to the security best practices as defined in the CIS Kubernetes Benchmark. This was previously done by the Kube-Bench. 


This is an example of what we see after the Enforcer starts up:

I0706 16:08:55.828240 2883877 cmdhandler.cpp:1280] Got GW command : 'host.image.scan' 
[slkscan] 2022/07/06 16:08:55 Starting image scan. Image-id: sha256:b629cf2da06f5e3efe38781a0f99e714a3ce4b3bf1603923f705bcd04a330e73, Image-name: 
I0706 16:09:10.824892 2883877 cmdhandler.cpp:1280] Got GW command : 'host.image.scan' 

In the following example, we can see in the console that the scan of the host image “postgres-exporter” is in process, and the image is in the scan queue:

        5. The Server runs the scan pipeline steps to finish the scanning. 


This message gets logged to say that it has completed the host image scan for "postgres-exporter: 

[slkscan] 2022/07/06 16:10:58 Image scan sha256:b629cf2da06f5e3efe38781a0f99e714a3ce4b3bf1603923f705bcd04a330e73 finished, run time: 0 days, 0 hrs, 2 mins, 3 secs 

Any image which is deployed as a running workload will be subsequently scanned by the Enforcer. 

Register host images using the Scanner-CLI container


docker run -v /tmp:/tmp -v /var/run/docker.sock:/var/run/docker.sock --user scanner --password <password> --host http://<host>:<port> scan --local <image:tag>


To export the scan results to a HTML file, add the following:

--register-compliant --htmlfile /tmp/out.html --jsonfile /tmp/out.json > /dev/null

  1. The Enforcer downloads the image layers locally and builds an internal image filesystem. It uses the “Analyzer” binary to enumerate all the resources in the image.
  2. The Enforcer sends the results to the Gateway.
  3. One of the scanners picks up the scan job in the scan queue from the Gateway and performs the scanning.
  4. This information is sent to the CyberCenter  which responds with a list of image resources with security risks.
  5. The Server applies the relevant Image Assurance Policies to determine whether the image is compliant or non-compliant.

Register host images only using Scanner-CLI binary

You can also utilize the binary Scanner-CLI to perform this scan. You can do this on your Linux and Windows hosts. This binary scanner can be run either on a VM or a container on your Linux host.


You can find further explanation here:

Aqua Scanner Executable Binary 




Related articles: