Serverless Functions code scan in a CI/CD pipeline
TABLE OF CONTENTS
- CI/CD Plugins for Serverless Function Scanning
- Tips and Tricks
- Additional Resources
By default, the Aqua platform integrates natively with the cloud environment where your serverless applications are deployed and scans the deployed functions for vulnerabilities in your code. To scan serverless application code before it is deployed, use the Aqua Scanner (container image or CLI binary) against the source folder, either from your shell or from a CI/CD pipeline.
Editions, platforms and tools covered by this article:
- Aqua Self-Hosted Edition
- Aqua SaaS Edition
- AWS Lambda
- Google Cloud Functions
- Aqua Scanner and/or the relevant Aqua Plugin
Scanning Serverless Functions using the binary Aqua Scanner or Aqua Scanner container
- How to use the Aqua Scanner Container Images
To scan serverless code or scripts from a CI/CD pipeline or directly from a Linux shell, run the Aqua Scanner with the --code-scan flag followed by the directory or file where the code is located:
--code-scan <directory or file where the code is located>
The following example can be used as-is once the placeholders are filled in. The function folder is mounted into the scanner container under /opt/aquasec, and the path given to --code-scan is the path as seen inside the container (the mount target), not the host path. SCALOCK_LOG_LEVEL=DEBUG only raises the scanner's log verbosity and can be omitted.
Function scan using --code-scan flag
docker run --rm -v <function_folder_path>:/opt/aquasec/<function_folder_name> \
-e SCALOCK_LOG_LEVEL=DEBUG registry.aquasec.com/scanner:2022.4 scan \
--dockerless -H http://your_host.com \
--user <insert_your_aqua_user> --password <insert_your_password> \
--text --code-scan /opt/aquasec/<function_folder_name>
Note: When using the --code-scan flag, the results are only printed to the output of the Scanner CLI command. They do not appear in the CI/CD tab of the Aqua UI.
If you need to view the results of this type of scan in the Aqua UI (Images > CI/CD scans), use the --fs-scan flag instead, followed by the path of the folder or file containing the serverless code. With --fs-scan, Aqua treats the code as a file-system scan (as it would a container image) rather than as a serverless function, but the results are then available under Images > CI/CD scans.
File system scan using --fs-scan flag
docker run --rm -v <function_folder_path>:/opt/aquasec/<function_folder_name> \
-e SCALOCK_LOG_LEVEL=DEBUG registry.aquasec.com/scanner:2022.4 scan \
--dockerless -H http://your_host.com \
--user <insert_your_aqua_user> --password <insert_your_password> \
--fs-scan /opt/aquasec/<function_folder_name>
As with --code-scan, the path passed to --fs-scan is the path inside the scanner container (the mount target), not the host path; passing the host path would make the scanner look for a folder that does not exist inside the container.
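The following CI wrapper script is an added example for this article; it is not Aqua's own tooling. It builds the two docker commands shown above (--code-scan for CLI-only results, --fs-scan for results that also reach Images > CI/CD scans), keeps the password out of the logged command line, and scans several function folders in one pipeline stage instead of stopping at the first failure. It assumes, which the article does not state, that the CI job exports AQUA_HOST, AQUA_USER and AQUA_PASSWORD from its secret store, that the scanner image is the 2022.4 tag used above, and that folder paths contain no spaces. The script name and the folder names are hypothetical.

```sh
#!/bin/sh
# aqua-scan.sh (hypothetical name): CI wrapper around the Aqua Scanner container.
# Added example, not Aqua's own script. Assumes the CI job exports AQUA_HOST,
# AQUA_USER and AQUA_PASSWORD from its secret store and that folder paths
# contain no spaces (assumptions, not stated in the article).
set -eu

SCANNER_IMAGE="${SCANNER_IMAGE:-registry.aquasec.com/scanner:2022.4}"  # tag used in the article
SCANNER_WORKDIR="/opt/aquasec"                                         # mount base used in the article

# container_path <host_path>: where the folder is visible inside the scanner
# container. Both --code-scan and --fs-scan must receive this path, not the host path.
container_path() {
    printf '%s/%s\n' "$SCANNER_WORKDIR" "$(basename "$1")"
}

# scan_flags <mode> <host_path>: the scan-type arguments for one function.
#   code -> --code-scan (results only in the CLI output)
#   fs   -> --fs-scan   (results also appear under Images > CI/CD scans)
scan_flags() {
    mount="$(container_path "$2")"
    case "$1" in
        code) printf '%s\n' "--text --code-scan $mount" ;;
        fs)   printf '%s\n' "--fs-scan $mount" ;;
        *)    echo "scan_flags: unknown mode '$1' (use code|fs)" >&2; return 2 ;;
    esac
}

# docker_prefix <host_path>: the part of the command that carries no secret, so
# it is safe to echo into the build log.
docker_prefix() {
    printf 'docker run --rm -v %s:%s %s scan --dockerless -H %s --user %s\n' \
        "$1" "$(container_path "$1")" "$SCANNER_IMAGE" "$AQUA_HOST" "$AQUA_USER"
}

# run_scan <mode> <host_path>: run one scan. The password goes only on the real
# command line, never into the logged line. The scanner's exit status is
# returned, so a failed scan fails the CI stage.
run_scan() {
    : "${AQUA_HOST:?AQUA_HOST must be set}" "${AQUA_USER:?AQUA_USER must be set}" \
      "${AQUA_PASSWORD:?AQUA_PASSWORD must be set}"
    prefix="$(docker_prefix "$2")"
    flags="$(scan_flags "$1" "$2")"
    echo "+ $prefix --password ***** $flags" >&2
    # Word splitting of $prefix and $flags is intentional: they are argument lists.
    $prefix --password "$AQUA_PASSWORD" $flags
}

# scan_all <mode> <dir>...: scan every function folder and report all failures
# instead of stopping at the first one. Returns non-zero if any scan failed.
scan_all() {
    mode="$1"; shift
    failed=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skipping '$dir': not a directory" >&2
            failed=$((failed + 1))
            continue
        fi
        run_scan "$mode" "$dir" || failed=$((failed + 1))
    done
    echo "$failed function folder(s) failed to scan" >&2
    [ "$failed" -eq 0 ]
}

# Usage from a pipeline step:  sh aqua-scan.sh code ./functions/*   (or: fs ./functions/*)
if [ "$#" -gt 0 ]; then
    scan_all "$@"
fi
```

The logged line masks the password because most CI systems keep build logs far longer than they keep secrets; the real command still receives the password as an argument, as in the article's examples, so restrict who can read process listings on the runner. Choose "code" for fast feedback in the pipeline output and "fs" when the team needs the findings in the Aqua console.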
CI/CD Plugins for Serverless Function Scanning
Jenkins Plugin for Serverless Function Scanning
You can use the Aqua Security Serverless Scanner plugin for Jenkins to scan serverless functions in the build pipeline for vulnerabilities, sensitive data, and excessive permissions.
This plugin is installed in Jenkins. Once installed, you provide details for scanning one or more functions in the build process. You can view the scanning results in Jenkins, and use these as the basis for actions to remediate the problems found.
Azure DevOps Extension for Serverless Function Scanning
The Azure DevOps Extension provides an easy way for Aqua Enterprise to scan serverless functions in Azure DevOps projects for vulnerabilities, sensitive data, and excessive permissions.
The Aqua Security extensions are installed in Azure DevOps. Once installed, you can add a build step to scan the serverless function.
This topic describes how to install and configure the extensions for Azure DevOps, and then how to use them to scan functions during the build process and view the results.
Tips and Tricks
The number of vulnerabilities found when scanning only the serverless code can differ from the number found when scanning the function already deployed in your cloud environment. A scan of the code alone covers only the scripts and libraries in the folder, which carry their own vulnerabilities. A scan of the deployed function additionally covers the function that was created to run that code, so it may report more findings.
When the Aqua Scanner scans serverless code directly from a folder or file, it scans only the scripts (code, libraries and other files), not the function that will exist after the code is deployed. The scan therefore cannot be correlated with an existing function or function name, and the result is not shown in the Aqua UI; it is only available in your pipeline or shell output. This limitation does not apply when you integrate your Azure environment with Aqua and scan a function directly from the Aqua UI, as shown in the image below.
In conclusion, the Aqua platform integrates natively with the cloud environments where serverless applications are deployed and can scan the deployed functions for vulnerabilities. To scan the code before deployment, use the Aqua Scanner (container or CLI) either directly from a Linux shell or in a CI/CD pipeline; plugins for Jenkins and Azure DevOps are also available to scan serverless functions for vulnerabilities, sensitive data, and excessive permissions. Note that the number of vulnerabilities may differ depending on whether the serverless code or the deployed function is scanned, and that when scanning directly from a folder or file with --code-scan, the results are only visible in the pipeline or shell output, not in the Aqua GUI (use --fs-scan if the results must appear there).