The January 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on January 15.



Supply Chain Security

Two new UI pages: Dependencies and Risks

  • Dependencies: displays the packages used in your application code in all code repositories, including their details and a detailed analysis of the packages for the presence of security issues
  • Risks: displays the security risks (vulnerabilities, IaC misconfigurations, and sensitive data) detected in all code repositories added to Aqua


SAST checks

Aqua now performs Static Application Security Testing (SAST) checks of your application code and displays the security issues detected. For more information, refer to Code Repository Scan Detailed View > SAST tab.


Enhancements to Assurance Policies

  • You can configure an Assurance Policy to fail pull requests or builds if they are not compliant with the policy.
  • The following controls have been added to Assurance Policies:
      • Dependency Name
      • Pipeline Misconfiguration Severity
      • Specific Pipeline Misconfiguration Check
      • Specific Sensitive Data Check
      • Specific Vulnerability

For detailed information, refer to Assurance Policies.


Enhancements to the Suppression Rules page

  • The experience of creating a suppression rule has been enhanced.
  • The Suppression Rules list view page has been enhanced.

For detailed information, refer to Create Suppression Rules.


Workload Protection

Lightning (formerly Express) Runtime Protection Mode; Sizing Guide updates and enhancements

(available February 8)


Express Runtime Protection Mode has been renamed Lightning Runtime Protection Mode. See Runtime Protection Modes: Lightning and Custom for further information.


The Sizing Guide includes updated recommendations for the Aqua Enforcer, for both Lightning Mode and Custom Mode. Sizing recommendations for the Aqua KubeEnforcer and Starboard operator have also been updated (and the memory allocation recommendations, erroneously overstated by a factor of ten, have been corrected).


The sizing recommendations for Aqua Enforcer, KubeEnforcer, and Starboard operator configurations are now easier to use; they can be located by either machine configuration or workload specification.


"Exclude application scope(s)" specification for Runtime Policies and services

When you define a Container, Function, or Host Runtime Policy or an Aqua service and select the Global application scope, you can also select one or more application scopes to exclude from the policy or service. (RFE-37520)


Cleanup of incidents

You can configure Settings > Cleanup to remove incidents from the UI and database by setting the retention period in days. (This setting, which previously existed for audit events, has been extended to support incidents.)


Setting to enable/disable container engine audit event logging

(This feature has been withdrawn, pending further evaluation)


Workload Protection and Image Scanning

New v2 API endpoints

The following endpoints are available to add all images from the repository or tag structure to the scan queue:

Integrations

(available February 14)


The integration procedures for Amazon Elastic Container Registry (ECR) and VMware Tanzu Application Service Blobstore image registries have been updated. For more information, refer to Registry-Specific Configurations.


Debug options for the MicroEnforcer and Pod Enforcer


Refer to the documentation of the AQUA_DEBUG_LEVEL and AQUA_DEBUG_TYPE environment variables for the MicroEnforcer and Pod Enforcer.