The March 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on March 19.



Aqua Platform


Aqua Hub Inventory Resource Overview displays Top Insights and Top Incidents


In the Aqua Hub Inventory page, clicking any resource displays the top three insights and incidents of the highest severity reported for that resource in the Resource Overview pane. Clicking any insight or incident in this pane opens its detailed view.


Supply Chain Security


Issues tab in the Dependency detailed view


In the Dependencies page, each Dependency detailed view includes the new Issues tab, which shows the list of all security issues detected in the current package.


Workload Protection


Security enhancement to names of image registries created automatically by KubeEnforcer


  • When the "Add discovered registries" setting is enabled in the KubeEnforcer group settings, the KubeEnforcer will add previously unknown image registries from the cluster to Aqua with the name registryurl_username to prevent exposing Kubernetes namespace and secret names. (Previously, registries were added with the name namespace_secretname.)
  • However, if you set the optional KubeEnforcer environment variable AQUA_REG_INTEGRATION_WITH_SECRET_NAME to true, the KubeEnforcer will add the image registries with the name namespace_secretname as it did before this enhancement was made.


Enhancement to Kubernetes Assurance Policies


When setting additional scope criteria for Kubernetes Assurance Policies, the following Kubernetes attributes are available for selection: Clusterrole, Clusterrolebinding, and Resourcename.


Setting to enable/disable container engine audit event logging


In the Settings > Enforcer page: 


  • The "Audit Enforcer Connection and Disconnection" section has been renamed "Enforcer Audit Event Settings".
  • A new checkbox, "Log container engine lifecycle events (e.g., container start/stop)", has been added to this section. This checkbox allows you to enable or disable auto-reporting of the container engine's lifecycle audit logs. By default, this checkbox is disabled.


Additional support of OS vendors in Aqua Trivy Premium Scanner


Aqua Trivy Premium now also supports the following Operating System (OS) vendors:

  • Alma Linux
  • Oracle Linux
  • Rocky Linux


Common Weakness Enumeration (CWE) information in Vulnerability details screen


In the Vulnerability detail screen for the selected image, you can view details of the CWE ID for a particular CVE. Each CVE can have multiple CWEs mapped. CWE details are added for the images scanned by either the Classic or the Trivy Premium scanner.


Support of token-based authentication in Azure DevOps plugin


The Aqua Azure DevOps plugin for image scanning can now also use token-based authentication (in addition to username/password authentication) in the "Service Connection" settings of a DevOps project.


Pod Enforcer and Aqua Enforcer can coexist in EKS clusters


In an EKS cluster, even when an Aqua Enforcer has already been deployed on any EC2 node, it is possible to inject a Pod Enforcer into any Fargate node.