This feature is not yet Generally Available. This document applies only if the Suppression of image vulnerabilities feature is enabled in your Aqua environment. To try the feature, contact Aqua Support to have it enabled.


Scan all images (in your registries) and scan them frequently

See Configure Scan Options for a discussion of the following options:

  • Scan all registered images on a regular basis
  • Automatically register modified images
  • Automatically register running containers
  • Search for vulnerabilities on the host


Create suppression rules for vulnerabilities detected in the images

You can create suppression rules that automatically suppress specific vulnerabilities as soon as image scanning detects them. The criteria and scope set in a suppression rule determine which vulnerabilities are eligible for suppression. After creating a suppression rule, you can disable or delete it so that vulnerabilities meeting its criteria and scope are no longer suppressed in the future.


Define and configure Image Assurance Policies


 VMware Tanzu Application Assurance Policies are used for Tanzu applications.

It is important to define and configure Image Assurance Policies so that images with security issues are evaluated as non-compliant. This works in conjunction with Container Runtime Policies, as discussed below.


For scanning within CI/CD pipelines, images that fail any Image Assurance Policy must report image scanning "failure" to the (third-party) CI/CD system. That system should prevent the image from being pushed to a registry (thereby ensuring it won't be deployed).


  1. Configure the Default (global) Image Assurance Policy for precautions that you want to apply to all images.
  2. Define and configure additional policies for more specific purposes, e.g., running Custom Compliance Checks on a specific set of images (defined by a special policy scope).
  3. If no actions are selected in your policies, the policies will effectively be non-existent! Set the following actions:

       • Mark failed images (or VMware Tanzu applications) as non-compliant: as described above
       • Fail the Aqua step in CI/CD: as described above
       • Create an audit message when image failed: Aqua will create an audit event in case of Image Assurance Policy violation; this is useful for performing your own audits

  4. Include the following controls related to vulnerabilities, and configure them as appropriate for your needs:

       • CVEs Blocked: will fail a policy if one or more specifically named vulnerabilities are found during scanning; you might use this if you are aware of vulnerabilities that must absolutely be blocked from appearing in containers
       • Vulnerability Severity and/or Vulnerability Score: will fail a policy if the Aqua-assigned vulnerability severity and/or score for any vulnerability exceeds the configured value. The severity and score can also assist you in addressing the images with the most significant risks first.

  5. For protection against malware:

  6. For protection against sensitive data:
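
Steps 3 and 4 above, as an added sketch that is not Aqua's code or API: a simplified model of how controls and actions combine, showing that a policy whose controls fail but which has no actions changes neither compliance nor the CI/CD result. The field names, action constants and findings are assumptions made for illustration, and each threshold is treated as the highest value still allowed.

```python
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Hypothetical names for the three actions listed in step 3.
MARK_NON_COMPLIANT, FAIL_CI_STEP, AUDIT = "mark_non_compliant", "fail_ci_step", "audit"

@dataclass
class Policy:
    name: str
    cves_blocked: set = field(default_factory=set)
    max_severity: Optional[str] = None   # highest severity still allowed
    max_score: Optional[float] = None    # highest score still allowed
    actions: set = field(default_factory=set)

def failed_controls(policy, findings):
    """Return (control, cve) for every step 4 control that a finding trips."""
    hits = []
    for f in findings:
        if f["cve"] in policy.cves_blocked:
            hits.append(("CVEs Blocked", f["cve"]))
        if (policy.max_severity is not None
                and SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[policy.max_severity]):
            hits.append(("Vulnerability Severity", f["cve"]))
        if policy.max_score is not None and f["score"] > policy.max_score:
            hits.append(("Vulnerability Score", f["cve"]))
    return hits

def evaluate(policies, findings):
    """Apply each failing policy's actions; without actions nothing changes."""
    out = {"non_compliant": False, "ci_exit_code": 0, "audit": [], "no_effect": []}
    for p in policies:
        hits = failed_controls(p, findings)
        if not hits:
            continue
        if not p.actions:
            out["no_effect"].append(p.name)  # controls tripped, but no consequence
        if MARK_NON_COMPLIANT in p.actions:
            out["non_compliant"] = True
        if FAIL_CI_STEP in p.actions:
            out["ci_exit_code"] = 1          # CI/CD system should refuse the push
        if AUDIT in p.actions:
            out["audit"].append({"policy": p.name, "failed": hits})
    return out

# Constructed scan findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [{"cve": "CVE-0000-0001", "severity": "high", "score": 8.1},
            {"cve": "CVE-0000-0002", "severity": "low", "score": 3.3}]
DEFAULT = Policy("Default", max_severity="medium",
                 actions={MARK_NON_COMPLIANT, FAIL_CI_STEP, AUDIT})
NO_ACTIONS = Policy("blocklist-no-actions", cves_blocked={"CVE-0000-0002"})
```

Evaluating `NO_ACTIONS` alone against `FINDINGS` returns a compliant image and exit code 0 even though its CVEs Blocked control matched, which is the situation step 3 warns about.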


Define and configure Container Runtime Policies

It is important to define and configure Container Runtime Policies to block non-compliant images from being deployed as containers.


In reality, you need only configure the Default (global) Container Runtime Policy as described here. The use of additional policies for blocking specific runtime behaviors is not relevant to this topic.


  1. Ensure that the Default Container Runtime Policy status is set to Enabled.
  2. Ensure that its Enforce Mode is set to Enforce.
  3. Include the following controls:
       • Block Non-compliant Images
       • Block Unregistered Images

(Other controls may be configured for additional runtime protection; this is outside the current scope.)


Define and configure Enforcer(s)

You need to deploy and properly configure one or more Enforcer(s) in order to enforce Container Runtime Policies. Aqua provides different kinds of Enforcers to enforce Container Runtime Policies, meeting different sets of requirements: Aqua Enforcers, MicroEnforcers, Pod Enforcers, and KubeEnforcers. In some cases, your needs might be best served by deploying both KubeEnforcers and Aqua Enforcers. See Enforcers Overview for complete information.