The June 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on June 25.


TABLE OF CONTENTS


Aqua Platform


REST API documentation improvements


The REST API documentation for Aqua Platform SaaS Edition is now located in a dedicated section of this portal. You can access it by clicking the new API Reference tile on the landing page of this portal, or going directly to Getting Started with Aqua Platform APIs.


These topics have been completely rewritten:

Overview and detailed endpoint usage information is found in the Workload Protection API section.


Azure organizational onboarding


Azure Auto-Discovery now supports onboarding all accounts (subscriptions) in an Azure management group.


Auto-discovery for GCP


GCP (Google Cloud Platform) Auto-Discovery now supports image registries, serverless functions, and CSPM resources.


Enhancements to the Aqua Hub Inventory page

  • The Security Graph widget has been added to the resource overview page. It offers a visual representation of the resource details, its supply chain details (for the container and container image resources only), and all security issues detected in the resource.
  • For the resources related to containers and container images, details of the supply chain (if available) which built the resources are displayed in the following pages:
    • Resource Overview: Links to the code repository, release artifact, SBOM, and build, commit details
    • Security Graph: A Link to the code repository and last commit developer details
  • In the resource list view, the Source column has been added to show the registry provider, account details for the container images, containers and cloud provider, and account details for all other resources.
  • In the VM resource overview page, the VM hosting containers field has been added to show the presence (Yes, No, or Not Analyzed) of any running containers in the VM. You can also filter VMs having running containers using the VM Hosting Containers filter in the "Other" category.
  • In the container and VM resource overview and full details pages, the top three incidents of the highest severity reported in the resource are displayed. On clicking any incident in this page, the incident detailed view is displayed.
  • In the filters menu on the left pane, a new filter Incidents has been added to the "Risk" category to filter resources in which incidents are detected.


Enhancement to the Aqua Hub Dashboard page


In the Dashboard page > VMs widget, the count of hosting containers is displayed.


Supply Chain Security


Edit code repository and artifact registry integrations


In the Integrations page, you can now change authentication details of the following integrations:

  • Code repositories
    • Bitbucket: username and app password
    • GitLab: access token
  • Artifact registry:
    • JFrog: access token


Rescan the selected code repositories


In the Code Repositories page, you can now select one or more code repositories and scan them again. This option should be used only for the code repositories added through the Source Code Management method.


Workload Protection


Lightning Mode: custom policies and runtime threat prevention (early availability)


Custom policies for Lightning Mode are not yet generally available. Please contact Aqua Security if you are interested in early availability.


Lightning Runtime Protection Mode is the default for new deployments of Aqua SaaS Edition. This mode now allows you to add custom policies to both detect and prevent (enforce, not only audit) runtime threats. See Lightning Mode: Custom Runtime Policies


You can define custom policies to add runtime protection to the previously-supported default policies, which remain available for use out-of-the-box with zero configuration. As before, the default policies have been optimized to detect several forms of advanced runtime security threats to your cloud-native workloads (containers, VM workloads, and Kubernetes clusters).


The alternative to Lightning Mode is Classic Mode (renamed from "Custom Mode").


Moreover, the documentation pertaining to both Runtime Protection Modes has been improved and reorganized from the top down. See Runtime Protection: Lightning and Classic Modes.


Improved Custom Vulnerability V2 API endpoints


The following endpoints have been enhanced to provide a capability for vulnerability assessment based on OS:


Also, two new v2 Custom Vulnerability API endpoints /custom_vulnerabilities/CVE ID and /custom_vulnerabilities (GET method) have been introduced to fetch a particular CVE and all CVEs which are set with custom severity, respectively.


Vulnerability Score control supports range


The Vulnerability Score control of Image Assurance Policies allows the configuration of a range instead of a single value. The control will check if images have any vulnerabilities whose score is within the configured range.


File Integrity Management (FIM) control change


The File Integrity Management (FIM) control of Host Runtime Policies no longer monitors read operations on files or directories. Read operations create a large number of events that consume a lot of resources, but are useless in most cases. The FIM control remains compliant with PCI DSS Requirement 11.5, which requires alerting unauthorized changes to (but not reads of) critical system files, configuration files, and content files.


DTA support for local images in the Podman container


Users can perform Aqua Dynamic Threat Analysis (DTA) scanning of local images which are built by the Podman container runtime engine (Docker container runtime engine is already supported) in CI/CD pipelines. This works only when the Aqua Server is enabled with the Classic scanner (not with Trivy Premium).


Scan images with Aqua Scanner as rootless Podman container


It is possible to scan images with Aqua Scanner as rootless Podman container using the Scanner Command Line Interface (CLI) commands. This works only when the Aqua Server is enabled with the Classic scanner (not with Trivy Premium).


Support of Azure DevOps extension for the Podman container engine


The Azure DevOps Extension for Image Scanning supports scanning images using the Podman container engine. This works only when the Aqua Server is enabled with Classic scanner (not with Trivy Premium).


Passing secrets to Aqua Enforcer via environment variable


RFEs SLK-28699 and SLK-28806: You can use the environment variable AQUA_SECRETS_PARAM_FILE_PATH to pass secrets to the Aqua Enforcer. Refer to Passing secrets to the Enforcer.


Aqua MicroScanner deprecation


The Aqua MicroScanner is no longer supported, and is no longer referenced in the product documentation. This also holds true for the previously-documented OpenShift S2I (Source to Image) Integration procedure, which used the MicroScanner.


"Fetch Audit Events" and "Fetch Audit Events with Additional Data" endpoints


The response parameter result was incorrectly documented as a string. The documentation for Fetch Audit Events and Fetch Audit Events with Additional Data now shows this parameter as an integer.