TABLE OF CONTENTS
- Workload Protection
- Lightning Mode: custom Runtime Policies
- Default Lightning Mode Runtime Policies: enhancements
- Scanning functions deployed from container images
- Aqua Enforcer and scanner for TAS
- Deployments (documentation)
- Advanced Malware Protection (documentation)
- Aqua Platform Environment and Components (documentation)
- KubeEnforcer scanning of tainted nodes
- Supply Chain Security
Lightning Mode: custom Runtime Policies
Custom Runtime Policies for Lightning Mode are now generally available.
Default Lightning Mode Runtime Policies: enhancements
Refer to the Default Runtime Policies documentation for Lightning Mode:
- The Default VM Workload Protection policy now supports the "Detect fileless execution" and "Detect reverse shells" controls.
- In the "Real-time malware protection" control of the Default Container and VM Workload Protection policies, Alert is now the default setting (for new deployments). This setting is less intrusive than Block, which was the previous default.
Scanning functions deployed from container images
When Trivy Premium Scanner is selected, Aqua supports scanning AWS and Azure serverless functions deployed from container images (including the functions deployed from zip files). Scan results of these functions will be displayed in the Functions screen.
Aqua Enforcer and scanner for TAS
The deployment instructions on these documentation pages have been updated:
Advanced Malware Protection (documentation)
The Advanced Malware Protection documentation page has been reorganized for clarity.
Aqua Platform Environment and Components (documentation)
The Aqua Platform Environment and Components documentation page has been updated.
KubeEnforcer scanning of tainted nodes
RFE SLK-52604: For the deployment of Aqua KubeEnforcers, a new optional environment variable AQUA_KB_SCAN_TAINTED_NODES can be used to enable kube-bench to scan tainted nodes (default setting is true) by setting the correct toleration to the kube-bench pod.
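To make the mechanism concrete, here is an added example (not from the Aqua documentation or the product's own manifests) of where the environment variable would be set and what a toleration on the kube-bench pod looks like. Assumptions: the KubeEnforcer runs as a Deployment and container named aqua-kube-enforcer, the kube-bench pod name is kube-bench, and the taint dedicated=gpu:NoSchedule is constructed for illustration; the exact toleration the product generates is not stated on the page.

```yaml
# Added example; names and the taint below are assumptions, not values from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-kube-enforcer
spec:
  template:
    spec:
      containers:
        - name: aqua-kube-enforcer
          env:
            # Page-documented variable; "true" is the default. Set "false" to leave
            # tainted nodes out of the kube-bench scan.
            - name: AQUA_KB_SCAN_TAINTED_NODES
              value: "true"
---
# Shape of the toleration a kube-bench pod needs to be scheduled onto a node tainted
# with (constructed): kubectl taint nodes <node> dedicated=gpu:NoSchedule
apiVersion: v1
kind: Pod
metadata:
  name: kube-bench
spec:
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "gpu"
      effect: "NoSchedule"
  containers:
    - name: kube-bench
      image: KUBE_BENCH_IMAGE_PLACEHOLDER  # placeholder, not a real image reference
```

Without a matching toleration the scheduler skips the tainted node, so that node's CIS benchmark results are simply missing; with the variable left at its default the KubeEnforcer adds the toleration for you, and the check worth doing after deployment is that the node count in the kube-bench results equals the node count in the cluster.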
Supply Chain Security
Enhancement to the scope definition of suppression rules and Assurance Policies
When defining the scope in a suppression rule or an Assurance Policy, you can add a glob pattern for the branch property. This pattern is used to selectively apply the suppression rule or Assurance Policy to the code repositories discovered in the branches matching the specified pattern.
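A scope check is useful before relying on a branch pattern, because a glob can select more branches than intended. The following is an added example, not Aqua's own code; it assumes fnmatch-style glob semantics (the page does not state which glob dialect the product uses) and uses a constructed list of branch names.

```python
from fnmatch import fnmatchcase

# Constructed sample of branch names as a repository discovery might return them.
SAMPLE_BRANCHES = [
    "main",
    "develop",
    "release/1.2",
    "release/2.0",
    "feature/login",
    "feature/api/v2",
    "hotfix/2024-01",
]


def branches_in_scope(pattern, branches):
    """Return the branches that `pattern` selects.

    Assumption: fnmatch semantics, where '*' also matches '/', so a pattern like
    'feature/*' reaches nested branches such as 'feature/api/v2' as well.
    """
    return [b for b in branches if fnmatchcase(b, pattern)]


def scope_report(patterns, branches=SAMPLE_BRANCHES):
    """Map each candidate pattern to the branches it would bring into scope."""
    return {p: branches_in_scope(p, branches) for p in patterns}


if __name__ == "__main__":
    for pattern, matched in scope_report(["release/*", "feature/*", "main"]).items():
        print(f"{pattern!r:14} -> {matched}")
```

Run it with the patterns you intend to put in the rule: a suppression scoped to `feature/*` that silently also covers `feature/api/v2` is the kind of over-broad scope this makes visible before the rule is saved.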
Enhancement to the manual suppression of security issues
When suppressing a particular security issue manually, a new checkbox Apply only for this finding instance is available now; on enabling this, you can configure the suppression rule to apply to the issue detected in the specific code repository, file, and line number. This option is available when you suppress the security issues from the Code Repositories, Risks, and Build Pipelines screens.