The August 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on August 21.


Workload Protection

Lightning Mode: custom Runtime Policies

Custom Runtime Policies for Lightning Mode are now generally available.

Default Lightning Mode Runtime Policies: enhancements

Refer to the Default Runtime Policies documentation for Lightning Mode:

  • The Default VM Workload Protection policy now supports the "Detect fileless execution" and "Detect reverse shells" controls.
  • In the "Real-time malware protection" control of the Default Container and VM Workload Protection policies, Alert is now the default setting (for new deployments). This setting is less intrusive than Block, which was the previous default.

Scanning functions deployed from container images

When Trivy Premium Scanner is selected, Aqua supports scanning AWS and Azure serverless functions deployed from container images (including the functions deployed from zip files). Scan results of these functions will be displayed in the Functions screen.

Aqua Enforcer and scanner for TAS

Aqua Platform SaaS Edition supports deployment of Aqua Enforcers and Aqua scanners in VMware Tanzu Application Service (TAS) environments.

Deployments (documentation)

The deployment instructions on these documentation pages have been updated:

Advanced Malware Protection (documentation)

The Advanced Malware Protection documentation page has been reorganized for clarity.

Aqua Platform Environment and Components (documentation)

The Aqua Platform Environment and Components documentation page has been updated.

KubeEnforcer scanning of tainted notes

RFE SLK-52604: For the deployment of Aqua KubeEnforcers, a new optional environment variable AQUA_KB_SCAN_TAINTED_NODES can be used to enable kube-bench to scan tainted nodes (default setting is true) by setting the correct toleration to the kube-bench pod.

Supply Chain Security

Enhancement to the scope definition of suppression rules and Assurance Policies

When defining the scope in a suppression rule or an Assurance Policy, you can add glob pattern for the branch property. This pattern is used to selectively apply the suppression rule or Assurance Policy on the code repositories discovered in the branches matching the specified pattern.

Enhancement to the manual suppression of security findings

When suppressing a particular security finding manually, a new checkbox Apply only for this finding instance is available; on enabling this, you can configure the suppression rule to apply to the specific security finding instance that has been detected. This option is available when you suppress the security findings from the Code Repositories, Risks, and Build Pipelines screens.