The September 2023 SaaS Update Release includes the following changes with respect to the previous SaaS product release. Unless otherwise stated, all updates were made available on September 18.


Aqua Platform

Auto-Discovery (documentation)

The What Is Auto-Discovery? documentation page has been updated and improved for completeness and clarity.

Workload Protection

Lightning Mode: custom Runtime Policies

Custom Runtime Policies for Lightning Mode, previously announced for early availability, are now generally available.


Default Lightning Mode Runtime Policies: enhancement

The Default VM Workload Protection policy now supports the "Detect fileless execution" and "Detect reverse shells" controls. Refer to the Default Runtime Policies documentation for Lightning Mode.

Switch from Classic to Lightning Mode

It is possible to switch the Aqua Platform configuration from Classic to Lightning Runtime Protection Mode. See Switch to Lightning Runtime Protection Mode.

Aqua Enforcer and scanner for TAS

Aqua Platform SaaS Edition supports deployment of Aqua Enforcers and Aqua scanners in VMware Tanzu Application Service (TAS) environments.

/images API enhancement: register images identified in JSON file

The v2 API /images endpoint can now register images that are identified in a JSON file that you provide. The file can contain up to 1,000 records, each specifying an image registry and image name. Aqua will register and scan all new images specified, and rescan all images that have already been registered.


EPSS (Exploit Prediction Scoring System) metrics on Vulnerabilities detail screen

EPSS metrics are displayed on the Vulnerabilities detail screen, allowing users to prioritize and manage vulnerabilities based on their predicted exploitability. For each CVE, you will find the following metrics:


  • EPSS: Indicates the probability score as a percentage, along with its corresponding percentile. For example, 25.7% (47th percentile) indicates a 25.7% probability, ranking it within the 47th percentile.
  • EPSS Date: The date of the EPSS assessment.


Note that EPSS metrics are exclusively available for vulnerabilities detected with the Trivy Premium scanner.


Export SBOM (Software Bill of Materials) resources

The Aqua platform provides the capability to export SBOM containing resources and licenses for the following sources:


  • Images: from Images > Resources tab
  • VMs: from Workloads > VMs > Resources> tab
  • Containers: from Workloads > Containers > Resources tab
  • Serverless Functions: from Functions > Resources tab


The exported SBOM is available in JSON format, and you have the option to obtain it in both CycloneDX and SPDX formats.

New v2 API endpoint

The new endpoint /api/v2/sbom/export generates a Software Bill of Materials (SBOM) file for various Aqua artifacts, including registry images, host images, ad-hoc scans, VMs, serverless functions, and workloads.

Scanning functions deployed from container images

When the Trivy Premium Scanner is selected, Aqua supports scanning AWS and Azure serverless functions deployed from container images (including the functions deployed from zip files). Scan results of these functions will be displayed on the Functions screen.


Enforcers Overview

The Enforcers Overview documentation page has been updated to compare between the functionality provided in Lightning and Classic runtime protection modes, respectively. The page contents were updated and its readability was improved.

Deploy a Scanner Daemon

The Deploy a Scanner Daemon documentation page (under Aqua Scanner) has been updated and improved.

KubeEnforcer: Known Limitations and Problems

In KubeEnforcer: Known Limitations and Problems: limitation SLK-40061 (resolved) has been removed, and the description of limitation SLK-33035 has been updated.


The AQUA_DTA_WAITING_TIMEOUT_SECONDS optional environment variable for the scanner has been documented.

Supply Chain Security

Support for scanning the "Swift" programming language

Aqua now supports scanning the "Swift" programming language and its manifest files in the code repositories, to detect risks.

Enhancement to the supply chain suppression rules

In the suppression rules, multiple controls allow entering a glob pattern for specific files and directories to selectively apply suppression.


Problems fixed


Aqua Server


Aqua ID: SLK-66887

Summary: Users are unable to log in to the Aqua UI using SSO.


Aqua ID: SLK-70503 and SLK-71024

Summary: The console pod sometimes restarts due to continuous increase in memory consumption.


Aqua ID: SLK-70837

Summary: Users cannot upgrade to the July SaaS version due to schema changes that have an impact on columns within the generated report.


Aqua Server (UI)


Aqua ID: SAAS-15677

Summary: Image Assurance Policies may sometimes fail to be implemented as expected according to the application scope and rules defined in the policy for ad-hoc scans.


Aqua ID: SAAS-17830

Summary: Users sometimes experience difficulties when trying to set up notification integrations following the deactivation of Aqua Hub.


Aqua ID: SAAS-18135

Freshdesk: 32943

Summary: Users sometimes see high CPU utilization when accessing the Audit tab of a CI/CD scanned images.


Aqua ID: SAAS-18532

Summary: Users at times see an incorrect Enforcer link within the Enforcer group on the Workload Protection > Administration > Enforcers screen.


Aqua ID: SAAS-18714

Summary: Users sometimes see an "Error 500 - Internal Server Error" when attempting to apply vShield to a CVE.


Aqua ID: SLK-67624

Summary: Users sometimes see vulnerabilities data from other images when exporting the data of a specific image.


Aqua ID: SLK-68622

Summary: The SHA value of Schema 1 images in the registry may sometimes not match with the Content/Docker ID SHA value displayed in the Aqua UI.


Aqua ID: SLK-70232

Freshdesk: 30150

Summary: Users with full permissions along with a custom Application Scope are sometimes unable to view the Sensitive Data Detection events on the Audits screen.


Aqua ID: SLK-70275

Summary: The configurations for File Integrity Monitoring (FIM) are not saved when creating a new Host Runtime Policy from the Policies > Runtime Policies screen.


Aqua ID: SLK-70773

Freshdesk: 29966

Summary: Errors are sometimes observed in the Server logs following the completion of host malware scans.


Aqua ID: SLK-71246

Freshdesk: 33677

Summary: Users sometimes see some vulnerabilities related to APK packages being incorrectly categorized as .NET vulnerabilities on the Workload Protection > Images > Vulnerabilities tab.


Aqua ID: SLK-71453

Freshdesk: 33511

Summary: Users sometimes see an inaccurate OpenSSL version on the Workload Protection > Images > Resources screen.


Aqua ID: SLK-71629

Summary: In Lightning Mode, the Block Reverse Shell option sometimes does not appear on the Lighting Default Policies screen.


Aqua ID: SLK-71646

Freshdesk: 31516

Summary: Duplicate entries are sometimes being registered when a Webhook integration is broken on the Audit screen.


Aqua ID: SLK-72255

Freshdesk: 32726

Summary: Users sometimes see an "Error Message in Scanner Container Log: Scanner with same logical name already exists" when setting up a scanner.




Aqua ID: SAAS-17989

Freshdesk: 33152

Summary: Aqua sometimes crashes when integrating with Serverless Applications using the Google Cloud Functions compute provider.


Aqua ID: SLK-68614 and SLK-71169

Summary: ACR registry integrations may sometimes not appear on the Workload Protection > Administration > Integrations > Image Registries screen.


Aqua ID: SLK-71306

Summary: Images are deleted even when the container hosting the registry is temporarily unavailable.


Aqua ID: SLK-71376

Summary: The Aqua scanner sometimes crashes when the "Automatically remove images that don't match the pull criteria" setting is enabled on the Integrations > Image Registries > Registry Configuration tab.




Aqua ID: SLK-69254

Summary: The KubeEnforcer certificate sometimes reference the default namespace in the Common Name (CN) details.




Aqua ID: SAAS-16260

Summary: Users sometimes see conflicting values for "num_running_workloads" and "has_running_workloads" when an image is running as a container while using the "/api/v2/images/registry/repository/image/tag/vulnerabilities" endpoint.


Aqua ID: SLK-70569

Freshdesk: 33248

Summary: Users sometimes see "504 Gateway Timeout" error is sometimes seen when using the “/api/v1/hosts†endpoint.




Aqua ID: SLK-63154

Freshdesk: 27688

Summary: The image results are sometimes inconsistent, depending on whether the image was scanned via CI/CD pipeline or by the Classic scanner.


Aqua ID: SLK-67438

Summary: Users sometimes see "502 Bad Gateway" error when performing scans using the Trivy Premium scanner.


Aqua ID: SLK-67510

Freshdesk: 30935

Summary: When an image is scanned with the Trivy Premium scanner, the information displayed in the Vulnerabilities and Resources tabs appears inaccurate for specific scanned images.


Aqua ID: SLK-68137

Summary: Users sometimes not able to see the remediation for CVE-2023-0464 vulnerability when using the Classic scanner.


Aqua ID: SLK-70082

Summary: Specific scanned images are showing an inappropriate reporting of CVE-2020-5260.


Aqua ID: SLK-70987

Freshdesk: 33566

Summary: "Twirp syntax" errors are sometimes seen when using the Trivy Premium scanner.


Aqua ID: SLK-71485

Summary: The error message is generic in both cases when Artifactory is unavailable and when the image does not exist in Artifactory during image scanning.


Aqua ID: SLK-71644

Freshdesk: 32309

Summary: Warning messages are seen in the Suppress Docker logs when using a container engine other than Docker.


Aqua ID: SLK-72041

Freshdesk: 33566

Summary: "Twirp syntax" errors are sometimes seen when images are scanned.

Aqua scanner product images

To obtain the Aqua scanner product images:

  1. Login to the Aqua Registry with this command; replace <AQUA_USERNAME> and <AQUA_PASSWORD> with the SSO credentials you have received from Aqua Security.
    docker login -u <AQUA_USERNAME> -p <AQUA_PASSWORD>
  2. Once you have logged in, you can pull the Linux scanner image.
  3. You can download the scanner (Windows) and scanner-cli binary by using your Aqua username and password at

ComponentImage name / download link
scanner (Linux: AMD64)
scanner (Windows)AquaScannerWindowsInstaller.2309.4.7.msi
scanner-cli binaryscannercli