Product Update: Host Image Management Changes (Deprecation & Enhancement)
This article details the upcoming changes to how host images are managed in the Aqua platform. These changes are designed to simplify the experience and align host image visibility with your active workloads.
Please review the details below to determine whether any action is needed in your environment.
Change 1: Removal of Host Images Without Running Containers
Target: End of October (SaaS Update 16 / On-Prem 2022.4 Update 48)
Aqua will no longer detect or display host images that are not associated with a running container. Going forward, only images actively in use by running containers will be discovered and managed.
The following UI pages will be removed:
• Workload Protection → Images → Host Images
• Workload Protection → VMs → Images
Why: Host images not associated with running containers provide limited security value while contributing to additional data storage and management overhead. Focusing on active workloads improves the relevance of what you see in the platform.
What to check: If you have operational processes, reporting, or automation that depend on the Host Images views listed above, please plan to transition these to use the running container image views instead.
Change 2: Registry-Based Host Image Scanning (New Default)
Target: End of August (SaaS Update 15 / On-Prem 2022.4 Update 47)
The default host image scanning workflow will change to prioritize registry-based scanning over enforcer-based scanning. This provides a more consistent scanning experience, including support for the Layers view and Rego custom compliance policies for host images.
How it works:
• Default behavior: Host images will be scanned through the registry scan flow whenever possible. If the image cannot be scanned through an integrated registry, Aqua will automatically fall back to enforcer-based scanning.
• Optional “registry only” mode: You can choose to scan via registry scan flow only. In this mode, images from registries not integrated with Aqua will be detected but not scanned, and enforcer-based scanning will not be used as a fallback.
For most customers using the default configuration, this change will be seamless — Aqua handles the transition automatically with enforcer fallback in place.
Recommended steps:
• Ensure all container registries used in your environment are integrated with Aqua.
• Use the default scanning mode unless registry-only scanning is specifically required.
• If you enable “Automatically register running containers” after this change, restart enforcers to detect existing running containers immediately.
If you have any questions about how these changes affect your environment, or would like help reviewing your configuration, please don’t hesitate to ask your account representative or Aqua Support (support@aquasec.com).
Did you find it helpful? Yes No
Send feedback