How Aqua Scans Container Images On-Demand From The AWS Marketplace
Today we announced the availability of a new offering on AWS - our on-demand, pay-per-scan security scanner for container images is now available in the AWS Marketplace. The scanner is a full-featured version of Aqua's image scanning capabilities found in the Aqua Container Security Platform, but with a licensing mechanism that enables a pay-per-scan model, allowing AWS customers to use it as needed with no commitment.
Aqua's scanner is (to borrow from Carlsberg commercials) probably the best security scanner on the market, for several reasons:
- It aggregates and correlates multiple sources of known vulnerabilities, including public sources such as NVD, but also proprietary databases and vendor advisories. The benefit it provides is not only a very comprehensive and up-to-date dataset of CVEs, but also the ability to avoid false positives of CVEs that are not relevant in a given context.
- It support multiple languages, including Java, Go, C++, Pyhton, Ruby, NodeJS, and more, as well as static binaries.
- It provides actionable advice on how to mitigate vulnerabilities that were found.
- It works on all container registries, and supports multiple CI/CD tools for scanning early in the development pipline, including Jenkins, GitHub and Microsoft VSTS among others. Virtualy any CI tool can be supported via API integration.
- It scans for configuration issues that may raise security risks, such as running the container with root privileges.
- It scans for "secrets" hard-coded into the image, such as private keys, certificates and passwords.
Getting the Aqua Scanner on The AWS Marketplace
The Aqua scanner on the AWS Marketplace can be found here. You need to be logged into your AWS account to be able to select it, then subscribe. You won't be charged until you actually scan images.
What ensues is an automated process that allows you to download and run the Aqua scanner. You can run it anywhere and use it to scan any registry (not only Amazon ECR) as well as integrate with your favorite CI tool. This is the full Aqua platform, but with a license key that only enables the image scanning functionality - as you'll see in the screenshots below, other features are disabled.
Securing The Image Pipeline
To get started, you need to define a policy - in this case we defined a default policy that will not pass images that have high severity CVEs, have blacklisted packages (which you can specify), have a CVE score higher than a given threshold, or have sensitive data embedded in the image (for example, private keys or passwords).
Once you've connected a registry (under System > Integrations) and scanned a few images, you'll see a visual summary of the issues found. It's immediately apparent that the Bitnami Nginx image has several issues:
Clicking on the image will present a summary of all risks and why this image was disallowed. As we can see, it failed on several criteria including high severity vulnerabilities and sensitive data. Note that recommended actions are listed at the bottom, suggesting a course of action to make this image more secure:
Looking at the vulnerabilities tab, we can see the list of CVEs found and their severities:
Clicking on any CVE will display additional details about the vulnerability as well as the recommended steps to rectify it - in this case updating to a newer version:
What about the sensitive data that was found inside the image? Clicking on the Sensitive Data tab reveals that there's an RSA private key embedded in the image, under the certs lib. Sometimes this is OK, for example in a testing environment, so you have the ability to acknowledge this issue and it will not be flagged as violating the policy:
Paving The Way to a More Secure Pipeline
As you can see from the super-quick walkthrough, this is a very easy-to-use scanner. While there are open-source and free scanners on the market, none are as comprehensive in language support or CVE sources, nor as flexible in setting a policy. The ability to run this anywhere (unlike a SaaS offering) will also appeal to many. While it isn't free, it is pay-per-scan, so you only pay for what you scan.
If you've been sitting on the fence with image scanning, it probably means you're running vulnerable images. This is a great way to start with no commitment - give it a whirl and tell us what you think!
If you'd like to learn more about our full offering for AWS users, visit our AWS ECS container security page.