Articles

Integrate Aqua into a DevSecOps Workflow (2026)

April 16, 2026 3 min read

Aqua Security, a platform for cloud-native security, can be integrated into a DevSecOps workflow to automate security checks and policies throughout the software development lifecycle.

Let’s see Aqua in action. Imagine a developer pushes a new Docker image to a registry. Aqua scans this image for vulnerabilities and compliance violations. If it finds critical issues, it can automatically fail the build or deployment pipeline, preventing insecure code from reaching production.

Here’s a typical scenario:

  1. Code Commit: A developer commits code to a Git repository.
  2. CI Trigger: A CI/CD pipeline (e.g., Jenkins, GitLab CI, GitHub Actions) is triggered.
  3. Image Build: The pipeline builds a Docker image from the code.
  4. Aqua Scan (CI Stage): Aqua Security is invoked within the CI pipeline to scan the newly built image. This is often done using the Aqua CLI (aqualet) or a direct API call.
    • Command Example:
      aqualet scan --image my-registry/my-app:latest --output-file scan-results.json
    • Why it works: aqualet locally scans the image layers against Aqua’s vulnerability database and compliance checks. The results are immediately available for the pipeline to act upon.
  5. Policy Enforcement: The CI pipeline checks the scan-results.json file. If Aqua’s policy (e.g., "no critical vulnerabilities," "CIS Docker Benchmark compliance") is violated, the pipeline stops.
    • Example Check:
      import json
with open('scan-results.json', 'r') as f:
    results = json.load(f)
if any(vuln['severity'] == 'Critical' for vuln in results.get('vulnerabilities', [])):
    print("Critical vulnerabilities found. Failing build.")
    exit(1)
    • Why it works: This script programmatically interprets the scan results, enforcing predefined security gates.
  6. Image Push (if secure): If the scan passes, the image is pushed to a container registry.
  7. Aqua Scan (Registry Stage): Aqua Security also continuously scans images already in the registry. This provides an additional layer of security, catching any vulnerabilities introduced post-build or that were missed.
    • Configuration: This is typically configured in the Aqua console by setting up registry integrations. Aqua then pulls images for scanning.
    • Why it works: Aqua’s cloud-based scanner has access to a constantly updated vulnerability database and can monitor the registry for new or changed images.
  8. Runtime Protection: Aqua can then enforce runtime security policies on deployed containers, such as network segmentation, file integrity monitoring, and preventing execution of disallowed binaries.
    • Configuration: Policies are defined in the Aqua console and applied to specific workloads or namespaces.
    • Why it works: Aqua’s runtime agent (often deployed as a DaemonSet in Kubernetes) monitors and enforces these policies at the container level.

The core problem Aqua solves is the gap between development speed and security assurance. Traditional security checks are often manual, slow, and performed too late in the lifecycle. By integrating Aqua into the CI/CD pipeline, security becomes an automated, continuous part of the development process, shifting security "left."

The system works by maintaining a comprehensive, frequently updated database of known vulnerabilities (CVEs) and compliance benchmarks. When an image is scanned, Aqua compares the software packages and configurations within that image against its database. It also uses static analysis to identify misconfigurations or insecure practices. For runtime, it leverages kernel-level instrumentation (often via eBPF in Linux) to monitor process activity, network traffic, and file system changes, comparing them against defined security policies.

A particularly powerful, yet often overlooked, aspect of Aqua’s integration is its ability to perform drift detection and enforce immutability at runtime. Beyond just scanning images for known vulnerabilities, Aqua can monitor running containers and alert or block any unexpected changes – such as new processes being spawned, files being modified, or network connections being established that were not part of the original image’s expected behavior. This is crucial for preventing runtime attacks that exploit zero-day vulnerabilities or modify compromised containers.

The next step in a DevSecOps journey after integrating image scanning and runtime protection is often exploring Aqua’s capabilities for Infrastructure as Code (IaC) scanning, which allows you to secure your Kubernetes manifests or Terraform configurations before they are deployed.

Want structured learning?

Take the full Aqua course →