GitLab CI/CD can integrate with Aqua Security to provide automated security scanning for your containerized applications.

Here’s how you can set it up:

First, you’ll need an Aqua Security account and API credentials for it. Your GitLab CI/CD pipeline uses these credentials to authenticate to the Aqua backend, so create a dedicated service account (or API key) that can only submit and read scans, rather than reusing a personal administrator login: if a runner is ever compromised, that limits what the leaked credential can do.

Next, in your GitLab project, navigate to Settings > CI/CD > Variables and add the following CI/CD variables. Mark AQUA_PASSWORD as Masked so its value is redacted from job logs, and mark all of them as Protected so they are only exposed to pipelines on protected branches such as main (protect the branch if it is not already):

  • AQUA_USERNAME: Your Aqua Security username.
  • AQUA_PASSWORD: Your Aqua Security password or API key.
  • AQUA_ACCOUNT: Your Aqua Security account name.
  • AQUA_HOST: The hostname of your Aqua Security backend, which the scanning job reads.

Now, you can add the Aqua Security scanning job to your .gitlab-ci.yml file. Here’s an example of a job that scans a Docker image that an earlier job in the pipeline has already built and pushed to the GitLab Container Registry:

scan_image:
  stage: test                          # runs after the build stage, so the image already exists
  image: aquasec/aqua-scanner:latest   # pin a version tag or digest once the integration works
  script:
    - aqua-scanner --uri "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" --host "$AQUA_HOST" --username "$AQUA_USERNAME" --password "$AQUA_PASSWORD" --account "$AQUA_ACCOUNT"
  only:
    - main

In this job:

  • stage: test: This places the scanning job in the test stage, which GitLab runs after the build stage, so the image built and pushed in the build stage exists before the scanner asks the registry for it. If the scan sat in the build stage next to the build job, the two would run in parallel and the scan could race the push. Adjust the stage name to match your pipeline structure.
  • image: aquasec/aqua-scanner:latest: This runs the job inside the Aqua Security scanner image. A floating latest tag means the scanner can change underneath you between pipeline runs; pin a specific version tag, or better a digest, once the integration works.
  • script: This contains the command to run the Aqua scanner.
    • aqua-scanner: The executable for the Aqua Security scanner. Check the exact flags against the documentation for the scanner version you use; they can differ between releases.
    • --uri $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA: This tells the scanner which image to scan. It uses GitLab CI/CD predefined variables for the project’s container registry path and the commit SHA, so the scan covers the exact image built in this pipeline rather than whatever a mutable tag such as latest happens to point at.
    • --host $AQUA_HOST: This specifies the hostname of your Aqua Security backend, read from the AQUA_HOST CI/CD variable (e.g., app.aqua.security).
    • --username $AQUA_USERNAME, --password $AQUA_PASSWORD, --account $AQUA_ACCOUNT: These pass the Aqua Security credentials you stored as CI/CD variables. Note that the password appears on the command line: GitLab redacts Masked variables from the job log, but anyone who can run jobs on the same runner or read its process list could still observe it, so treat the runner as part of your trust boundary.
  • only: - main: This ensures the scan job only runs for commits to the main branch. You can adjust this to run on other branches or tags as needed; in current GitLab versions, rules: (for example, if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) is the preferred replacement for only:.

Note that this job does not build or push anything itself. It assumes a job in the build stage has already built your Docker image and pushed it to the GitLab Container Registry as $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA; the scan job then passes that reference to the Aqua scanner, which connects to your Aqua Security backend, performs the scan, and reports any vulnerabilities found.

A GitLab job fails when its script exits non-zero, so whether critical vulnerabilities stop the pipeline depends on whether the scanner exits non-zero on a policy violation, which is governed by the image assurance policy configured on the Aqua side. While you tune that policy, allow_failure: true keeps the job visible without blocking merges; remove it once the baseline is clean. GitLab can also surface findings in the merge request widget if the job publishes a report in GitLab’s container scanning JSON format via artifacts:reports:container_scanning; check whether your scanner version can emit that format, or add a step that converts its output.
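As an added example that is not part of the original page or of Aqua Security’s own documentation, here is a complete .gitlab-ci.yml that pairs the scan job with the build job it depends on. The job names, the kaniko-based build step, the shared IMAGE_REF variable and the default-branch rule are assumptions; the aqua-scanner flags are the ones from the job above and should be checked against the documentation for whatever scanner version you pin:

```yaml
# Added example, not code from the original page or from Aqua Security.
# A complete pipeline: build and push the image, then scan exactly that image.
# Job names, the kaniko builder and the stage layout are assumptions; the
# scanner flags are copied from the page's job and must be checked against
# the documentation of the scanner version you pin.
stages:
  - build
  - test

variables:
  # One immutable reference shared by both jobs, so the scanner sees the
  # same bytes the build job pushed (GitLab expands predefined variables here).
  IMAGE_REF: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build_image:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # kaniko builds and pushes without a Docker daemon. GitLab injects
    # CI_REGISTRY, CI_REGISTRY_USER and CI_REGISTRY_PASSWORD for the
    # project's own registry, scoped to this job.
    - mkdir -p /kaniko/.docker
    - |
      cat > /kaniko/.docker/config.json <<EOF
      {"auths":{"$CI_REGISTRY":{"username":"$CI_REGISTRY_USER","password":"$CI_REGISTRY_PASSWORD"}}}
      EOF
    - /kaniko/executor --context "$CI_PROJECT_DIR" --dockerfile "$CI_PROJECT_DIR/Dockerfile" --destination "$IMAGE_REF"

scan_image:
  stage: test
  needs: ["build_image"]             # start as soon as the image has been pushed
  image: aquasec/aqua-scanner:latest # pin a version tag or digest in production
  variables:
    GIT_STRATEGY: none               # the scanner needs the image, not the source tree
  before_script:
    # Fail fast with a readable message when a CI/CD variable is missing
    # (for example a Protected variable on an unprotected branch), instead
    # of an opaque authentication error from the scanner.
    - ': "${AQUA_HOST:?AQUA_HOST is not set}"'
    - ': "${AQUA_USERNAME:?AQUA_USERNAME is not set}"'
    - ': "${AQUA_PASSWORD:?AQUA_PASSWORD is not set}"'
    - ': "${AQUA_ACCOUNT:?AQUA_ACCOUNT is not set}"'
  script:
    - aqua-scanner --uri "$IMAGE_REF" --host "$AQUA_HOST" --username "$AQUA_USERNAME" --password "$AQUA_PASSWORD" --account "$AQUA_ACCOUNT"
  # A non-zero scanner exit fails the job and therefore the pipeline.
  # Set allow_failure: true while tuning the assurance policy, then remove it.
  allow_failure: false
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Because build_image has no rules, it runs in every pipeline, so the needs dependency of scan_image is always satisfied, and both jobs refer to the same IMAGE_REF, so the scanner examines the image the build job pushed rather than whatever a mutable tag resolves to at scan time. The before_script checks turn a missing Protected variable into an immediate, clearly labelled failure rather than an authentication error buried in scanner output.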

The next step is to explore Aqua Security’s capabilities for scanning runtime workloads and infrastructure as code.
