The Aqua Jenkins plugin doesn’t just scan your container images; it actually prevents you from deploying vulnerable ones by integrating directly into your Jenkins build pipeline.
Let’s see it in action. Imagine a Jenkinsfile that builds a simple Node.js app, pushes it to a registry, and then, critically, scans it with Aqua.
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
// Build the Docker image
sh 'docker build -t my-node-app:latest .'
}
}
}
stage('Scan') {
steps {
script {
// Scan the image with Aqua Security
def scanResult = aquaScan(
image: 'my-node-app:latest',
registry: 'my-private-registry.io',
username: env.AQUA_USERNAME,
password: env.AQUA_PASSWORD,
// Fail the build if vulnerabilities are found above a certain threshold
failBuildOn: 'HIGH'
)
// You can also access detailed results if needed
// echo "Scan results: ${scanResult.reportUrl}"
}
}
}
stage('Deploy') {
when {
// Only deploy if the scan passed (i.e., failBuildOn condition was not met)
expression { aquaScanStatus() == 'PASSED' }
}
steps {
script {
echo "Deploying my-node-app:latest..."
// Your deployment steps here (e.g., push to Kubernetes, ECS, etc.)
}
}
}
}
}
This Jenkinsfile defines a basic build process. The Build stage creates a Docker image. The Scan stage is where Aqua Security comes in. The aquaScan step takes your image name, registry details, and crucially, a failBuildOn parameter. If Aqua finds vulnerabilities of severity HIGH or greater, it will fail this stage. The Deploy stage is then gated by aquaScanStatus(), ensuring that only images that passed the Aqua scan are deployed.
The problem Aqua Security solves is the late discovery of vulnerabilities. Traditionally, you’d build an image, push it to a registry, and then a separate security tool would scan it. If it found issues, you might have already deployed the vulnerable image, or you’d have to go back and fix it, potentially delaying your release. Aqua integrates this check directly into the build and deployment workflow, shifting security left.
Internally, the aquaScan step communicates with your Aqua Security platform (either on-premises or cloud-based). It tells Aqua to scan the specified image. Aqua performs its analysis, checking for known CVEs in the image’s operating system packages and application dependencies. The results are sent back to Jenkins. The failBuildOn parameter is a policy enforcement mechanism. You configure Aqua Security with policies that define acceptable risk levels. When the Jenkins plugin receives the scan results, it compares them against these policies. If the policy is violated (e.g., a HIGH vulnerability is found when the policy is MEDIUM), the plugin signals a failure to Jenkins.
The aquaScanStatus() function is a convenient way to check the outcome of the last Aqua scan performed in the pipeline. It returns PASSED if the scan met the defined policy thresholds or FAILED if it didn’t. This allows you to conditionally execute subsequent stages, like deployment, based on your security posture.
You can also configure Aqua Security to scan not just OS packages but also application dependencies (like npm, Maven, Pip packages) and even secrets that might have been inadvertently baked into the image. This comprehensive scanning is managed through your Aqua Security console, where you define your vulnerability management policies, allowing you to granularly control what constitutes a "pass" or "fail" for your builds.
When you set failBuildOn to a specific severity like HIGH, the plugin doesn’t just look for any vulnerability; it checks if there’s at least one vulnerability matching or exceeding that severity level. If it finds one, the build stage fails. This means you can tolerate LOW or MEDIUM severity vulnerabilities based on your organization’s risk appetite, but HIGH and CRITICAL issues will halt the pipeline.
The real power comes when you combine this with Aqua’s image assurance policies. You can define a policy in Aqua that says, "No image with a 'Critical' vulnerability can be deployed to production." Then, in Jenkins, you’d set failBuildOn: 'CRITICAL'. If the Jenkins plugin detects a critical vulnerability, it fails the build. If it passes, you can then push the image to your registry and proceed with deployment, confident that you’ve met your baseline security requirements for that build.
If you’re using Aqua’s image assurance features and have policies that block specific images based on compliance checks (like license compliance or malware), the Jenkins plugin can also report on these. The aquaScan step, by default, will check these policies and fail the build if they are violated.
The next logical step after securing your build pipeline is to extend Aqua’s visibility and control to your running workloads.