Aqua Security’s platform can scan container images in your Elastic Container Registry (ECR), Google Container Registry (GCR), and Azure Container Registry (ACR) to identify vulnerabilities and misconfigurations.

Here’s how it works:

Let’s say you’ve got a Kubernetes cluster running and you’re pulling images from ECR. Aqua can be configured to periodically scan these images.

```yaml
apiVersion: aqua.oc.io/v1
kind: AquaImageScanner
metadata:
  name: ecr-scanner
spec:
  scanSchedule: "0 0 * * *" # Daily at midnight
  registry:
    type: ecr
    region: us-east-1
    awsAccessKey: "AKIAXXXXXXXXXXXXXXXX" # Sensitive, use IAM roles in production
    awsSecretKey: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # Sensitive, use IAM roles in production
  imagePullSecrets:
    - name: aqua-registry-secret # Kubernetes secret for Aqua's registry access
```

When a scan runs, Aqua:

  1. Authenticates to your cloud provider (AWS, GCP, or Azure) using the provided credentials or IAM roles.
  2. Connects to the specified registry (ECR, GCR, or ACR).
  3. Enumerates images within the registry, often based on predefined filters or specific repository names.
  4. Pulls image manifests and layers. This is a crucial step; Aqua needs to access the image data itself.
  5. Analyzes the image layers for known vulnerabilities (CVEs) in installed packages (OS packages, language-specific packages like npm, pip, Maven, etc.).
  6. Scans for misconfigurations, sensitive data, malware, and compliance violations based on configured policies.
  7. Reports findings through the Aqua console, API, or other integrations.

The core problem Aqua solves is shifting security "left" – finding and fixing vulnerabilities before they reach production. Without a tool like Aqua, you’re often left with manual checks or relying solely on runtime security, which is too late for many issues.

Internally, Aqua maintains a comprehensive and continuously updated vulnerability database. When it scans an image, it compares the detected software components and their versions against this database. The scanning engine is designed to be efficient, often pulling only necessary image layers to perform the analysis.

The exact levers you control are primarily around the spec of the AquaImageScanner custom resource:

  • scanSchedule: When and how often scans occur.
  • registry.type: Which cloud provider’s registry you’re using.
  • registry.region: The specific AWS region for ECR. For GCR, this might be gcr.io or a regional endpoint. For ACR, it’s the ACR login server name (e.g., myregistry.azurecr.io).
  • registry.awsAccessKey/awsSecretKey (or equivalent for GCP/Azure): How Aqua authenticates. In production, it’s highly recommended to use IAM roles/service accounts for better security.
  • imagePullSecrets: If your registry requires authentication beyond cloud provider credentials (e.g., for private registries or specific user accounts), this specifies the Kubernetes secret containing those credentials.
  • filters: You can often specify which repositories or image tags to scan, or exclude.

One common point of confusion is how Aqua handles image pulling. It doesn’t just scan metadata; it needs to access the actual image layers. If your network policies or firewall rules prevent the Aqua scanner pod (running within your Kubernetes cluster) from reaching your ECR/GCR/ACR endpoints, the scans will fail. This often manifests as timeouts or authentication errors that seem unrelated to the provided cloud credentials, but are actually network connectivity issues. Ensuring that the Kubernetes nodes or the Aqua scanner pod have egress access to the container registry endpoint is paramount.
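A quick way to tell the two failure modes apart is to probe the registry's /v2/ endpoint from inside the scanner pod, the way the scanner itself would reach it. This is an added example, not part of the original page or of Aqua's tooling; the namespace, pod name and the ECR account id are assumed placeholders.

```bash
#!/usr/bin/env bash
# Added example: separates "network egress blocked" from "credentials wrong"
# for a registry scanner pod. Not Aqua code; pod/namespace names are assumed.
set -euo pipefail

# classify_probe HTTP_STATUS CURL_EXIT -> one diagnosis line.
# A Docker Registry v2 endpoint (ECR, GCR, ACR) answers 401 to an
# unauthenticated GET /v2/ when it is reachable, so a 401 proves the network
# path is open and points any remaining scan failure at credentials/IAM.
classify_probe() {
  local status="$1" curl_exit="$2"
  if [ "$curl_exit" -ne 0 ]; then
    case "$curl_exit" in
      6)    echo "network: DNS resolution failed for the registry host" ;;
      7|28) echo "network: connection refused or timed out (check egress policy/firewall)" ;;
      60)   echo "network: TLS verification failed (interception proxy or missing CA?)" ;;
      *)    echo "network: curl exited $curl_exit before an HTTP response" ;;
    esac
    return 0
  fi
  case "$status" in
    200|401) echo "reachable: registry answered $status; remaining failures are credentials/IAM" ;;
    *)       echo "reachable: registry answered HTTP $status; the network path is open" ;;
  esac
}

# probe_registry NAMESPACE POD HOST: run curl inside the scanner pod, then classify.
# kubectl exec propagates curl's exit code, which is what we key on.
probe_registry() {
  local ns="$1" pod="$2" host="$3" status curl_exit
  set +e
  status=$(kubectl -n "$ns" exec "$pod" -- \
    curl -sS -o /dev/null -w '%{http_code}' --connect-timeout 5 --max-time 15 \
    "https://${host}/v2/")
  curl_exit=$?
  set -e
  classify_probe "${status:-000}" "$curl_exit"
}

# Example invocation with placeholder names (account id 123456789012 is made up):
# probe_registry aqua aqua-scanner-0 123456789012.dkr.ecr.us-east-1.amazonaws.com
```

Run the probe before touching IAM policies: a "network:" verdict means no credential change will fix the scan, while a 401 means the egress path is fine and the registry credentials are what to examine.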

The next challenge is integrating these scan results into your CI/CD pipeline to prevent vulnerable images from being deployed.
