Generating and managing Software Bill of Materials (SBOMs) with Aqua Security isn’t just about listing components; it’s about transforming a static inventory into a dynamic, actionable security posture.
Let’s see Aqua in action. Imagine you’ve just built a new container image for your microservice. You push it to your registry, and Aqua automatically kicks in.
# Example Dockerfile
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends \
    nginx \
    && rm -rf /var/lib/apt/lists/*
COPY ./html /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
After building and pushing this image (e.g., docker build -t my-registry/my-nginx-app:1.0 . followed by docker push my-registry/my-nginx-app:1.0), Aqua Security’s scanning engine, integrated into your CI/CD pipeline or running on your registry, will analyze it. It doesn’t just look for known vulnerabilities; it meticulously identifies every software component, its version, and its license.
Aqua’s core strength lies in its comprehensive understanding of the software supply chain. It goes beyond just package managers. For container images, this means analyzing the base OS packages (like dpkg or rpm), language-specific packages (npm, pip, Maven, Go modules, etc.), and even dynamically linked libraries. For IaC, it parses Terraform, CloudFormation, and Kubernetes manifests to understand the deployed infrastructure and its dependencies.
The result of this scan is an SBOM, typically in CycloneDX or SPDX format, that Aqua stores and makes accessible through its console or API. This SBOM isn’t a one-time snapshot; Aqua continuously monitors these components for new vulnerabilities (CVEs) and license compliance issues.
Here’s how Aqua helps manage these SBOMs:
- Discovery and Inventory: Aqua automatically discovers all software components across your container images, IaC configurations, and even running workloads. This provides a unified view of your entire software inventory.
- Vulnerability Management: When a new CVE is published that affects a component in your SBOM, Aqua alerts you, clearly indicating which artifacts and running instances are impacted.
- License Compliance: Aqua analyzes component licenses, flagging any that violate your organization’s policies, preventing licensing disputes or legal issues.
- Policy Enforcement: You can define granular policies based on SBOM data. For example, "block deployments of images containing packages with GPLv3 licenses" or "fail builds if a critical vulnerability is found in any Go module."
Here’s a snippet of what an Aqua-generated CycloneDX SBOM might look like (simplified):
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:...",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-27T10:00:00Z",
    "component": {
      "type": "application",
      "bom-ref": "my-nginx-app:1.0",
      "name": "my-nginx-app",
      "version": "1.0"
    }
  },
  "components": [
    {
      "type": "operating-system",
      "name": "Ubuntu",
      "version": "22.04"
    },
    {
      "type": "application",
      "name": "nginx",
      "version": "1.18.0",
      "purl": "pkg:deb/ubuntu/nginx@1.18.0?os=ubuntu&os_version=22.04",
      "licenses": [
        {
          "license": {
            "id": "Nginx"
          }
        }
      ]
    },
    {
      "type": "library",
      "name": "libc6",
      "version": "2.35-0ubuntu3",
      "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3?os=ubuntu&os_version=22.04"
    }
    // ... many more components
  ]
}
Aqua’s ability to integrate with various CI/CD tools (Jenkins, GitLab CI, GitHub Actions, Azure DevOps) and cloud providers (AWS, Azure, GCP) means that SBOM generation and management become a seamless part of your development lifecycle, not an afterthought. You can enforce policies at build time, scan images in your registry, and even monitor running containers for drift or newly discovered threats.
The one part that often trips people up is how Aqua correlates components across different artifact types. For instance, it can trace a specific package version found in a container image back to the exact version of that package that was installed by a particular Terraform module. This cross-artifact traceability is crucial for pinpointing the root cause of a vulnerability or a compliance issue, rather than just seeing a generic alert. It means you’re not just fixing a vulnerable package; you’re fixing the source that introduced it.
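To make the policy bullets and the cross-artifact lookup concrete, here is an added example (my own code, not Aqua’s product or API) that reads CycloneDX 1.4 documents in the shape shown above, applies the two policies quoted earlier (deny GPLv3-licensed packages; fail on a critical vulnerability in a Go module), and answers “which artifacts contain this component?” across several SBOMs by comparing package URLs. The SBOMs, the libreadline8 component, the Go service and the advisory feed are all constructed sample data; the advisory ids are placeholders, not real CVEs.

```python
"""Policy checks over CycloneDX SBOMs and purl-based impact lookup (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Policy from the text: block images containing GPLv3-licensed packages.
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "GPL-3.0", "GPL-3.0+"}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id (constructed), not a real CVE
    purl: str          # affected package coordinates, without qualifiers
    severity: str


@dataclass(frozen=True)
class Finding:
    rule: str
    artifact: str
    component: str
    detail: str
    blocking: bool


def purl_coordinates(purl: str) -> str:
    """Drop qualifiers (?...) and subpath (#...) so purls compare on type/namespace/name@version."""
    for sep in ("?", "#"):
        purl = purl.split(sep, 1)[0]
    return purl


def purl_type(purl: str) -> str:
    """'pkg:deb/ubuntu/libc6@...' -> 'deb'; empty string if the value is not a purl."""
    return purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""


def iter_components(sbom: dict):
    """Yield every component in document order, including nested components."""
    def walk(comps):
        for comp in comps:
            yield comp
            yield from walk(comp.get("components", []))
    yield from walk(sbom.get("components", []))


def license_tokens(comp: dict) -> set:
    """Collect license ids/names plus identifiers from SPDX expressions.
    Expressions are split into tokens, so 'MIT OR GPL-3.0-only' counts as a hit:
    this deliberately errs on the strict side instead of evaluating OR choices."""
    tokens = set()
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        tokens.update(v for k, v in lic.items() if k in ("id", "name"))
        tokens.update(re.split(r"[\s()]+", entry.get("expression", "")))
    return tokens - {"", "AND", "OR", "WITH"}


def enforce(sbom: dict, advisories: list) -> list:
    """Apply both policies to one SBOM; a Finding is blocking when a policy says so."""
    artifact = sbom["metadata"]["component"]["bom-ref"]
    by_purl = {a.purl: a for a in advisories}
    findings = []
    for comp in iter_components(sbom):
        label = f"{comp['name']}@{comp.get('version', '?')}"
        denied = license_tokens(comp) & DENIED_LICENSES
        if denied:
            findings.append(Finding("license", artifact, label, ",".join(sorted(denied)), True))
        purl = comp.get("purl", "")
        adv = by_purl.get(purl_coordinates(purl))
        if adv:
            # Policy from the text: fail only for a critical vulnerability in a Go module;
            # everything else is reported as an alert without blocking.
            blocking = adv.severity == "critical" and purl_type(purl) == "golang"
            findings.append(Finding("vulnerability", artifact, label,
                                    f"{adv.advisory_id} ({adv.severity})", blocking))
    return findings


def verdict(findings: list) -> str:
    return "block" if any(f.blocking for f in findings) else "allow"


def impacted_artifacts(sboms: list, purl: str) -> list:
    """Cross-artifact lookup: every artifact whose SBOM carries the given package."""
    target = purl_coordinates(purl)
    return [s["metadata"]["component"]["bom-ref"] for s in sboms
            if any(purl_coordinates(c.get("purl", "")) == target for c in iter_components(s))]


def make_sbom(name: str, version: str, components: list) -> dict:
    """Minimal CycloneDX 1.4 document (constructed) in the shape shown above."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": f"{name}:{version}",
                                       "name": name, "version": version}},
            "components": components}


# Constructed sample SBOMs; libreadline8 and the Go service are hypothetical entries.
SBOMS = [
    make_sbom("my-nginx-app", "1.0", [
        {"type": "operating-system", "name": "Ubuntu", "version": "22.04"},
        {"type": "application", "name": "nginx", "version": "1.18.0",
         "purl": "pkg:deb/ubuntu/nginx@1.18.0?os=ubuntu&os_version=22.04",
         "licenses": [{"license": {"id": "Nginx"}}]},
        {"type": "library", "name": "libc6", "version": "2.35-0ubuntu3",
         "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3?os=ubuntu&os_version=22.04"},
        {"type": "library", "name": "libreadline8", "version": "8.1-1",
         "purl": "pkg:deb/ubuntu/libreadline8@8.1-1?os=ubuntu&os_version=22.04",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
    ]),
    make_sbom("my-go-svc", "2.3", [
        {"type": "library", "name": "golang.org/x/net", "version": "v0.7.0",
         "purl": "pkg:golang/golang.org/x/net@v0.7.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "libc6", "version": "2.35-0ubuntu3",
         "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3?os=ubuntu&os_version=22.04"},
    ]),
]

# Constructed advisory feed with placeholder ids.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "pkg:golang/golang.org/x/net@v0.7.0", "critical"),
    Advisory("EXAMPLE-ADV-0002", "pkg:deb/ubuntu/libc6@2.35-0ubuntu3", "high"),
]

if __name__ == "__main__":
    for sbom in SBOMS:
        findings = enforce(sbom, ADVISORIES)
        print(sbom["metadata"]["component"]["bom-ref"], "->", verdict(findings))
        for f in findings:
            print("  ", f.rule, f.component, f.detail, "(blocking)" if f.blocking else "")
    print("libc6 present in:", impacted_artifacts(SBOMS, ADVISORIES[1].purl))
```

Matching on purl coordinates rather than on bare names is the point worth copying: the same libc6 build appears in both artifacts under different qualifiers, and stripping those is what lets a single advisory fan out to every image that carries the package. The license check is deliberately strict about SPDX expressions; a real policy engine would evaluate OR choices instead of flagging any denied token.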
Once you’ve mastered SBOM generation and management, the next logical step is to integrate this rich SBOM data into your incident response workflows.