Scanning container images for vulnerabilities with Aqua Security’s tools is fundamentally about proactively identifying and mitigating security risks before they can be exploited in your running applications.
Let’s see it in action. Imagine you’ve just built a new Docker image for your web service. You’ve got it locally, and you’re ready to push it to your registry. Before you do, you want to scan it.
First, you’d need Aqua’s scanner installed. If you’re using their cloud platform, scanning is built in. If you’re running on-prem or in a CI/CD pipeline, you’ll most likely use the trivy CLI (Trivy is Aqua Security’s open-source scanner; it works as a standalone tool and is also the engine behind parts of Aqua’s platform). Note that Trivy downloads its vulnerability database on first run, so the scanning host needs outbound access to fetch it, or a pre-populated cache in an air-gapped environment.
Let’s say your image is tagged my-web-app:latest. You’d run a scan like this:
trivy image my-web-app:latest
The output is a report per scan target, grouped by severity. You’ll see critical, high, medium, and low severity issues, each with its CVE (Common Vulnerabilities and Exposures) identifier, the affected package and installed version, a short title, and a link to the vulnerability’s description. Trivy’s real table also includes a Fixed Version column, which tells you at a glance whether upgrading the package resolves the issue or whether no fixed package has been published yet. The layout below is simplified for illustration; the CVE numbers are placeholders:
my-web-app:latest (debian 10.13)
================================
Total: 195 (CRITICAL: 10, HIGH: 50, MEDIUM: 80, LOW: 55)

CRITICAL (10)
--------------------------------------------------------------------------------
CVE-2023-XXXX   curl 7.74.0-1.1+deb10u6       Debian 10
                A buffer overflow vulnerability exists in curl...
                https://avd.aquasec.com/nvd/CVE-2023-XXXX
... more critical vulnerabilities ...

HIGH (50)
--------------------------------------------------------------------------------
CVE-2023-YYYY   openssl 1.1.1n-0+deb10u3      Debian 10
                A use-after-free vulnerability in OpenSSL...
                https://avd.aquasec.com/nvd/CVE-2023-YYYY
... more high vulnerabilities ...
What the scan actually does is read the package-manager metadata inside the image’s filesystem (the dpkg status database on Debian, the apk database on Alpine, the rpm database on Red Hat derivatives) plus language-ecosystem files such as lockfiles and installed package metadata. That gives it an inventory of every installed package (curl, openssl, bash, and so on) with its exact version string. It then matches that inventory against a continuously updated vulnerability database that aggregates NVD, the distributions’ own security trackers, and language-ecosystem advisories. Two practical consequences follow. First, matching is distribution-aware: Debian backports fixes without changing the upstream version, so a package like curl 7.74.0-1.1+deb10u6 is judged against Debian 10’s advisory data, not against upstream curl 7.74.0 alone. Second, the scanner can only inventory what it can recognise: a binary compiled from source and copied into the image, or a library vendored outside any package manager, will not show up unless the scanner has a way to identify it.
The problem Aqua solves is the inherent opacity of container images. When you build an image, you’re layering software from several sources: the base image, OS packages you install, language dependencies, and files you copy in. It’s impractical for a human to track every package and version, let alone the security status of each. Aqua automates the inventory and the comparison, turning an opaque image into a concrete, actionable list of findings.
You control the scope and depth of scanning. Aqua can scan for OS package vulnerabilities, application dependencies (Python, Node.js, Java libraries and others), malware, misconfigurations, and secrets embedded within the image. You can configure policies to define what constitutes acceptable risk, for instance blocking any image with a critical vulnerability or flagging images with more than five high-severity issues. With the Trivy CLI the simplest gate is built in: trivy image --severity CRITICAL,HIGH --exit-code 1 my-web-app:latest returns a non-zero exit code when findings of those severities exist, which is enough to fail a pipeline stage, and --ignore-unfixed drops findings for which no fixed package exists yet so the gate only trips on things you can actually remediate. Accepted risks can be listed by CVE ID in a .trivyignore file so they stop tripping the gate, but that file should be reviewed like code, since it is where silent exceptions accumulate.
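To show how such a policy is enforced in practice, here is an added example (not code from the page or from Aqua’s tooling) that evaluates a Trivy JSON report against the two rules above. It assumes the report was produced with trivy image --format json --output report.json my-web-app:latest, and uses Trivy’s documented JSON field names (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity). The embedded sample report is constructed for the demo: its CVE IDs are placeholders, not real advisories, and the fixed versions are made up.

```python
"""Gate a CI build on a Trivy JSON report.

Produce the report with:
    trivy image --format json --output report.json my-web-app:latest
then run:
    python gate.py report.json [--ignore-unfixed] [--ignorefile .trivyignore]
"""
import json
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of Trivy's JSON output (SchemaVersion 2).
# The CVE IDs are placeholders and the version strings are invented for the demo.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "my-web-app:latest",
    "Results": [
        {
            "Target": "my-web-app:latest (debian 10.13)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-XXXX", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.1+deb10u6",
                 "FixedVersion": "7.74.0-1.3+deb10u9",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2023-YYYY", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1n-0+deb10u3",
                 "FixedVersion": "",  # empty: no fixed package published yet
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-ZZZZ", "PkgName": "example-lib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
}


def iter_findings(report, ignore_ids=(), ignore_unfixed=False):
    """Yield (target, finding) for every vulnerability that survives the filters."""
    ignore = set(ignore_ids)
    for result in report.get("Results", []):
        # Trivy omits the key (or emits null) when a target has no findings.
        for finding in result.get("Vulnerabilities") or []:
            if finding.get("VulnerabilityID") in ignore:
                continue  # accepted risk, listed in the ignore file
            if ignore_unfixed and not finding.get("FixedVersion"):
                continue  # nothing to upgrade to yet; same idea as --ignore-unfixed
            yield result.get("Target", "?"), finding


def count_by_severity(report, ignore_ids=(), ignore_unfixed=False):
    """Return a Counter keyed by severity, with every known severity present."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for _, finding in iter_findings(report, ignore_ids, ignore_unfixed):
        counts[finding.get("Severity", "UNKNOWN")] += 1
    return counts


def evaluate_policy(report, max_critical=0, max_high=5,
                    ignore_ids=(), ignore_unfixed=False):
    """Apply the policy from the text: block on any CRITICAL, flag more than
    five HIGH. Returns (passed, list of human-readable violations)."""
    counts = count_by_severity(report, ignore_ids, ignore_unfixed)
    violations = []
    if counts["CRITICAL"] > max_critical:
        violations.append(f"{counts['CRITICAL']} CRITICAL (max {max_critical})")
    if counts["HIGH"] > max_high:
        violations.append(f"{counts['HIGH']} HIGH (max {max_high})")
    return not violations, violations


def parse_ignore_lines(lines):
    """Parse .trivyignore-style content: one ID per line, '#' starts a comment."""
    ids = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            ids.append(line)
    return ids


def main(argv):
    paths = [a for a in argv[1:] if not a.startswith("--")]
    ignore_unfixed = "--ignore-unfixed" in argv
    ignore_ids = []
    if "--ignorefile" in argv:
        with open(argv[argv.index("--ignorefile") + 1]) as fh:
            ignore_ids = parse_ignore_lines(fh)
        paths = [p for p in paths if p not in ignore_ids and p != argv[argv.index("--ignorefile") + 1]]
    if paths:
        with open(paths[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # fall back to the constructed sample
    for target, f in iter_findings(report, ignore_ids, ignore_unfixed):
        print(f"{f['Severity']:8} {f['VulnerabilityID']:16} {f['PkgName']} "
              f"{f['InstalledVersion']} -> {f.get('FixedVersion') or 'no fix'}  [{target}]")
    passed, violations = evaluate_policy(report, ignore_ids=ignore_ids,
                                         ignore_unfixed=ignore_unfixed)
    print("PASSED" if passed else "BLOCKED: " + "; ".join(violations))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and blocks on the single CRITICAL finding; with the curl CVE accepted via an ignore file and --ignore-unfixed set, only the fixable HIGH in the pip dependency remains and the gate passes. Keeping the policy in a script like this, rather than in ad hoc pipeline YAML, means the thresholds and the accepted-risk list are versioned and reviewable.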
What stands out is how far Aqua can see into the composition of an image, down to the specific build of a third-party library or a deeply nested dependency. It isn’t limited to the top-level packages you explicitly installed: by reading lockfiles and the metadata that package managers leave behind, it enumerates transitive dependencies and records the precise version of everything that ended up in the image, whether pulled in directly or indirectly. That granularity is what lets it flag a vulnerable library buried three levels down that no one consciously chose. The flip side is that the precision depends on those artefacts being present; a Python project installed from an unpinned requirements file is inventoried from what actually landed in site-packages, so the scan reflects that specific build rather than a reproducible manifest.
Once you’ve addressed the reported vulnerabilities (typically by moving to a newer base image, upgrading the affected packages, or bumping dependency versions), rebuild the image and rescan it to confirm they’re gone. Because the vulnerability database keeps changing, an image that passed yesterday can fail today, so the scan belongs in the pipeline for every build and, ideally, on a schedule against the images already in your registry.