Aqua Enterprise
You can use Aqua's commercial scanner to scan container images and generate vulnerability reports. The Starboard connector for Aqua attempts to fetch the vulnerability report for the specified image digest via Aqua's API. If the report is not found, it spins up an ad-hoc scan by executing the scannercli command.

The value of aqua.imageRef determines the version of the actual scannercli binary executable and must be compatible with the version of your Aqua deployment. By default, scannercli 5.3 is used, but if you are running, for example, Aqua 5.2, change the value to docker.io/aquasec/scanner:5.2.

To integrate the Aqua scanner, change the value of the vulnerabilityReports.scanner property to Aqua and specify the aqua.serverURL:

AQUA_SERVER_URL=<your console URL>
kubectl patch cm starboard -n <starboard_namespace> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "vulnerabilityReports.scanner": "Aqua",
    "aqua.serverURL": "$AQUA_SERVER_URL"
  }
}
EOF
)"

Finally, edit the starboard secret to configure the aqua.username and aqua.password credentials, which are used to connect to Aqua's management console:

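AQUA_CONSOLE_USERNAME=<your username>
AQUA_CONSOLE_PASSWORD=<your password>
# Quote the variables so whitespace and glob characters in the credentials survive,
# and strip newlines because base64 may wrap long output.
kubectl patch secret starboard -n <starboard_namespace> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "aqua.username": "$(printf '%s' "$AQUA_CONSOLE_USERNAME" | base64 | tr -d '\n')",
    "aqua.password": "$(printf '%s' "$AQUA_CONSOLE_PASSWORD" | base64 | tr -d '\n')"
  }
}
EOF
)"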
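
The following pre-flight helpers are an added example, not part of the Starboard documentation or the Starboard code base. They build the secret patch with encoding that is safe for any credential value and check the aqua.imageRef tag against the Aqua version before anything is applied. The function names are hypothetical, and treating "compatible" as "same major.minor" is an assumption drawn from the 5.2 example above.

```shell
#!/bin/sh
# Added example: helpers for the Starboard/Aqua settings described above.
# Function names are hypothetical; nothing here talks to a cluster.

# Encode a value for a Secret "data" field: no trailing newline is added
# to the input, and line wrapping in the base64 output is removed.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the merge patch for the starboard secret from a username and password.
# base64 output needs no JSON escaping, so quotes or spaces in the password are safe.
secret_patch() {
  printf '{"data":{"aqua.username":"%s","aqua.password":"%s"}}' \
    "$(b64 "$1")" "$(b64 "$2")"
}

# Compare the tag of an aqua.imageRef value with the Aqua deployment version.
# Assumption: "compatible" means the same major.minor.
# Returns 0 on match, 1 on mismatch, 2 when there is no tag to compare
# (untagged or digest-pinned reference).
scanner_matches_aqua() {
  image_ref=$1
  aqua_version=$2
  case $image_ref in
    *@*) return 2 ;;
  esac
  last=${image_ref##*/}          # drop registry host (and port) and repository path
  case $last in
    *:*) tag=${last##*:} ;;
    *)   return 2 ;;
  esac
  want=$(printf '%s' "$aqua_version" | cut -d. -f1,2)
  have=$(printf '%s' "$tag" | cut -d. -f1,2)
  [ "$want" = "$have" ]
}

# Usage, once the check passes (placeholders as in the commands above):
#   scanner_matches_aqua docker.io/aquasec/scanner:5.2 5.2 &&
#   kubectl patch secret starboard -n <starboard_namespace> --type merge \
#     -p "$(secret_patch "$AQUA_CONSOLE_USERNAME" "$AQUA_CONSOLE_PASSWORD")"
```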