Aqua Enterprise Scanner
You can use Aqua's commercial scanner to scan container images and generate vulnerability reports. The Starboard
connector for Aqua attempts to fetch the vulnerability report for the specified image digest via Aqua's API.
If the report is not found, it spins up an ad-hoc scan by executing the `scannercli` command.
The value of `aqua.imageRef` determines the version of the actual `scannercli` binary executable and must be
compatible with the version of your Aqua server. By default, `scannercli` 5.3 is used, but if you are running,
for example, Aqua 5.2, change the value to `docker.io/aquasec/scanner:5.2`.
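An added example (not part of the Starboard documentation or Aqua's tooling): a POSIX shell pre-flight check that compares the tag in `aqua.imageRef` with the Aqua server version before the configuration is applied. It assumes "compatible" means the same major.minor, as in the 5.2 example above; the function names are hypothetical and the server version is supplied by the operator.

```shell
#!/bin/sh
# Added example: pre-flight check for the aqua.imageRef value.
# Assumption: "compatible" means the scanner tag and the Aqua server share
# the same major.minor (Aqua 5.2 -> docker.io/aquasec/scanner:5.2).

# Print the tag of an image reference; fail if the reference has no tag.
image_tag() {
  ref=${1%%@*}        # drop an optional @sha256:... digest suffix
  last=${ref##*/}     # last path component, so a registry host:port is ignored
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   return 1 ;;  # untagged reference (implicit "latest")
  esac
}

# Reduce a version such as 5.2.21 (or v5.2.21) to major.minor (5.2).
# Prints nothing for non-numeric tags such as "latest".
major_minor() {
  printf '%s\n' "$1" |
    sed -n 's/^v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Return 0 when the scanner tag matches the server version, 1 otherwise.
# $1 = value intended for aqua.imageRef, $2 = Aqua server version.
check_scanner_compat() {
  image_ref=$1
  server_version=$2
  tag=$(image_tag "$image_ref") || {
    echo "no tag in '$image_ref'; pin the scanner version explicitly" >&2
    return 1
  }
  want=$(major_minor "$server_version")
  have=$(major_minor "$tag")
  if [ -z "$want" ] || [ -z "$have" ] || [ "$want" != "$have" ]; then
    echo "mismatch: scanner tag '$tag' vs Aqua server '$server_version'" >&2
    return 1
  fi
}
```

Call `check_scanner_compat "<image ref>" "<server version>"` and only apply the configuration when it returns 0.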
To integrate the Aqua scanner, change the value of the `vulnerabilityReports.scanner` property to `Aqua`:
```
kubectl patch cm starboard -n <TRIVY_OPERATOR_NAMESPACE> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "vulnerabilityReports.scanner": "Aqua"
  }
}
EOF
)"
```
Specify the container image of Aqua scanner and server URL:
```
AQUA_SERVER_URL=<your console URL>
kubectl create configmap starboard-aqua-config -n <TRIVY_OPERATOR_NAMESPACE> \
  --from-literal=aqua.imageRef=docker.io/aquasec/scanner:5.3 \
  --from-literal=aqua.serverURL="$AQUA_SERVER_URL"
```
Finally, create or edit the `starboard-aqua-config` secret to configure the `aqua.username` and `aqua.password`
credentials, which are used to connect to Aqua's management console:
```
AQUA_CONSOLE_USERNAME=<your username>
AQUA_CONSOLE_PASSWORD=<your password>
kubectl create secret generic starboard-aqua-config -n <TRIVY_OPERATOR_NAMESPACE> \
  --from-literal=aqua.username="$AQUA_CONSOLE_USERNAME" \
  --from-literal=aqua.password="$AQUA_CONSOLE_PASSWORD"
```
Tip
You can use the Helm installer to enable the Aqua Enterprise scanner as follows:
```
AQUA_SERVER_URL=<your console URL>
AQUA_CONSOLE_USERNAME=<your username>
AQUA_CONSOLE_PASSWORD=<your password>
helm install starboard-operator ./deploy/helm \
  --namespace starboard-system --create-namespace \
  --set="targetNamespaces=default" \
  --set="operator.vulnerabilityReportsPlugin=Aqua" \
  --set="aqua.imageRef=docker.io/aquasec/scanner:5.3" \
  --set="aqua.serverURL=$AQUA_SERVER_URL" \
  --set="aqua.username=$AQUA_CONSOLE_USERNAME" \
  --set="aqua.password=$AQUA_CONSOLE_PASSWORD"
```
Settings
CONFIGMAP KEY | DEFAULT | DESCRIPTION |
---|---|---|
`aqua.imageRef` | `docker.io/aquasec/scanner:5.3` | Aqua scanner image reference. The tag determines the version of the scanner binary executable, and it must be compatible with the version of the Aqua console. |
`aqua.serverURL` | N/A | The endpoint URL of the Aqua management console |

SECRET KEY | DESCRIPTION |
---|---|
`aqua.username` | Aqua management console username |
`aqua.password` | Aqua management console password |