
Aqua Enterprise Scanner

You can use Aqua's commercial scanner to scan container images and generate vulnerability reports. The Starboard connector for Aqua attempts to fetch the vulnerability report for the specified image digest via Aqua's API. If the report is not found, it spins up an ad-hoc scan by executing the scannercli command.

The value of aqua.imageRef determines the version of the actual scannercli binary executable and must be compatible with the version of your Aqua server. By default, scannercli 5.3 is used, but if you are running, for example, Aqua 5.2, change the value to docker.io/aquasec/scanner:5.2.

To integrate the Aqua scanner, change the value of the vulnerabilityReports.scanner property to Aqua:

kubectl patch cm starboard -n <TRIVY_OPERATOR_NAMESPACE> \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "vulnerabilityReports.scanner": "Aqua"
  }
}
EOF
)"

Specify the container image of the Aqua scanner and the server URL:

AQUA_SERVER_URL=<your console URL>

kubectl create configmap starboard-aqua-config -n <TRIVY_OPERATOR_NAMESPACE> \
  --from-literal=aqua.imageRef=docker.io/aquasec/scanner:5.3 \
  --from-literal=aqua.serverURL="$AQUA_SERVER_URL"

Finally, create or edit the starboard-aqua-config secret to configure the aqua.username and aqua.password credentials, which are used to connect to Aqua's management console:

AQUA_CONSOLE_USERNAME=<your username>
AQUA_CONSOLE_PASSWORD=<your password>

kubectl create secret generic starboard-aqua-config -n <TRIVY_OPERATOR_NAMESPACE> \
  --from-literal=aqua.username="$AQUA_CONSOLE_USERNAME" \
  --from-literal=aqua.password="$AQUA_CONSOLE_PASSWORD"
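
An added example, not part of the Starboard documentation or code: shell helpers for two points this procedure depends on, checking that the aqua.imageRef tag matches the Aqua server version and rendering the starboard-aqua-config secret as a manifest so the password is not passed to kubectl as a command-line argument. The function names are hypothetical, the server version is a value you supply, and reading "compatible" as equal major.minor versions is an assumption based on the 5.2 example above.

```shell
#!/bin/sh
# Added example (not Starboard's own code). Assumption: "compatible" means the
# scanner tag's major.minor equals the Aqua server's major.minor.

# Print the tag of an image reference, or "latest" when it has none.
image_tag() {
  ref=${1%%@*}        # drop any @sha256:... digest suffix
  last=${ref##*/}     # last path component, so a registry port is not a tag
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# Print major.minor of a version such as 5.3.21034; print nothing otherwise.
major_minor() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed only when the aqua.imageRef tag ($1) matches the server version ($2).
scanner_matches_server() {
  tag=$(major_minor "$(image_tag "$1")")
  srv=$(major_minor "$2")
  [ -n "$tag" ] && [ "$tag" = "$srv" ]
}

# Render the starboard-aqua-config Secret for namespace $1 from the
# AQUA_CONSOLE_USERNAME / AQUA_CONSOLE_PASSWORD variables.
# Usage: render_aqua_secret <namespace> | kubectl apply -f -
# printf is a builtin in bash and dash, so the password is piped to base64
# and never placed in a process argument list.
render_aqua_secret() {
  ns=$1
  : "${AQUA_CONSOLE_USERNAME:?not set}" "${AQUA_CONSOLE_PASSWORD:?not set}"
  user_b64=$(printf '%s' "$AQUA_CONSOLE_USERNAME" | base64 | tr -d '\n')
  pass_b64=$(printf '%s' "$AQUA_CONSOLE_PASSWORD" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: starboard-aqua-config
  namespace: $ns
type: Opaque
data:
  aqua.username: $user_b64
  aqua.password: $pass_b64
EOF
}
```
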

Tip

You can use the Helm installer to enable the Aqua Enterprise scanner as follows:

AQUA_SERVER_URL=<your console URL>
AQUA_CONSOLE_USERNAME=<your username>
AQUA_CONSOLE_PASSWORD=<your password>

helm install starboard-operator ./deploy/helm \
  --namespace starboard-system --create-namespace \
  --set="targetNamespaces=default" \
  --set="operator.vulnerabilityReportsPlugin=Aqua" \
  --set="aqua.imageRef=docker.io/aquasec/scanner:5.3" \
  --set="aqua.serverURL=$AQUA_SERVER_URL" \
  --set="aqua.username=$AQUA_CONSOLE_USERNAME" \
  --set="aqua.password=$AQUA_CONSOLE_PASSWORD"

Settings

| CONFIGMAP KEY | DEFAULT | DESCRIPTION |
|---|---|---|
| aqua.imageRef | docker.io/aquasec/scanner:5.3 | Aqua scanner image reference. The tag determines the version of the scanner binary executable and must be compatible with the version of the Aqua console. |
| aqua.serverURL | N/A | The endpoint URL of the Aqua management console |

| SECRET KEY | DESCRIPTION |
|---|---|
| aqua.username | Aqua management console username |
| aqua.password | Aqua management console password |