Aqua Vulnerability Scanning is a service that scans container images for known vulnerabilities (CVEs), allowing security teams to assess and mitigate potential risks. The service engine is based on Aqua’s open-source Trivy, an easy-to-use scanner that can be integrated into CI/CD processes. As new vulnerabilities are published every day, it’s important to cover both pre-production applications in the CI/CD process and post-production applications scanned from image registries using the Aqua Vulnerability Scanning service.
The following terms are key in understanding the scan results:
Resources and vulnerabilities: Applications running on top of container images have dependencies on packages that might have known vulnerabilities. When scanning images, the service analyzes these packages and dependencies and checks whether they are vulnerable. The scan results include the "image-resources-vulnerabilities" relationship for each scanned image, so you can trace the vulnerability source.
Fixable vulnerabilities: Vulnerabilities that have an available official fix are marked as fixable. In addition, the earliest version of the fixed package appears in the results, to help you remediate the vulnerability by upgrading. You can filter the image scan results to view only the fixable vulnerabilities.
Vulnerability severity: The vulnerability severity is mapped from NVD CVSS v3 or CVSS v2 for vulnerabilities that were published before 2015.
The mapping to the severity is:
- Critical: 10.0 – 9.0
- High: 8.9 – 7.0
- Medium: 6.9 – 4.0
- Low: 3.9 - 0