Aqua Blog

Scan Container Images for Vulnerabilities & Hidden Malware with Aqua Wave

Scan Container Images for Vulnerabilities & Hidden Malware with Aqua Wave

With an ever-evolving threat landscape, bad actors increasingly target container infrastructure, installing sophisticated malware into images that changes its behavior to evade detection. As static scanning is not designed to spot such advanced threats, it’s critical to perform dynamic analysis to detect suspicious behavior in real time.

Image Scanning, the latest addition to Aqua, our SaaS-only edition, can perform static and dynamic scans of open source packages in your images, notify you of any known vulnerabilities, and discover unknown risks, such as hidden malware. After leveraging customer feedback to enhance this capability during preview mode, we’ve released it to GA. Let’s delve into what it includes.

Meet Aqua Image Scanning

With Image Scanning now available in Aqua, you can take advantage of both static vulnerability scanning and dynamic threat analysis for your cloud container registries. Aqua is the only integrated SaaS platform that discovers container image registries, scans images for vulnerabilities, and detects hidden malware threats within a seamless workflow.

Image Scanning includes:

  1. Vulnerability Scanning (VS) scans your container images to detect known CVEs and other security issues during the development cycle. It allows you to gain insights into your vulnerability posture and prioritize remediation and mitigation according to contextual risk. This capability uses the market-leading open source scanner Trivy and its comprehensive vulnerability tracking across both OS packages and language-specific dependencies.
  2. Dynamic Threat Analysis (DTA), the industry’s first container sandbox solution, complements Vulnerability Scanning to detect unknown and evasive threats. It dynamically assesses the risks of container images before they run in your production environment. DTA runs your container images in an isolated environment (sandbox) that monitors behavioral patterns and detects multiple Indicators Of Compromise (IOCs) such as container escapes, malware, crypto miners, code injection backdoors, network anomalies, and more. DTA also classifies detected behaviors into categories of the MITRE framework.

With Image Scanning, you gain a comprehensive picture of the security posture of your images and detailed, actionable insights into anomalous container behavior.

However, since new vulnerabilities and exploits are discovered and published every day, even if you deployed your application without a vulnerability today, at some point in the future a new vulnerability may come out for a particular component within it. This means that applying scanning once on-push is not enough. To address this, Aqua re-scans your images daily using vulnerability scanning to ensure you are always aware of new risks as soon as they become known.

What Else is New?

SaaS User Experience

Is designed for a self-service user experience, so it’s very easy to get started and run image scanning. It takes just seconds to set up a 14-day trial account and only minutes to onboard your registries, start scanning, and see results. The entire process takes just a few clicks. I’ll show how it works later in the post.

Supported platforms

Image Scanning now provides support for four types of cloud registries: Amazon Elastic Container Registry, Azure Container Registry, Google Container Registry, and Docker Hub. In the coming months, we plan to add support for on-premise registries too.

Aqua Image Score

With this release, we also introduced a brand-new feature, Aqua Score. It represents a security evaluation of an image that combines the findings from vulnerability scanning and dynamic threat analysis, making it easier to understand its overall security risk. I’ll explore this new concept in more detail later.

Assurance policies

You can now define assurance policies by multiple parameters, such as CVE score, severity, deny list, DTA, and Aqua Score.

Integration with Aqua Vulnerability Database (AVD)

We integrated Image scanning with Aqua Vulnerability Database (AVD) so that you can get a full description of the vulnerabilities that are discovered in your images. AVD provides details and remediation guidance for CVEs in open source applications and cloud native infrastructure by bringing together the data from NVD and multiple software vendor advisories, amplified with the analysis by Aqua’s threat research team Nautilus.

How to Get Started with Image Scanning

Let’s go through the process of how to onboard a registry and start scanning. In this example, I’ll connect an Amazon ECR registry, but the same flow applies to all other types of supported registries as well.

  1. If you’re a new customer, register for a free trial.
  2. You will see the welcome page. To try out image scanning, click on “Connect Image Registry”.
    Wave_Welcome page
  3. You’ll be redirected to the flow of connecting a registry. In our knowledge base, you can learn more about connecting container registries for image scanning.
  4. Follow the instructions on screen, run the CloudFormation script generated, and enable scanning.
  5. Will automatically start to run the image scanning in the background.
  6. Here you can see the scanning results – this page describes the health of your images. With just a few clicks, you get an overview of vulnerabilities and malicious threats in your environment and can explore them in more detail by drilling down on specific results.
    Aqua Wave Scanning Results

Assess Your Images with Aqua Image Score

When managing a live container environment, many teams struggle to identify projects that use high vulnerability images. To address this, we came up with a completely new concept within the Aqua ecosystem, Image Score. By aggregating findings discovered by both of our scanning engines (VS and DTA), this risk indicator leverages all our knowledge about each specific image.

The image score evaluates the overall security risk of an image by assigning it a letter grade between “A” and “F”. Like in the US schools, an “A” will be given to an excellent student (a highly secure image, with little to no significant vulnerabilities), while an “F” will go to a bad one (extremely vulnerable images that should be addressed first).

So how does Aqua calculate the score? CVEs discovered during the static scanning are assessed by multiple parameters, such as their numerical score, attack vector, exploit indicator, and their fix indicator. Dynamic image analysis evaluates detected risks based on the Aqua DTA severity model. The resulting numerical score is between 0 and 100 and then is mapped to a letter grade using the table below:

Grade Score Range
A 90-100
B 80-90
C 70-80
D 60-70
F Below 60

By bringing together all these findings, Image Score provides an easy way to assess the overall security posture of your images and gain a clear understanding of the riskiest ones. You can use Image Score while building reports or setting up assurance policies. For example, you can create a policy that blocks all the images with a grade below “C”.


Deploying containers based only on trusted images should be a key part of your overall cloud native security strategy. By detecting hidden threats in images and vulnerabilities in OS packages and application dependencies, Image Scanning gives you full visibility into the security health of your images. Being SaaS-based, provides effortless scanning capabilities for teams of any size. As you saw, it’s very easy to use – just sign up and run.

Ehud Amiri
Ehud Amiri is a Senior Director of Product Management at Aqua Security, leading the Aqua cloud services. Ehud is passionate about delivering easy to use cyber security products and cross-pollinating product designs with innovating technologies. When he isn’t at work, he enjoys a good sci-fi book or traveling and meeting people around the world.