
Aqua Security (Server)

Aqua Security (Server) is an on-premises container security tool that provides workload protection and security for containers, Kubernetes, and serverless applications. You can bring container, host, and security data from Aqua into Brinqa to construct a unified view of your attack surface, thus strengthening your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Aqua Server and how to obtain that information from Aqua. See create a data integration for step-by-step instructions on setting up the integration.

info

The Aqua Server connector differs from the Aqua SaaS connector only in its authentication method. Instead of an API key and API secret, the Aqua Server connector uses a username and password. The underlying APIs, data retrieved, operation options, and data mappings remain the same as the Aqua SaaS connector.

Required connection settings

When setting up a data integration, select Aqua Server from the Connector drop-down. If you cannot find the connector in the drop-down, make sure you have installed it first. You must provide the following information to authenticate Aqua with Brinqa:

  • Server URL: The API Server URL. The default URL format is http://<server_name>.net:8080. If the Aqua console is served over TLS, use an https:// URL; with a plain http:// URL the username, password, and session token travel over the network unencrypted.

  • Username and Password: The username and password associated with the Aqua user, which must have permissions to log in to the API server and return data.

    Aqua role and permissions

    The Auditor role is a read-only role and is considered to be the minimum role needed to read and retrieve data from the Aqua API. For additional information, see Aqua Platform documentation on creating users and roles and permissions.

Additional settings

The Aqua Server connector contains additional options for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.

  • Parallel requests: The maximum number of parallel API requests. The default setting is 4.

  • Skip certificate verification: Select this option to allow for untrusted certificates. This disables TLS certificate validation for the connection, so the credentials and session token can be read by anyone able to interpose on the path to the Aqua server. Prefer adding the server's self-signed or internal CA certificate to the trust store and leave this option cleared in production.
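The three settings above (page size capped at 100, a bounded number of parallel requests, and the certificate-verification switch) decide how a collector talks to the Aqua API. The following is an added example, not Brinqa connector code or Aqua code, showing how those limits translate into a client: page 1 is fetched to learn the total, the remaining pages are pulled by a pool of at most four workers, the page size is clamped to 100, and the TLS switch is shown for what it is (accept any certificate). It takes an already-obtained session token; the login step is not shown because the page does not document the sign-in endpoint. The `page`/`pagesize` query parameters, the `{"count": ..., "result": [...]}` reply shape, and the `Authorization: Bearer` header are assumptions about the API, and the in-memory fetcher is a constructed stand-in so the code runs offline.

```python
"""Paged, bounded-parallel collection from Aqua Server list endpoints.

Added example for this page; it is not Brinqa connector code or Aqua code.
Assumptions the page does not state: the v2 list endpoints take `page` and
`pagesize` query parameters, reply with JSON of the form
{"count": <total>, "result": [...]}, and accept the session token as
`Authorization: Bearer <token>`. The limits (page size capped at 100, four
parallel requests by default) and the certificate-verification switch are
the connector settings described above.
"""
import json
import math
import ssl
import urllib.request
from concurrent.futures import ThreadPoolExecutor

MAX_PAGE_SIZE = 100       # the connector documentation says not to exceed 100
DEFAULT_PARALLEL = 4      # default "Parallel requests"


def build_ssl_context(skip_certificate_verification: bool) -> ssl.SSLContext:
    """Mirror the connector's "Skip certificate verification" switch.

    With verification skipped, any certificate is accepted, so anyone who can
    interpose on the path to the Aqua server can read the bearer token.
    """
    ctx = ssl.create_default_context()
    if skip_certificate_verification:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_http_fetcher(server_url: str, token: str,
                      skip_certificate_verification: bool = False):
    """Return fetch(path, page, pagesize) -> dict backed by a real HTTP call."""
    ctx = build_ssl_context(skip_certificate_verification)
    base = server_url.rstrip("/")

    def fetch(path: str, page: int, pagesize: int) -> dict:
        url = f"{base}{path}?page={page}&pagesize={pagesize}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",  # assumed token scheme
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)

    return fetch


def collect_all(fetch, path: str, page_size: int = MAX_PAGE_SIZE,
                parallel: int = DEFAULT_PARALLEL) -> list:
    """Fetch every record behind `path`.

    Page 1 is fetched alone to learn the total; the remaining pages are
    derived from `count` and pulled by at most `parallel` workers. Output
    keeps page order because ThreadPoolExecutor.map preserves input order.
    If the reply carries no `count`, pages are walked one at a time until a
    short page, which is slower but cannot silently truncate the result.
    """
    page_size = max(1, min(int(page_size), MAX_PAGE_SIZE))  # clamp to the documented limit
    first = fetch(path, 1, page_size)
    items = list(first.get("result", []))
    total = first.get("count")
    if total is None:
        page, last = 2, items
        while len(last) == page_size:
            last = list(fetch(path, page, page_size).get("result", []))
            items.extend(last)
            page += 1
        return items
    pages = math.ceil(int(total) / page_size) if total else 1
    if pages > 1:
        with ThreadPoolExecutor(max_workers=max(1, int(parallel))) as pool:
            for body in pool.map(lambda p: fetch(path, p, page_size),
                                 range(2, pages + 1)):
                items.extend(body.get("result", []))
    return items


def make_fake_fetcher(records: list, with_count: bool = True):
    """Constructed in-memory stand-in for the server so the example runs
    offline; it records every call so paging behaviour can be inspected."""
    calls = []

    def fetch(path: str, page: int, pagesize: int) -> dict:
        calls.append((path, page, pagesize))
        start = (page - 1) * pagesize
        body = {"page": page, "pagesize": pagesize,
                "result": records[start:start + pagesize]}
        if with_count:
            body["count"] = len(records)
        return body

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    sample = [{"id": f"c{i}", "name": f"container-{i}"} for i in range(250)]  # constructed
    fetch = make_fake_fetcher(sample)
    got = collect_all(fetch, "/api/v2/containers", page_size=500)  # 500 is clamped to 100
    print(f"{len(got)} records in {len(fetch.calls)} requests: {fetch.calls}")
```

Against a real server, replace `make_fake_fetcher(...)` with `make_http_fetcher(server_url, token)`; the paging logic is unchanged. Passing `skip_certificate_verification=True` reproduces the connector's switch and should be confined to test environments.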

Types of data to retrieve

The Aqua Server connector can retrieve the following types of data from the Aqua API:

Table 1: Data retrieved from Aqua

Connector Object | Required | Maps to Data Model
---------------- | -------- | ------------------
Container | Yes | Container
Container Image | Yes | Container Image
Function | No | Not mapped
Host | Yes | Host
Vulnerability | Yes | Vulnerability
Vulnerability Definition | Yes | Vulnerability Definition

info

For detailed steps on how to view the data retrieved from Aqua in the Brinqa Platform, see How to view your data.

Attribute mappings

Expand the sections below to view the mappings between the source and the Brinqa data model attributes.

Container

Table 2: Container attribute mappings

Source Field Name | Maps to Attribute
----------------- | -----------------
account_id | Local variable
agent_exists | Local variable
aqua_service | Local variable
assurance_results | Local variable
cluster_name | Local variable
compliant | Local variable
container_type | type
create_time | firstSeen
critical | Local variable
high | Local variable
have_secrets | Local variable
host_enforcer_group | Local variable
host_id | targets, Local variable
host_lname | Local variable
host_name | host
id | uid
image_assurance_compliant | Local variable
image_digest | Local variable
image_id | Local variable
image_name | image
is_disallowed | Local variable
is_evaluated | Local variable
is_privileged | Local variable
is_profiling | Local variable
is_registered | Local variable
is_root | Local variable
ke_exists | Local variable
last_vuln_time_seen | Local variable
level3 | Local variable
low | Local variable
malware | Local variable
medium | Local variable
modify_time | lastSeen
mutable | Local variable
name | name
namespace_name | Local variable
network_mode | Local variable
origin_image_name | Local variable
owner_name | owner
permission | Local variable
registry_image_name | Local variable
risk | riskScore
risk_level | Local variable
runtime_malware_count | Local variable
runtime_profile_name | Local variable
scan_status | Local variable
secrets | Local variable
sensitive | Local variable
server_digest | Local variable
start_time | firstSeen
status | status
system_container | Local variable
total | Local variable
valid_digest | Local variable
vulnerabilities | Local variable
vulnerability_risk | Local variable

Container Image

Table 3: Container Image attribute mappings

Source Field Name | Maps to Attribute
----------------- | -----------------
assurance_results | Local variable
asset_type | Local variable
author | author
blacklisted | Local variable
cf_org | Local variable
cf_space | Local variable
created | firstSeen, sourceCreatedDate
disallowed | disallowed
digest | digest
docker_id | Local variable
dta_severity_score | Local variable
dta_skipped | Local variable
dta_skipped_reason | Local variable
first_scan_failed | Local variable
high_vulns | Local variable
image_build_date | Local variable
image_uid | Local variable
labels | Local variable
low_vulns | Local variable
malware | Local variable
metadata | Local variable
microenforcer_detected | Local variable
mutable | Local variable
name | uid, name
neg_vulns | Local variable
newer_image_exists | Local variable
os | operatingSystem
os_version | osVersion
parent_layers_id | Local variable
partial_results | Local variable
pending_disallowed | Local variable
permission | Local variable
permission_lastupdate | Local variable
policy_failures | Local variable
registry | registry
registry_type | registryType
repository | repository
scan_date | lastAssessed, lastSeen
scan_error | scanError
scan_status | scanStatus
security_findings | Local variable
sensitive_data | Local variable
size | Local variable
tag | tag
type | Local variable
vulns_found | Local variable
whitelisted | whitelisted

Host

Table 4: Host attribute mappings

Source Field Name | Maps to Attribute
----------------- | -----------------
account_id | Local variable
cloud_info | mapped
cluster_id | Local variable
created_date | sourceCreatedDate
id | uid
is_agentless | agentless
is_enforced | enforced
is_gateway_exists | gatewayExists
name | name
node_id | uid
permission | Local variable
security_issues | mapped
status | Local variable
type | Local variable

Vulnerability

Table 5: Vulnerability attribute mappings

Source Field Name | Maps to Attribute
----------------- | -----------------
acknowledgeScope | Local variable
acknowledgedAuthor | Local variable
acknowledgedDate | Local variable
ackExpirationConfiguredAt | Local variable
ackExpirationConfiguredBy | Local variable
ackExpirationDays | Local variable
baseImageName | Local variable
baseImageVulnerability | Local variable
cloudFoundryApplication | Local variable
cloudFoundryOrganization | Local variable
cloudFoundrySpace | Local variable
cluster | Local variable
container | Local variable
customSeverity | customSeverity
deployment | Local variable
enforcerGroup | Local variable
firstFound | firstFound
hasNetworkAttackVector | Local variable
heuristicRefId | Local variable
imageDigest | targets, imageDigest
imageName | targets, imageName
imageUid | targets, imageUid
lastFound | lastFound
layerId | Local variable
licenses | Local variable
namespace | namespace
nvdCvssv2Severity | Local variable
nvdCvssv2Vectors | Local variable
nvdCvssv3Score | Local variable
nvdCvssv3Severity | Local variable
nvdCvssv3Vectors | Local variable
organizationName | Local variable
os | Local variable
osVersion | Local variable
publishDateSource | Local variable
qualysIds | Local variable
referencedBy | Local variable
registry | Local variable
repositoryId | Local variable
repositoryName | Local variable
resource | results, affected
resourceArch | Local variable
resourceHash | Local variable
resourcePath | Local variable
resourceType | Local variable
runningWorkloadsCount | runningWorkloadsCount
scanId | Local variable
severity | sourceSeverity
siblingPackage | Local variable
solution | recommendation
status | providerStatus, sourceStatus, status
temporalVector | Local variable
vendorCvssv2Score | Local variable
vendorCvssv2Severity | Local variable
vendorCvssv2Vectors | Local variable
vendorCvssv3Score | Local variable
vendorCvssv3Severity | Local variable
vendorCvssv3Vectors | Local variable
vulnerabilityId | Local variable
vulnerabilityName | name, type, cveIds, cveRecords
vulnerabilityResourceId | Local variable
workloads | hasRunningWorkloads

Vulnerability Definition

Table 6: Vulnerability Definition attribute mappings

Source Field Name | Maps to Attribute
----------------- | -----------------
aquaEvalScore | Local variable
aquaScore | Local variable
aquaUniqueId | Local variable
aquaVectors | Local variable
cisaDueDate | cisaDueDate
cisaPublishedDate | cisaAddedDate
classification | classification
cpe | affected
description | description
epssPercentile | epssPercentile
epssScore | epssScore
exploitAvailability | exploitability, references
exploitType | cisaExploited, exploitability, exploitType
fixVersion | fixedVersion
format | Local variable
hasNetworkAttackVector | Local variable
installedVersion | affectedVersion
modificationDate | sourceLastModified
nvdCvssv2Score | cvssV2BaseScore
nvdUrl | references
publishDate | publishedDate
remoteExploit | remoteExploit
resource | results, affected
severity | severity, sourceSeverity, severityScore
vendorCvssv3Severity | vendorSeverity
vendorStatement | vendorStatement
vendorUrl | references
vulnerabilityName | name, type, cveIds, cveRecords

Local variable

Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models. They only exist on the source data model.

Data lifecycle management (DLM) strategy

The following table details the DLM strategy for the Aqua Server connector:

Table 7: Aqua Server DLM strategy

Connector Object | Inactivity Condition | Purge Policy | Summary
---------------- | -------------------- | ------------ | -------
Container | LAST_SEEN NOT IN LAST 7 DAYS | 30 days after inactivity | Uses the LAST_SEEN attribute to identify containers that have not been seen within the last 7 days, and then purges the records after 30 days of inactivity.
Container Image | LAST_SEEN NOT IN LAST 7 DAYS | 30 days after inactivity | Uses the LAST_SEEN attribute to identify container images that have not been seen within the last 7 days, and then purges the records after 30 days of inactivity.
Host | LAST_SEEN NOT IN LAST 7 DAYS | 30 days after inactivity | Uses the LAST_SEEN attribute to identify hosts that have not been seen within the last 7 days, and then purges the records after 30 days of inactivity.
Vulnerability | LAST_CAPTURED NOT IN LAST 7 DAYS | 30 days after inactivity | Uses the LAST_CAPTURED attribute to identify vulnerabilities that have not been captured within the last 7 days, and then purges the records after 30 days of inactivity.
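To make the strategy in Table 7 concrete, the following added example (not Brinqa code) evaluates sample records against the two thresholds. It reads "30 days after inactivity" as counting from the moment the record first met the inactivity condition, so a container last seen exactly 37 days ago is purgeable; confirm that reading against your own Brinqa instance. Objects with no row in Table 7 (Function, Vulnerability Definition) are reported as unmanaged, and a managed record that lacks its timestamp attribute is reported for review rather than aged out, which is this example's own choice. ISO 8601 timestamp strings are an assumption about the stored form; the records are constructed.

```python
"""Evaluate the Aqua Server DLM strategy (Table 7) against sample records.

Added example, not Brinqa code. "N days after inactivity" is read here as N
days counted from the moment the record first met the inactivity condition,
so purge becomes possible 7 + 30 days after the last sighting. Timestamps are
assumed to be ISO 8601 strings; the records in the demo are constructed.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_WINDOW = timedelta(days=7)       # "NOT IN LAST 7 DAYS"
PURGE_AFTER_INACTIVE = timedelta(days=30)   # "30 days after inactivity"

# Attribute each object's inactivity condition reads, from Table 7. Objects
# absent here (Function, Vulnerability Definition) are not aged out.
INACTIVITY_ATTRIBUTE = {
    "Container": "LAST_SEEN",
    "Container Image": "LAST_SEEN",
    "Host": "LAST_SEEN",
    "Vulnerability": "LAST_CAPTURED",
}


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp. A trailing 'Z' is accepted on every
    supported Python version, and a naive value is treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def dlm_state(object_type: str, record: dict, now: datetime) -> str:
    """Classify one record as 'unmanaged', 'review', 'active', 'inactive' or 'purge'.

    'review' marks a managed record whose timestamp attribute is missing: it is
    flagged instead of being silently treated as fresh or stale (this example's
    own choice, not something the page specifies).
    """
    attr = INACTIVITY_ATTRIBUTE.get(object_type)
    if attr is None:
        return "unmanaged"
    raw = record.get(attr)
    if not raw:
        return "review"
    age = now - parse_timestamp(raw)
    if age < INACTIVITY_WINDOW:
        return "active"                       # seen within the last 7 days
    if age - INACTIVITY_WINDOW < PURGE_AFTER_INACTIVE:
        return "inactive"                     # inactive, but under 30 days of it
    return "purge"                            # 30 or more days of inactivity


def dlm_report(object_type: str, records: list, now: datetime) -> dict:
    """Bucket records by DLM state, listing each record's uid."""
    summary = {s: [] for s in ("active", "inactive", "purge", "review", "unmanaged")}
    for rec in records:
        summary[dlm_state(object_type, rec, now)].append(rec.get("uid"))
    return summary


if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    images = [  # constructed records
        {"uid": "img-1", "LAST_SEEN": "2024-06-30T00:00:00Z"},   # 1 day old
        {"uid": "img-2", "LAST_SEEN": "2024-06-10T00:00:00Z"},   # 21 days old
        {"uid": "img-3", "LAST_SEEN": "2024-04-01T00:00:00Z"},   # 91 days old
        {"uid": "img-4"},                                         # no timestamp
    ]
    for state, uids in dlm_report("Container Image", images, now).items():
        print(f"{state:10s} {uids}")
```

Run it with a fixed `now` when checking policy behaviour, as above, so the boundary cases (exactly 7 days, exactly 37 days) are reproducible.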

Operation options

The Aqua Server connector supports the following operation options. See connector operation options for information about how to apply them.

Table 8: Aqua connector operation options

Connector Object | Option | All Possible Values | Description | Example
---------------- | ------ | ------------------- | ----------- | -------
Container Image | name | Any container image name | Retrieves only container images with the specified name. | Key: name, Value: kubernetes. Retrieves only container images named kubernetes.
Container Image | repository | Any container image repository | Retrieves only container images from the specified repository. | Key: repository, Value: angular-spring. Retrieves only container images from the angular-spring repository.
Vulnerability | exploit_availability | available, not available | Filters vulnerabilities by whether or not they have an exploit available, as determined by Aqua. | Key: exploit_availability, Value: available. Retrieves only vulnerabilities that have an exploit available.
Vulnerability | exploit_type | dos, local, remote, web apps | A comma-separated list of exploit types. Filters vulnerabilities by their exploit type. | Key: exploit_type, Value: dos,remote. Retrieves only vulnerabilities with the dos or remote exploit type.
Vulnerability | include_vpatch_info | 1 | Retrieves suppressed findings from Aqua. | Key: include_vpatch_info, Value: 1. Includes suppressed findings in the retrieved data.
Vulnerability | namespace_names | Any Aqua resource namespace name | A comma-separated list of namespace names. Retrieves only vulnerabilities from the specified namespaces. For additional information on namespaces, see the Aqua documentation. | Key: namespace_names, Value: default,kube-system,kube-public. Retrieves only vulnerabilities from those three namespaces.
Vulnerability Definition | asset_types | images, hosts, functions, code repositories, containers, vms, kubernetes resources | A comma-separated list of asset types. Filters vulnerabilities by the type of asset they are associated with. | Key: asset_types, Value: hosts,images. Retrieves only vulnerabilities associated with hosts or images.
Vulnerability Definition | exploit_availability | available, not available | Filters vulnerabilities by whether or not they have an exploit available, as determined by Aqua. | Key: exploit_availability, Value: available. Retrieves only vulnerabilities that have an exploit available.
Vulnerability Definition | exploit_type | dos, local, remote, web apps | A comma-separated list of exploit types. Filters vulnerabilities by their exploit type. | Key: exploit_type, Value: dos,remote. Retrieves only vulnerabilities with the dos or remote exploit type.
Vulnerability Definition | include_vpatch_info | 1 | Retrieves suppressed findings from Aqua. | Key: include_vpatch_info, Value: 1. Includes suppressed findings in the retrieved data.

note

The option keys and values are case-sensitive as they are shown in this documentation.

APIs

The Aqua Server connector uses the Aqua Enterprise API v2. Specifically, it uses the following endpoints:

Table 9: Aqua API Endpoints

Connector Object | API Endpoints
---------------- | -------------
Container | GET /api/v2/containers
Container Image | GET /api/v2/images/
Function | GET /api/v2/serverless/functions
Host | GET /api/v2/infrastructure
Vulnerability | POST /api/v2/risks/vulnerabilities/exporters/hosts/export
 | GET /api/v2/risks/vulnerabilities/exporters/hosts/jobs/<exportId>
 | POST /api/v2/risks/vulnerabilities/exporters/hosts/stream
Vulnerability Definition | POST /api/v2/risks/vulnerabilities/exporters/hosts/export
 | GET /api/v2/risks/vulnerabilities/exporters/hosts/jobs/<exportId>
 | POST /api/v2/risks/vulnerabilities/exporters/hosts/stream

Changelog

The Aqua Server connector has undergone the following changes:

Table 10: Aqua Server connector changelog

Version | Description
------- | -----------
4.0.3 | Added the NAMESPACE attribute to the Vulnerability object. Added a new operation option to filter vulnerabilities by their namespace name: namespace_names.
4.0.2 | Enhanced the connector to retrieve suppressed findings from Aqua. As a result, the following operation option has been added to the Vulnerability object: include_vpatch_info.
4.0.1 | Added the HAS_RUNNING_WORKLOADS and RUNNING_WORKLOADS_COUNT attributes to the Vulnerability object.
4.0.0 | Transitioned the Aqua Server connector to fully use the Aqua Enterprise API v2 to enhance performance and reliability. Added two new operation options to filter vulnerabilities: exploit_availability and exploit_type.
3.1.3 | Added support for Data lifecycle management to the Container, Container Image, Host, and Vulnerability objects.
3.1.2 | Fixed an issue where the Vulnerability Definition object sync was failing.
3.1.1 | No change.
3.1.0 | No change.
3.0.3 | Fixed an issue where Container Images were not correctly parsing Docker labels, preventing these labels from being added to the tags.
3.0.2 | Added two new attributes, EXPLOITABILITY and EXPLOIT_TYPE, to the Vulnerability Definition object.
3.0.0 | Initial Integration+ release.