Aqua Security Scanner

The Jenkins project announced an unresolved security vulnerability affecting the current version of this plugin (why?):

Description

Adds a Build Step for scanning Docker images, local or hosted on registries, for security vulnerabilities, using the API provided by Aqua Security

Changelog:

Version 3.2.9 (Jul 14, 2025)

  • Resolved an issue where the custom scanner path is not respected during local image scans.

Version 3.2.8 (Apr 1, 2025)

The image scanning now includes two options for Aqua registry authentication to pull the scanner image:

  • Manual authentication to the registry hosting scanner image: Perform manual authentication during the build process
  • Username/Password for authentication to the registry hosting scanner image: Enter the username and password of the registry hosting scanner image

Version 3.2.7 (Dec 11, 2024)

  • Added rootless podman support to scan images using podman.
  • Added Podman socket directory (applicable to non-root users) in build job configurations which accepts runtime directory.

Version 3.2.6 (Sep 30, 2024)

  • Added Hide base image vulnerabilties flag for all scan types in build job configurations.

Version 3.2.5 (Sep 14, 2023)

  • Fix [SLK-69159] StringIndexOutOfBoundsException occuring inconsistently when scanning images.

Happened because of we are not handling String.substring() properly, Now its handled.

Version 3.2.4 (Jun 14, 2023)

  • Fix JENKINS-71287 plugin is overriding reports when several builds\jobs are running in parallel
  • Update the Action Menu items added by the plugin to contain the scanned image name.

Version 3.2.2 (Feb 02, 2023)

  • For each assurance policy failure, show the name of the specific controls that failed.

Version 3.2.1 (Feb 25, 2022)

  • Made localToken an optional field which accepts string value in pipeline syntax.

Version 3.2 (Jan 19, 2022)

  • Added support of aqua scanner token for authentication at the global and job level settings.

Version 3.1.2 (Sept 16, 2021)

  • Added custom container runtime scanning support with following optional fields:
    1. containerRuntime
    2. scannerPath

Version 3.1.1 (Sept 15, 2021)

  • Reverted the container runtime support added in 3.1.0 due to backward compatibility support.

Version 3.1.0 (Sept 15, 2021)

  • Added custom container runtime scanning support

Note: Please add empty values("") for following parameters in pipeline

  1. containerRuntime
  2. scannerPath

Version 3.0.25 (May 31, 2021)

  • Updates for cloudbees
  • Fix issue with css for cloudbees

Version 3.0.24 (Jan 21, 2021)

  • Update css static file
  • Fix issue with stappler logging error

Version 3.0.23 (Nov 17, 2020)

  • Adding docker archive support for scanning tar files.
  • Fix issue with scanner report has random string

Version 3.0.22 (May 26, 2020)

  • Adding support for DTA scan results.

Version 3.0.21 (Oct 29 19, 2019)

  • Migrate to GitHub docs

Version 3.0.19 (Oct 29 19, 2019)

  • Remove scanner default image

Version 3.0.18 (Sep 19, 2019)

  • Jenkins global configuration improvements

Version 3.0.17 (June 17, 2019)

  • Update scanner default version to 4.2 and changing global settings checkbox text

Version 3.0.16 (April 5, 2019)

  • Adding encryption in the persisted in forms Url/User/Pass**
    **

Version 3.0.15 (March 14, 2019)

  • Adding support for custom flags.

Version 3.0.14 (November 25, 2018)

  • Change default registry.

Version 3.0.13 (November 25, 2018)

  • Allow "Register" checkbox on local and hosted images.**
    **

Version 3.0.12 (October 22, 2018)

  • Bug fix: Fixing error when job name have space.**
    **

Version 3.0.11 (September 20, 2018)

  • Adding support for --policies force use of provided image assurance policies (local scans only)**
    **

Version 3.0.10 (September 13, 2018)

  • Report build ID,build URL,build name from the running Jenkins Job to Aqua Console.**
    **

Version 3.0.9 (August 28, 2018)

  • Support html output without lower jenkins security in the script console.
  • Change default version to 3.x

Version 3.0.8 (August 6, 2018)

  • Adding support for k8s jenkins plugin.

Version 3.0.7 (June 18, 2018)

  • Adding support for --no-verify. (Do not verify TLS certificates)

Version 3.0.6 (May 13, 2018)

  • Adding multiple images artifact archive support.**
    **

Version 3.0.5 (April 30, 2018)

  • Bug fix: Fixing policy not saved on UI.
  • Bug fix: Fixing password masking when runOptions is set.
  • Adding support to register remote images.

Version 3.0.3 (April 9, 2018)

  • Bug fix: plugin archive the entire working directory.

Version 3.0 (March 19, 2018)

  • Support for Jenkins pipeline. 

Version 2.0 (February 6, 2017)

  • Two new checkboxes in the step definition control whether base image vulnerabilities are hidden (for hosted images only) and whether negligible vulnerabilities are shown.
  • Additional options for the "docker run" command running the scanner can be specified in the "Configure System" page.
  • If the plugin has not been configured in the "Configure System" page, a message is displayed directing the user to do so.
  • Multiple Aqua Scanner steps in a build are now supported, each resulting in its own output.

Version 1.3.3 (October 15, 2016)

  • A shell command to be run when the scanned image does not comply with Aqua policy, can be specified.

Version 1.3.2 (September 11, 2016)

  • Bug fix:. could not run steps from 1.3 without re-saving configuration.

Version 1.3.1 (August 22, 2016)

  • In the build page, there are now icons display the scan results.
  • The artifacts are now archived automatically and there is no need for the "Archive the artifacts" post-build step.
  • In the build step, you can decide whether the build fails or not, when the scanned image does not comply with Aqua policy.

Version 1.3 (July 29, 2016)

  • Aqua's scanner image can be set in the global configuration.
  • Artifact is now an HTML report.

Version 1.1 (June 19, 2016)

  • First release.