Aqua Security for PCF

This topic describes the Aqua Security for PCF tile.

As a PCF operator, you can download and install the Aqua Security for PCF tile to deploy the Aqua Command Center in your PCF environment, which security teams can then use to set policies that determine whether your PCF droplets meet your organization’s security policies and may be deployed. As a developer, you can perform security scanning of your PCF applications at build time with immediate feedback about vulnerabilities and open source licenses in your code, all while complying with corporate GRC policies.


Aqua Security enables enterprises to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security. Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance.

Aqua Security for PCF enables customers to automatically scan droplets using the Aqua Decorator buildpack. It supports more than forty languages, including Java, Go, C++, Python, Ruby, and NodeJS, as well as static binaries. Aqua then either allows or prevents the droplets’ transition to the running environment, based on the scan results matched against your organization’s security policy. In addition, users can view detailed droplet risk information directly from within their preferred CI/CD tool (e.g. Concourse, Jenkins, or TeamCity).

Key Features

With Aqua Security for PCF, you can benefit from these capabilities:

  • Scan droplets for known vulnerabilities based on data from multiple resource feeds (public CVEs, vendor-issued, proprietary vulnerability data streams, and malware)
  • Block unauthorized droplets based on droplet assurance policies, for example:
    • Stop unknown droplets
    • Stop droplets by CVEs and score
    • Detect and stop droplets with hardcoded secrets
  • Add custom compliance checks (bash, OPAL, and PowerShell-based)
  • View actionable information on how to mitigate detected vulnerabilities
  • Gain visibility into droplet vulnerabilities directly from CI tools (e.g. Concourse, Jenkins, TeamCity, Bamboo, Microsoft VSTS) and the Aqua dashboard
  • Scan Docker registries to identify unregistered containers

Product Snapshot

The following table provides version and version-support information about Aqua Security.

| Element | Details |
|---|---|
| Tile version | 1.0.0 |
| Release date (GA) | March 19, 2019 |
| Software component version | 1.0.0 |
| Compatible Ops Manager version(s) | v2.1.x, v2.2.x, v2.3.x, and v2.4.x |
| Compatible Pivotal Application Service version(s) | v2.1.x, v2.2.x, v2.3.x, and v2.4.x |
| BOSH stemcell version | Ubuntu Xenial |
| IaaS support | All platforms |

WARNING: Aqua Security for PCF v0.8.9 and earlier require an Ubuntu Trusty stemcell. The end-of-life date for Ubuntu Trusty is April 2019. If a security vulnerability is found on this stemcell after April, it will not be fixed.


Aqua Security for PCF has the following requirements:

A purchased or thirty-day trial license provided by Aqua Security. You can request a trial license here or by emailing Aqua Security Sales.


If you have a feature request, questions, or information about a bug, please email the Pivotal Cloud Foundry Feedback list or send an email to Aqua Security Support.


For help with troubleshooting this product, contact Aqua Security Support.
