Aqua Security for PCF
This topic describes the Aqua Security for PCF tile.
As a PCF operator, you can download and install the Aqua Security for PCF tile to deploy the Aqua Command Center in your PCF environment, which security teams can then use to set policies that determine whether your PCF droplets meet your organization’s security policies and may be deployed. As a developer, you can perform security scanning of your PCF applications at build time with immediate feedback about vulnerabilities and open source licenses in your code, all while complying with corporate GRC policies.
Aqua Security enables enterprises to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security. Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance.
Aqua Security for PCF enables customers to automatically scan droplets using the Aqua Decorator buildpack. It supports more than forty languages, including Java, Go, C++, Python, Ruby, and NodeJS, as well as static binaries. Aqua then either allows or prevents the droplets’ transition to the running environment, based on the scan results matched against your organization’s security policy. In addition, users can view detailed droplet risk information directly from within their preferred CI/CD tool (for example, Concourse, Jenkins, or TeamCity).
With Aqua Security for PCF, you can benefit from these capabilities:
- Scan droplets for known vulnerabilities based on data from multiple resource feeds (public CVEs, vendor-issued, proprietary vulnerability data streams, and malware)
- Block unauthorized droplets based on droplet assurance policies, for example:
  - Stop unknown droplets
  - Stop droplets by CVEs and score
  - Detect and stop droplets with hardcoded secrets
- Add custom compliance checks (bash, OPAL, and PowerShell-based)
- View actionable information on how to mitigate detected vulnerabilities
- Gain visibility into droplet vulnerabilities directly from CI tools (for example, Concourse, Jenkins, TeamCity, Bamboo, and Microsoft VSTS) and the Aqua dashboard
- Scan Docker registries to identify unregistered containers
The following table provides version and version-support information about Aqua Security.
|Element|Details|
|---|---|
|Release date (GA)|March 19, 2019|
|Software component version|1.0.0|
|Compatible Ops Manager version(s)|v2.1.x, v2.2.x, v2.3.x, and v2.4.x|
|Compatible Pivotal Application Service version(s)|v2.1.x, v2.2.x, v2.3.x, and v2.4.x|
|BOSH stemcell version|Ubuntu Xenial|
|IaaS support|All platforms|
WARNING: Aqua Security for PCF v0.8.9 and earlier require an Ubuntu Trusty stemcell. The end-of-life date for Ubuntu Trusty is April 2019. If a security vulnerability is found on this stemcell after April, it will not be fixed.
Aqua Security for PCF has the following requirements:
For help with troubleshooting this product, contact Aqua Security Support.