Aqua Security for Tanzu allows users to deploy an end-to-end solution for scanning, application assurance and runtime protection for their application workloads. It lets organizations apply security best practices early in the build process, so that only code that complies with their security and compliance policies is deployed.
Automatically Scan Application or Container Artifacts for Known Vulnerabilities
Application or container artifacts are scanned for vulnerabilities, secrets, and malware. Scans can be done directly from CI/CD tools (e.g. Jenkins, Visual Studio Team Services, Bamboo).
Prevent Deployment of Unapproved Application or Container Artifacts
Identify and block non-compliant application or container artifacts based on pre-configured assurance policies that check for: authorization, CVEs and score, presence of hard-coded secrets, presence of malware, compliance risks.
Monitor and Control Application Activity Based on Customized Runtime Policies
Block unapproved changes to application workloads, view network connections to apply firewall rules, and leverage audit trails of application activity, scan coverage, and system events.
Aqua Security for Tanzu
By applying full-lifecycle container security controls to application workloads at a very granular level, Aqua combines preventive and reactive controls to protect applications in runtime, detecting and blocking attacks, and providing granular visibility and audit trails for compliance.
The Aqua Cloud Native Security Platform integrates into the build pipeline to detect issues early in the application lifecycle and minimize the attack surface. It then monitors the runtime environment and prevents malicious activity using a whitelisting policy based on both declarative information and machine-learned behavior. It also integrates with LDAP/AD, secrets stores (e.g., HashiCorp, CyberArk), collaboration tools (e.g., Slack, PagerDuty) and SIEM tools (e.g., Splunk, Sumo Logic) to enable scalable enterprise security.

Aqua’s advanced runtime protection for PCF allows users to develop customized policies to control application activity, blocking unapproved changes to running workloads, and applying firewall rules that whitelist authorized network connections. Aqua Security for PCF also enables granular audit trails of access activity, scan events and coverage, application activity and system events.

Aqua empowers enterprises to:
- “Shift left” security, enabling DevSecOps to accelerate application delivery with full automation and no compromise on security
- Protect workloads in runtime against known vulnerabilities, zero-day exploits, malware, and insider threats
- Limit the impact of breaches with a container-level firewall
- Secure their applications once, and deploy them anywhere with no need to re-configure security policies and controls
- Meet regulatory compliance requirements such as PCI-DSS, HIPAA and GDPR
Available as a meta-buildpack for deploying native integration applications in any language.
Available as a
The buildpack is
with instructions for setup and operation.
“We are proud to extend Aqua’s security capabilities to Tanzu users, enabling them to seamlessly implement and automate strong security capabilities into their production-grade application workloads, and allowing them to more closely monitor and control application activity in their PCF environment.”
Upesh Patel, Vice President of Business Development, Aqua Security
- Developer runs a cf push command
- Meta buildpack is invoked and claims the build
- Meta buildpack invokes the relevant language buildpack
- Language buildpack claims the build and produces a droplet
- Meta buildpack invokes the Aqua Decorator
- Droplet contents are scanned by the Aqua Decorator; scan results are displayed in the Aqua dashboard/CI tool
- If droplet complies with the droplet Assurance Policy, the droplet is approved and an application is created
Runtime Enforcement is governed by policies defined in the Aqua Console
- User defines runtime policies in the Aqua console
- Policies are enforced in runtime by the Aqua agent installed as a BOSH add-on