aqua-security-scanner plugin | Can't use Additional Docker run options


      Summary

      After upgrading the Jenkins Aqua Security Scanner Plugin from version 3.2.5 to 3.2.10,
      we encountered an issue when scanning local Docker images.

      Additional Docker run options, especially proxy-related environment variables,
      are no longer passed to the scanner container. This causes the container to be
      unable to connect to Aqua Console and CyberCenter in restricted network environments.


      Working behavior in 3.2.5

      In version 3.2.5, additional Docker run options were correctly applied.

      Example Docker command (simplified):

      docker run \
        -e BUILD_JOB_NAME=... \
        -e BUILD_URL=... \
        -e BUILD_NUMBER=... \
        --env HTTP_PROXY=http://192.168.95.***:1985/ \
        --env HTTPS_PROXY=http://192.168.95.***:1985/ \
        --env NO_PROXY=aqua.s*k.com,192.168.117.185,192.168.0.0/8 \
        --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        registry.aquasec.com/scanner:2022.4.805 \
        scan -host https://aqua.***.com/ -local dotnet/dhcd/dhcd-api:4.0.0-sit

      The scanner container could successfully connect to Aqua services.


      Broken behavior in 3.2.10

      In version 3.2.10, the same job generates a Docker command without proxy environment variables.

      docker run \
        -e BUILD_JOB_NAME=... \
        -e BUILD_URL=... \
        -e BUILD_NUMBER=... \
        --rm \
        -v /var/run/docker.sock:/var/run/docker.sock \
        registry.aquasec.com/scanner:2022.4.805 \
        scan -host https://aqua.****.com/ -local dotnet/dhcd/dhcd-api:4.0.2-sit

      As a result, the scanner fails to reach Aqua CyberCenter:

      failed validating CyberCenter connection:
      Get "https://cybercenter5.aquasec.com/":
      dial tcp: lookup cybercenter5.aquasec.com: i/o timeout


      Root cause analysis

      This regression appears to have been introduced by the changes made to support
      rootless Podman image scanning.

      The logic that conditionally applies runOptions now skips them in some cases,
      which unintentionally affects the Docker runtime path.

      As a result, Docker-specific options such as proxy environment variables
      are no longer passed to the scanner container.


      Proposed fix

      Restore runOptions for the Docker runtime while keeping the intended behavior
      for Podman rootless (socket-based) scanning unchanged.

      This ensures backward compatibility for Docker users and avoids breaking
      enterprise environments that rely on HTTP/HTTPS proxies.
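      The following is an added illustration of the option handling this report asks for, written here as a small POSIX shell script; it is not the plugin's own code. Function names, the runtime selector values, and the sample proxy values are assumptions: the Docker runtime path always forwards the job's additional run options, and only the Podman rootless (socket-based) path leaves them out. The second function is the kind of post-upgrade check an administrator can run against the command a job actually generated to confirm that the proxy variables survived.

```shell
#!/bin/sh
# Added illustration of the run-option handling described in the report; not the
# plugin's code. build_scanner_cmd and missing_proxy_opts are hypothetical names.

# build_scanner_cmd RUNTIME IMAGE [RUN_OPTION...]
# Prints the scanner command line on one line for the given runtime.
build_scanner_cmd() {
  runtime=$1
  image=$2
  shift 2
  case "$runtime" in
    docker)
      printf 'docker run'
      # Docker path: forward every additional run option (e.g. --env HTTP_PROXY=...)
      for opt in "$@"; do
        printf ' %s' "$opt"
      done
      printf ' -v /var/run/docker.sock:/var/run/docker.sock'
      ;;
    podman-rootless)
      # Rootless Podman socket-based path: run options intentionally not applied,
      # which is the behaviour the report wants to keep unchanged for Podman.
      printf 'podman run'
      ;;
    *)
      echo "build_scanner_cmd: unknown runtime '$runtime'" >&2
      return 2
      ;;
  esac
  printf ' --rm %s scan\n' "$image"
}

# missing_proxy_opts CMD
# Prints the proxy variables that CMD does not set; empty output means none missing.
# Intended as a check against the command line a Jenkins job actually generated.
missing_proxy_opts() {
  cmd=$1
  missing=""
  for var in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
    case "$cmd" in
      *"$var="*) ;;                    # variable is present
      *) missing="$missing $var" ;;    # variable is absent
    esac
  done
  printf '%s\n' "${missing# }"
}

# Constructed sample values (not taken from the report).
SAMPLE_IMAGE=registry.aquasec.com/scanner:2022.4.805
SAMPLE_PROXY=http://proxy.example.internal:3128/

demo() {
  cmd=$(build_scanner_cmd docker "$SAMPLE_IMAGE" \
        --env "HTTP_PROXY=$SAMPLE_PROXY" \
        --env "HTTPS_PROXY=$SAMPLE_PROXY" \
        --env "NO_PROXY=aqua.example.internal,10.0.0.0/8")
  printf 'generated: %s\n' "$cmd"
  missing=$(missing_proxy_opts "$cmd")
  if [ -z "$missing" ]; then
    echo "proxy check: OK"
  else
    echo "proxy check: missing $missing"
  fi
}

demo
```

      Running the script prints the Docker command with all three proxy variables and "proxy check: OK"; feeding missing_proxy_opts the 3.2.10 command shown above instead reports HTTP_PROXY, HTTPS_PROXY and NO_PROXY as absent, which is a quick way to confirm the regression from a job's console output.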


      Impact

      This issue blocks image scanning in environments where outbound network access
      requires a proxy, which is a common enterprise setup.

            Assignee:
            Moshe Cohen
            Reporter:
            Ho