🤖 Overview

aqua_products is a legitimate web crawler operated by Aqua Security, a cloud-native security company. Its primary purpose is to collect publicly accessible product version information, dependency metadata, and software bill-of-materials (SBOM) data from websites and code repositories. The gathered data feeds directly into Aqua’s cloud security platform to enable automated vulnerability scanning, license compliance checks, and risk assessment for container images and serverless applications.

🌐 Technical Behavior

The aqua_products bot performs targeted HTTP/HTTPS GET requests to common endpoints such as /package.json, /requirements.txt, /Dockerfile, and version‑specific pages. It uses a configurable crawl depth (default 2) and respects Cache‑Control and ETag headers to minimise redundant fetches. According to Aqua’s official documentation (published at docs.aquasec.com/vulnerability‑scanning/crawler), the bot employs a crawl delay of 10 seconds between successive requests to the same host. IP ranges are documented in Aqua’s support portal: the bot originates from 35.222.15.0/24 and 34.69.0.0/16. The crawler supports both HTTP/1.1 and HTTP/2, and it includes a User‑Agent that clearly identifies itself for transparency.

📋 robots.txt Compliance

The aqua_products bot fully honors robots.txt directives, as confirmed in Aqua Security’s “Crawler Behaviour” knowledge base article (accessed via success.aquasec.com). It reads the file at the root of each domain before crawling and respects Disallow rules for paths like /admin, /api, and any path containing private. If a Crawl‑delay directive is present, the bot respects the specified delay value.

🔍 Detection Indicators

The primary User‑Agent string is “aqua_products/1.0 (compatible; Aqua Security; +https://www.aquasec.com/crawler-info)”. Secondary variants include “aqua_products/2.0” and “AquaBot/1.0”. Fingerprint: the bot always sends an Accept header of text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 and a custom header X‑Aqua‑Crawl set to true. It does not modify query parameters or submit forms.

📊 Data Usage

Collected product version data is ingested into Aqua’s vulnerability management engine to match against known CVEs (e.g., CVE‑2024‑27198). The SBOM information is used to generate accurate CycloneDX or SPDX reports for customer compliance audits. No personally identifiable information (PII) is retained; all raw crawl data is deleted after 30 days per Aqua’s published privacy policy.

⚙️ Rate Limiting Policy

Although aqua_products is a legitimate crawler, it is rate‑limited by network administrators because its scheduled scans can generate thousands of requests across large domains within a short window. Aqua recommends setting a threshold of 100 requests per minute per IP and blocking only if the bot exceeds that limit without a crawl‑delay directive, to ensure fair resource usage for all site visitors.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.