Container Vulnerability
The Lacework Platform provides the capability to scan container images for vulnerabilities at both build time and runtime. The Lacework CLI provides the lacework vulnerability container
sub-command with a number of capabilities to retrieve data about container vulnerability assessments. This command is intended for use by individuals or teams responsible for tracking and remediating vulnerabilities. It provides data to help with prioritizing vulnerability remediation, with the ability to sort assessments by what is actively running in the environment and to filter on vulnerabilities that have available fixes.
To view all container vulnerability assessments for your Lacework account for the last 24 hours (default):
lacework vulnerability container list-assessments
Additionally, you can filter results with the following flags:
--fixable
displays only vulnerabilities with fixes--repository
displays assessments for the specific repository
Note: You may pass this flag multiple times to filter on multiple repositories--registry
displays assessments for the specific registry--start
specifies the start of the time range in UTC (format:yyyy-MM-ddTHH:mm:ssZ
)--end
specifies the end of the time range in UTC (format:yyyy-MM-ddTHH:mm:ssZ
)--range
natural time range
You can specify different start and end times in one of the following formats:
- A relative time specifier
- RFC 3339 date and time
- Epoch time in milliseconds
To view all of the containers in your environment with vulnerabilities that have fixes.
lacework vulnerability container list-assessments --fixable
To request an on-demand container vulnerability scan.
lacework vulnerability container scan <registry> <repository> <tag|digest>
Where:
<registry>
is the container registry where the container image has been published<repository>
is the repository name that contains the container image<tag|digest>
could be, either a tag or an image digest to scan (digest format:sha256:1ee...1d3b
)
Scans can take up to 15 minutes to return results.
The following is an example of integrating the lacework vulnerability container
command into a CI pipeline. The specific example requests an on-demand container vulnerability scan and waits for the scan to complete (results will be displayed in the terminal):
lacework vulnerability container scan <registry> <repository> <tag|digest> --poll --noninteractive
The
--noninteractive
flag disables interactive progress bars. ⏲️
When the flag --poll
is specified, there are a few other flags you can use to modify the output of the assessment:
--fixable
displays only fixable vulnerabilities--packages
modifies the output format to show a list of packages with CVE count--html
generates a vulnerability assessment in HTML format--fail_on_fixable
returns a non-zero exit code if the assessed container has fixable vulnerabilities--fail_on_severity
allows you to specify a severity threshold to fail (return a non-zero exit code) if vulnerabilities are found
(available severities are critical, high, medium, low, and info)
To view a specific container vulnerability assessment use the command.
lacework vulnerability container show-assessment <sha256:hash>
You can extend the details of a vulnerability assessment by providing the flag --details
.
Additionally, there are a few more flags you can use to modify the output of the assessment:
--fixable
displays only fixable vulnerabilities--packages
modifies the output format to show a list of packages with CVE count--html
generates a vulnerability assessment in HTML format--csv
outputs the assessment in CSV format--fail_on_fixable
helps automated pipelines to fail if the assessed container has fixable vulnerabilities--fail_on_severity
allows you to specify a severity threshold to fail if vulnerabilities are found (available severities are critical, high, medium, low, and info)
Generate Static HTML Vulnerability Assessment
To provide developers with clear, actionable, insights to understand and remediate vulnerabilities, the Lacework CLI has the ability to generate static HTML files of container vulnerability assessments.
Use the flag --html
in the following commands:
lacework vulnerability container scan
lacework vulnerability container show-assessment
The result is a standalone HTML file that you can download and share with other teams without additional artifacts, and which looks exactly like the Lacework Console!