Skip to main content

Container Vulnerability

The Lacework Platform provides the capability to scan container images for vulnerabilities at both build time and runtime. The Lacework CLI provides the lacework vulnerability container sub-command with a number of capabilities to retrieve data about container vulnerability assessments. This command is intended for use by individuals or teams responsible for tracking and remediating vulnerabilities. It provides data to help with prioritizing vulnerability remediation, with the ability to sort assessments by what is actively running in the environment and to filter on vulnerabilities that have available fixes.

To view all container vulnerability assessments for your Lacework account for the last 24 hours (default):

lacework vulnerability container list-assessments

Additionally, you can filter results with the following flags:

  • --fixable displays only vulnerabilities with fixes
  • --repository displays assessments for the specific repository
    Note: You may pass this flag multiple times to filter on multiple repositories
  • --registry displays assessments for the specific registry
  • --start specifies the start of the time range in UTC (format: yyyy-MM-ddTHH:mm:ssZ)
  • --end specifies the end of the time range in UTC (format: yyyy-MM-ddTHH:mm:ssZ)
  • --range natural time range

You can specify different start and end times in one of the following formats:

  • A relative time specifier
  • RFC 3339 date and time
  • Epoch time in milliseconds

To view all of the containers in your environment with vulnerabilities that have fixes.

lacework vulnerability container list-assessments --fixable

To request an on-demand container vulnerability scan.

lacework vulnerability container scan <registry> <repository> <tag|digest>

Where:

  • <registry> is the container registry where the container image has been published
  • <repository> is the repository name that contains the container image
  • <tag|digest> could be, either a tag or an image digest to scan (digest format: sha256:1ee...1d3b)
note

Scans can take up to 15 minutes to return results.

The following is an example of integrating the lacework vulnerability container command into a CI pipeline. The specific example requests an on-demand container vulnerability scan and waits for the scan to complete (results will be displayed in the terminal):

lacework vulnerability container scan <registry> <repository> <tag|digest> --poll --noninteractive

The --noninteractive flag disables interactive progress bars. ⏲️

When the flag --poll is specified, there are a few other flags you can use to modify the output of the assessment:

  • --fixable displays only fixable vulnerabilities
  • --packages modifies the output format to show a list of packages with CVE count
  • --html generates a vulnerability assessment in HTML format
  • --fail_on_fixable returns a non-zero exit code if the assessed container has fixable vulnerabilities
  • --fail_on_severity allows you to specify a severity threshold to fail (return a non-zero exit code) if vulnerabilities are found
    (available severities are critical, high, medium, low, and info)

To view a specific container vulnerability assessment use the command.

lacework vulnerability container show-assessment <sha256:hash>

You can extend the details of a vulnerability assessment by providing the flag --details.

Additionally, there are a few more flags you can use to modify the output of the assessment:

  • --fixable displays only fixable vulnerabilities
  • --packages modifies the output format to show a list of packages with CVE count
  • --html generates a vulnerability assessment in HTML format
  • --csv outputs the assessment in CSV format
  • --fail_on_fixable helps automated pipelines to fail if the assessed container has fixable vulnerabilities
  • --fail_on_severity allows you to specify a severity threshold to fail if vulnerabilities are found (available severities are critical, high, medium, low, and info)

Generate Static HTML Vulnerability Assessment

To provide developers with clear, actionable, insights to understand and remediate vulnerabilities, the Lacework CLI has the ability to generate static HTML files of container vulnerability assessments.

Use the flag --html in the following commands:

  • lacework vulnerability container scan
  • lacework vulnerability container show-assessment

The result is a standalone HTML file that you can download and share with other teams without additional artifacts, and which looks exactly like the Lacework Console!