
Local Scanning Quickstart

Overview

Building and deploying a containerized application involves many steps, so a complete container image lifecycle approach is key to managing software supply chain risks. The Lacework inline scanner integrates Lacework security capabilities deeply into your software supply chain workflows by letting you scan and assess Docker container images for vulnerabilities without checking them into a container registry.

How It Works

The inline scanner container registry integration performs an inline scan outside of Lacework. You can then configure the inline scanner to send a request to Lacework to assess the collected data. After you create an inline scanner integration in the Lacework Console, you can download and deploy the inline scanner as a binary within your development tool chain.

The inline scanner is triggered on demand within build chain workflows. The trigger could be, for example, the start of a new container image build in the CI pipeline, or a developer wanting to assess a build on their local machine. The inline scanner collects data about the container image according to your configured settings for what data to collect. Using the server token that was created when you integrated the inline scanner in the Lacework Console, the inline scanner sends an API request to Lacework for assessment. After the token is authorized, Lacework assesses the file data. View the results on the Vulnerability Assessment page in the Lacework Console. You can also configure additional output types.

You can download the inline scanner software from the Lacework GitHub Repository.

Upgrades

After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.

To keep the same behavior as before, perform one of the following options:

  • Run the configure data command and enter true for the "Save results in platform" option.
  • Use the LW_SCANNER_SAVE_RESULTS=true environment variable on your local or CI/CD system.
  • Use the --save flag when running the image evaluate or image scan commands.

Inline Scanner Operating System Support

The inline scanner can be run on the following operating systems:

For information about package assessment, see the Package Assessment Support section.

Lacework CLI Support for Inline Scanner

The inline scanner can also be run through the Lacework CLI by installing the vuln-scanner component.

See Get Started with the Lacework CLI for guidance.

Before you Begin

The Lacework inline scanner pulls and then scans an image locally (collecting the list of OS packages and language libraries in the image). The scanner sends the metadata to Lacework to generate the list of vulnerabilities and, optionally, to save the assessment report in your account.

Access to Lacework requires a valid access token and account name. Follow the instructions in Create an Inline Scanner Integration in Lacework to get this information.

Create an Inline Scanner Integration in Lacework

Creating an integration in the Lacework Console is the first step in setting up the inline scanner. To create an integration, follow these steps:

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Container Registries.
  3. Click + Add New.
  4. From the Registry Type drop-down, select Inline Scanner and click Next.
  5. Name the integration and click Next.
  6. Complete any optional settings and click Save.
    This displays a window that provides the inline scanner’s download URL and authorization token.
  7. Click the URL’s Copy to clipboard icon and paste it into a new browser window.
    This is where you download the inline scanner.
  8. Click the Authorization Token’s Copy to clipboard icon.
    This is the integration’s associated token. You need this to configure the inline scanner.

After you save the integration, its name is displayed on the Container Registries integrations page.

note

Inline Scanner Limits can be increased upon request.

Inline Scanner Settings

Setting Name | Description
Registry Type | Specify the registry type selected from the drop-down; in this case, select Inline Scanner.
Name | Specify a unique name to display for the integration in the Lacework Console.
Limit Number of Scans for this Integration | Select the maximum number of scans per hour that this integration can perform.
Identifier Tags | Specify tags as key:value pairs.

Get Started on Linux

This section guides you through the installation, configuration and first scan of a container image on Linux using the terminal. First, ensure the following prerequisites are met:

  1. Docker is running. Check that Docker is running by using:

    docker --version
  2. Your access token and account name. See Create an Inline Scanner Integration in Lacework.

Installation (Linux)

  1. Download the latest version of the Lacework inline scanner and save it as lw-scanner:

    info

    Download the version that matches your processor type.

    curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-386 -o lw-scanner
  2. Make lw-scanner executable by the user:

    chmod u+x lw-scanner
  3. Run the scanner:

    ./lw-scanner version

Get Started on Mac

This section guides you through the installation, configuration and first scan of a container image on Mac OS X using the terminal. First, ensure the following prerequisites are met:

  1. Docker is running on your Mac. If you use Homebrew, install Docker with the following command:

    brew install --cask docker

    Check that Docker is running:

    docker --version

    If the command above shows an error, look for Docker in Spotlight or in the application folder in Finder and run it.

  2. Your access token and account name. See Create an Inline Scanner Integration in Lacework.

Installation (Mac)

  1. Download the latest version of the Lacework inline scanner and save it as lw-scanner:

    curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-darwin-amd64 -o lw-scanner
  2. Make lw-scanner executable by the user:

    chmod u+x lw-scanner
  3. Run the scanner:

    ./lw-scanner version

    You may have to authorize the lw-scanner to run since it was downloaded from the internet.

Configuration on Linux / Mac

Authentication (Linux/Mac)

Configure the inline scanner to communicate with Lacework.

The authentication credentials (access token and account name) can be provided to the inline scanner through command line arguments or environment variables. A better option for local scans is to save them in your default configuration. To do so, use this command:

./lw-scanner configure auth

You will be prompted for your account name and access token.

View Current Configuration (Linux/Mac)

Use this command to view your current configuration:

./lw-scanner configure view

Save Assessment Reports to Lacework Console (Linux/Mac)

By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:

./lw-scanner configure data

Enter true for Save results in platform:

Example
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true

Enable Language Library Scanning (Linux/Mac)

To change whether language libraries are scanned or not, run:

./lw-scanner configure scanner

Override Default Configuration (Linux/Mac)

At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.

Scan a Public Image on Linux / Mac

Once your scanner is configured, you can scan your first image.

In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub (note that the image name and tag are passed as two separate arguments):

./lw-scanner image evaluate ubuntu 18.04

Example output:

Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!

Because the image did not exist locally, the inline scanner pulled it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework, and finally displayed the list of vulnerabilities found.

If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to log in, you can generate a similar version of the online assessment locally:

./lw-scanner image evaluate ubuntu 18.04 --html --html-file=ubuntu.html

You can open ubuntu.html in your browser to interact with the report.

To see the full list of options, check the inline help:

./lw-scanner image evaluate --help

Scan an Image from your Own Registry on Linux / Mac

In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.

There are 2 ways to provide the registry credentials:

  1. docker login: Log in to your registry with Docker so that the inline scanner can pull the image, and use your registry as the default source.

  2. Command arguments: Provide the credentials to your registry through the command line flags: --docker-username, --docker-password, and --docker-server.

    Example
    ./lw-scanner image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>
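As an added example that is not part of the Lacework documentation, the following POSIX shell wrapper ties together what the Upgrades, Save Assessment Reports, Scan a Public Image and Scan an Image from your Own Registry sections describe, in the form a CI job would use: splitting a "repo:tag" reference into the two arguments lw-scanner expects, honouring LW_SCANNER_SAVE_RESULTS, writing an HTML report, and passing private-registry flags. The LW_SCANNER_BIN, DOCKER_SERVER, DOCKER_USERNAME and DOCKER_PASSWORD variable names are assumptions made for this example, not scanner features.

```shell
#!/bin/sh
# Added example, not from the Lacework docs: a CI wrapper around lw-scanner.
# Assumes lw-scanner is on PATH (or named by LW_SCANNER_BIN) and that
# credentials were stored with `configure auth` or come from the environment.

# lw-scanner takes the image name and tag as two separate arguments
# ("ubuntu 18.04"), but CI usually hands over one "repo:tag" reference.
# Only a colon after the last "/" separates the tag, because a registry
# host may carry a port ("localhost:5000/app:1.2"). Digest references
# ("@sha256:...") are rejected: this page documents name/tag scans only.
split_image_ref() {
    ref=$1
    case $ref in
        *@*) echo "digest references are not supported: $ref" >&2; return 1 ;;
    esac
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:}; name=${ref%:"$tag"} ;;
        *)   tag=latest;      name=$ref ;;
    esac
    printf '%s %s\n' "$name" "$tag"
}

# Print the argument list for one scan, one argument per line. Results are
# saved to the Lacework Console only when LW_SCANNER_SAVE_RESULTS=true (the
# scanner's own variable); an HTML report is always written so the job can
# keep it as an artifact. Private-registry credentials are read from
# DOCKER_SERVER/DOCKER_USERNAME/DOCKER_PASSWORD (names assumed here) instead
# of being typed into the pipeline definition.
scan_args() {
    parts=$(split_image_ref "$1") || return 1
    name=${parts% *}
    tag=${parts##* }
    report="report-$(printf '%s_%s' "$name" "$tag" | tr '/:' '__').html"
    set -- image evaluate "$name" "$tag" --html "--html-file=$report"
    if [ "${LW_SCANNER_SAVE_RESULTS:-false}" = true ]; then
        set -- "$@" --save
    fi
    if [ -n "${DOCKER_SERVER:-}" ]; then
        set -- "$@" --docker-server "$DOCKER_SERVER" \
            --docker-username "$DOCKER_USERNAME" --docker-password "$DOCKER_PASSWORD"
    fi
    printf '%s\n' "$@"
}

# Run the scan for one reference and return lw-scanner's exit status, so a
# pipeline step can fail on it once `configure exit-codes` has been enabled.
scan_image() {
    args=$(scan_args "$1") || return 1
    # Re-split on newlines only (globbing off) so arguments keep their spaces.
    oldifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$oldifs
    "${LW_SCANNER_BIN:-lw-scanner}" "$@"
}
```

Call `scan_image myregistry.example/app:1.2` from the pipeline step after exporting the credential variables from the CI secret store; the HTML report lands next to the job as report-myregistry.example_app_1.2.html.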

Get Started on Windows

This section guides you through the installation, configuration and first scan of a container image on Windows 10 using the command line. First, ensure the following prerequisites are met:

  1. Docker is running.

    Follow the instructions at https://docs.docker.com/desktop/windows/install/ to download and install Docker Desktop for Windows.

  2. Your access token and account name. See Create an Inline Scanner Integration in Lacework.

Installation (Windows)

  1. Download the latest version of the Lacework inline scanner and save it as lw-scanner:

    curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-windows-amd64.exe -o lw-scanner.exe
  2. Run the scanner:

    lw-scanner.exe version

Configuration on Windows

Authentication (Windows)

Configure the inline scanner to communicate with Lacework.

The authentication credentials (access token and account name) can be provided to the inline scanner through command line arguments or environment variables. A better option for local scans is to save them in your default configuration. To do so, use this command:

lw-scanner.exe configure auth

You will be prompted for your account name and access token.

View Current Configuration (Windows)

Use this command to view your current configuration:

lw-scanner.exe configure view

Save Assessment Reports to Lacework Console (Windows)

By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:

lw-scanner.exe configure data

Enter true for Save results in platform:

Example
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true

Enable Language Library Scanning (Windows)

To change whether language libraries are scanned or not, run:

lw-scanner.exe configure scanner

Override Default Configuration (Windows)

At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.

Scan a Public Image on Windows

Once your scanner is configured, you can scan your first image.

In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub (note that the image name and tag are passed as two separate arguments):

lw-scanner.exe image evaluate ubuntu 18.04

Example output:

Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!

Because the image did not exist locally, the inline scanner pulled it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework, and finally displayed the list of vulnerabilities found.

If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to log in, you can generate a similar version of the online assessment locally:

lw-scanner.exe image evaluate ubuntu 18.04 --html --html-file=ubuntu.html

You can open ubuntu.html in your browser to interact with the report.

To see the full list of options, check the inline help:

lw-scanner.exe image evaluate --help

Scan an Image from your Own Registry on Windows

In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.

There are 2 ways to provide the registry credentials:

  1. docker login: Log in to your registry with Docker so that the inline scanner can pull the image, and use your registry as the default source.

  2. Command arguments: Provide the credentials to your registry through the command line flags: --docker-username, --docker-password, and --docker-server.

    Example
    lw-scanner.exe image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>

Get Started with the Lacework CLI

The inline scanner is provided as the vuln-scanner component in the Lacework CLI.

info

Ensure you have installed and configured the Lacework CLI before beginning.

Install the Inline Scanner Component

Run the following command to install the inline scanner component:

lacework component install vuln-scanner

You can check that it's installed by running lacework component list:

$ lacework component list

STATUS NAME VERSION DESCRIPTION
----------------+-------------------------+-----------+----------------------------------------------------------------------------
Not Installed vuln-scanner 0.23.2 Lacework inline scanner

Update the Inline Scanner Component

If there is a new version available, you can update the vuln-scanner by running the following command:

lacework component update vuln-scanner

Configuration (CLI)

Authentication (CLI)

You do not need to configure authentication when using the inline scanner through the Lacework CLI, as it is preconfigured.

If you do need to reconfigure, use the following command:

lacework vuln-scanner configure auth

You will then be prompted for your account name and access token.

View Current Configuration (CLI)

Use this command to view your current configuration:

lacework vuln-scanner configure view

Save Assessment Reports to Lacework Console (CLI)

By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:

lacework vuln-scanner configure data

Enter true for Save results in platform:

Example
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true

Enable Language Library Scanning (CLI)

To change whether language libraries are scanned or not, run:

lacework vuln-scanner configure scanner

Enable Exit Codes for Policy Violation (CLI)

To enable Exit Codes for Policy Violations, run:

lacework vuln-scanner configure exit-codes

Help

Add the -h or --help flag to any command to get more context on that command.

Scan a Public Image (CLI)

Once your scanner is configured, you can scan your first image.

In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub (note that the image name and tag are passed as two separate arguments):

lacework vuln-scanner image evaluate ubuntu 18.04

Example output:

Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!

Because the image did not exist locally, the inline scanner pulled it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework, and finally displayed the list of vulnerabilities found.

If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to log in, you can generate a similar version of the online assessment locally:

lacework vuln-scanner image evaluate ubuntu 18.04 --html --html-file=ubuntu.html

You can open ubuntu.html in your browser to interact with the report.

To see the full list of options, check the inline help:

lacework vuln-scanner image evaluate --help

Scan an Image from your Own Registry (CLI)

In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.

There are 2 ways to provide the registry credentials:

  1. docker login: Log in to your registry with Docker so that the inline scanner can pull the image, and use your registry as the default source.

  2. Command arguments: Provide the credentials to your registry through the command line flags: --docker-username, --docker-password, and --docker-server.

    Example
    lacework vuln-scanner image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>

Next steps

For a list of all available commands and features, see Integrate Inline Scanner.