Skip to main content

FAQs - Agentless Workload Scanning

Which cloud providers are supported for agentless scanning?

See Supported Cloud Providers.

It will be supported on Azure in the future.

Which operating systems are supported for agentless scanning?

See Supported Operating Systems.

What container image formats are supported by agentless?

See Supported Container Image Formats.

Which file systems are supported for agentless scanning?

See Supported File Systems.

See the following sections:

What is the minimum CPU and memory required for agentless scanning?

Agentless scanning does not require CPU and memory from your active workloads. It uses its own serverless cluster and configures its own CPU and memory limits that are optimized for cost-savings.

What is the maximum supported volume size for agentless scanning?

There is no limit on the volume size.

Is scanning supported for a specific type of workload?

You can specify a Lacework Query Language (LQL) query to select or filter workloads when you configure or edit your agentless workload scanning integration in the Lacework console at Settings > Integrations > Cloud accounts.

In the future, we plan to support example queries for targeting tags and other types of identifiers.

Does agentless scanning support container vulnerabilities?

Yes, any container images located on your cloud resources (such as running EC2 instances) are scanned for vulnerabilities.

This only applies to Agentless integrations with the Scan containers option set to true.

How can I change the agentless scanning frequency?

  1. In Settings > Integrations > Cloud accounts, select your agentless scanning integration. This displays the details of the integration.
  2. Click the Edit button.
  3. Change the frequency in the Scan Frequency (hours) field.

More frequent scans can result in higher AWS costs for snapshotting and periodic scanning.

How can I view the host scan results?

  1. Select Vulnerabilities > Hosts to view host vulnerabilities in your environment.
  2. Apply the Scanner Type: Agentless filter (when Group by Host is active) to view host scan results from agentless workload scanning integrations.

How can I view the container scan results?

  1. Select Vulnerabilities > Container to view container vulnerabilities in your environment.
  2. Apply the Scanner Type: Agentless filter (when Group by Image ID is active) to view image scan results from Agentless Workload Scanning integrations.

Is the AWS Scanning Account also scanned when integrating an AWS Organization?

Yes, currently the AWS Scanning Account (Scanning AWS Account ID during CloudFormation integrations) is also included for Agentless Workload Scanning.

This nuance applies to Organization integrations where the list of Monitored Accounts is provided. The AWS Scanning Account is currently monitored by default, but this behavior will change in the future.

Is the GCP Scanning Project also scanned when integrating a GCP Organization?

For project integrations, the GCP Scanning Project is not included by default for Agentless Workload Scanning unless it is explicitly mentioned in the monitored projects list.

For organization integrations, the GCP Scanning Project is included but can be excluded explicitly via the filter list.

Does agentless scanning detect active container images?

It depends, agentless scanning will attempt to detect whether your container images are active or not. This is done by examining the container configuration files on disk and comparing the start and finished times for the containers. If that time is within the most recent scan period, then the associated image will be considered active. Note that there are situations where container runtimes will not persist a container configuration after the container is finished, and thus the agentless scan will miss information about that image.

Lacework will detect active images on a host with high fidelity if you have an Agent installed.

Does agentless scanning on container images detect host operating system kernel packages?

Yes, Agentless scanning currently detects vulnerabilities on host operating system kernel packages.

This is different to regular container scanning (through Platform, Proxy, or Inline Scanners) where these packages are excluded from scans.

How do I upgrade the agentless scanning service?

Agentless scanning is a SaaS feature. As such, upgrades are automatic.

What is the default agentless scanning frequency?

The default scanning frequency is defined when configuring the Agentless Workload Scanning integration in the Lacework Console (Single Account or Organization).

Hosts and Container images are assessed for vulnerabilities every 24 hours, so increasing the scanning frequency beyond that is not currently recommended.

Does agentless scan Kubernetes persistent volumes?

No, agentless does not yet scan persistent volumes in Kubernetes, namely those volumes tagged with

What volumes does agentless scan on a host?

Agentless only scans the root volume of a host for vulnerabilities.

How does Lacework scan encrypted volumes?

The scanning infrastructure runs in your account, so you can securely delegate key management privileges to the role that is invoked to run the scan.

Which storage drivers for Docker are supported by agentless?

Currently, only the recommended storage driver (overlay2) is supported for Docker container images.

Can agentless scanning add custom tags to the snapshots it creates?

Yes, see the installation method and cloud provider specific documents for how custom tags are used.

For AWS integrations, how are the VPC and VPC Internet Gateway used?

During scanning, the VPC allows connections to the Lacework API to send diagnostic information and check for changes to the scanning configuration. Changes might include an update to the scanning frequency or if the scan filter is updated.

Connections to the Lacework API are also used to stream on-demand scanning requests made from the Lacework Console or CLI. The security group and network ACLs deny public access from the Internet through the VPC and internet gateway.

The VPC CIDR block can also be customized within CloudFormation or Terraform.