Container Registry Support
Docker Hub integrations support:
- Auto polling - polling occurs every 15 minutes
- On-demand scans via the API
- Only v2 format is supported
Navigate to Docker Hub Integration
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container registries.
- Click + Add New.
- Click Docker Hub.
- Click Next.
- Follow the steps in the next section.
Integrate with Docker Hub
To integrate Docker Hub with Lacework, follow these steps:
- Configure the registry and complete any optional settings.
- Click Save. The integration status displays Integration Successful only after its first assessment completes.
- Verify that assessments have started by viewing the table in Vulnerabilities > Containers.
After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.
|Field|Description|
|---|---|
|Name|Specify a unique name for the container registry in the Lacework Console.|
|User Name|Specify a Docker user that has at least read-only permissions to the Docker Hub container repositories that you want to assess for vulnerabilities. NOTE: This must be in username format and not your email address. Docker uses organizations and teams to grant permissions. The following example explains how to grant permissions in Docker: 1) Create a Docker organization called MyCompany and in that organization create a team called MyGroup. 2) Add the user to the MyGroup team. 3) For all the repositories that have container images that you want to assess for vulnerabilities give at least read-only permissions to the MyGroup team. For more information, see the following topics in the Docker documentation: Create and manage organizations, Create and manage users, and Create and manage teams in https://docs.docker.com/.|
|Password|Specify the password for the specified Docker Hub user. Alternatively, you can use personal access tokens to access Hub images from the Docker CLI. For details, see Managing Access Tokens.|
|Registry Domain|This field is prepopulated with the URL of Docker Hub, index.docker.io.|
|Limit Image Tags|If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND. Single wildcards are also supported and can be used to match multiple image tags (for example:|
|Limit Image Labels|If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input:|
|Limit Repositories|If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.|
|Images per Repo|Select the maximum number of newest container images to discover/assess per repository. NOTE: Do not include the registry in the repository name(s).|
|Non-OS Package Support|This feature is enabled by default. Select No if you want to disable scanning of language libraries.|
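
A pre-check for the User Name and Password fields, as an added example that is not part of the Lacework or Docker documentation: it requests a Docker Hub registry token for one repository and reads which actions the token grants, so you can confirm the account can pull before saving the integration. It assumes Docker Hub lists the granted actions in the token's `access` claim, as the Distribution token specification describes; the repository name `mycompany/app` and the sample token are constructed.

```python
"""Added example: check what a Docker Hub account may do on one repository."""
import base64
import json
import urllib.parse
import urllib.request

AUTH_URL = "https://auth.docker.io/token"  # Docker Hub token service

def fetch_token(user, secret, repo):
    """Ask for pull AND push; the token should list only the actions held."""
    query = urllib.parse.urlencode(
        {"service": "registry.docker.io", "scope": f"repository:{repo}:pull,push"})
    basic = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req = urllib.request.Request(f"{AUTH_URL}?{query}",
                                 headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]

def granted_actions(token, repo):
    """Read (without verifying the signature) the actions granted on repo."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    actions = set()
    for entry in claims.get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repo:
            actions.update(entry.get("actions") or [])
    return actions

def classify(actions):
    """Map granted actions to a verdict for the integration account."""
    if "pull" not in actions:
        return "cannot-read"      # the account cannot pull this repository
    if actions - {"pull"}:
        return "more-than-read"   # pull works, but the account holds more
    return "read-only"

def constructed_token(access):
    """Build an unsigned, constructed JWT-shaped string for offline use."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"access": access}), "sig"])

if __name__ == "__main__":
    sample = constructed_token(
        [{"type": "repository", "name": "mycompany/app", "actions": ["pull"]}])
    print(classify(granted_actions(sample, "mycompany/app")))
```

Against the live service, pass the result of `fetch_token(user, secret, repo)` to `granted_actions` for each repository you plan to list under Limit Repositories.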