
Integrate Proxy Scanner with JFrog Registry - Auto Polling

Deploy a proxy scanner that integrates with your JFrog registry using auto polling to provide container vulnerability assessments.

Create a Proxy Scanner Integration in Lacework

To set up a proxy scanner, you must first create an integration in the Lacework Console. To create an integration:

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container Registries.
  3. Click + Add New.
  4. From the Registry Type drop-down, select Proxy Scanner and click Next.
  5. Complete the required settings.
  6. Click Save.
    Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner.
  7. Click the Authorization Token’s copy to clipboard icon.
    This is the integration’s associated token. You need this to configure the proxy scanner.

Configure the Proxy Scanner

Scanning behavior

All repositories and images within the Artifactory domain will be scanned using this configuration.

Use the template below to create a config.yml file that will be used by the proxy scanner.

Template for two JFrog Artifactory Docker repositories

    scan_public_registries: false
    static_cache_location: /opt/lacework
    lacework:
      account_name: <my-lacework-account-name>
      integration_access_token: <my-lacework-access-token>
    registries:
      - domain: <my-jfrog-artifactory-domain>
        name: <name-for-registry-integration>
        ssl: true
        auto_poll: true
        credentials:
          user_name: "jfrog-user-name"
          password: "jfrog-user-password"
        poll_frequency_minutes: 20
        disable_non_os_package_scanning: false
        go_binary_scanning:
          enable: true

Adjust the values for the following settings to match your repository and environment:

  • account_name: Your Lacework account name. This can be found as part of the URL used to access your Lacework Console (for example: https://specializedsoftware.lacework.net). However, do not include the .lacework.net or https:// portions when entering the account name.
  • integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
  • domain: Adjust the domain to your JFrog environment. Do not include the http(s):// portion in the domain.
    • Use the same domain that you use for Docker login. For example:
      • If you log into Docker using dockerHost:Port, use domain: dockerHost:Port.
      • If you log into Docker using dockerHost, use domain: dockerHost.
  • name: Add a unique name for the registry integration.
  • ssl: Set to true if your JFrog domain is configured with HTTPS, or false if configured with HTTP.
  • auto_poll: Set to true as the proxy scanner is being configured for auto polling.
  • credentials:
    • user_name: Provide your JFrog registry username.
    • password: Provide your JFrog registry user password or access token.
  • poll_frequency_minutes: Set the auto poll frequency in minutes. Minimum frequency is 20 minutes.
  • disable_non_os_package_scanning: Change to true if you want to disable scanning of Language Libraries (non-OS packages).
  • go_binary_scanning:
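The most common mistakes in this file are the ones the list above warns about: a scheme or `.lacework.net` left in `account_name`, a scheme in `domain`, `auto_poll` not set, or a poll frequency below the 20-minute minimum. The following script is an added example (not Lacework's code) that checks a config.yml against those rules; the config is a constructed dict standing in for `yaml.safe_load(open("config.yml"))`, and the `artifactory.example.com:8082` host is a made-up sample.

```python
# Added example, not part of the Lacework proxy scanner: sanity-check the
# config.yml values against the rules stated in this page before starting it.
from urllib.parse import urlsplit

MIN_POLL_MINUTES = 20  # page: minimum auto poll frequency


def account_name_from_console_url(url: str) -> str:
    # 'https://acme.lacework.net' -> 'acme' (no scheme, no .lacework.net)
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.removesuffix(".lacework.net")


def strip_scheme(domain: str) -> str:
    # Drop http(s)://, keep host[:port] exactly as used for 'docker login'
    return domain.split("://", 1)[-1]


def validate_config(cfg: dict) -> list[str]:
    """Return the problems found; an empty list means the config passes."""
    problems = []
    lw = cfg.get("lacework", {})
    acct = lw.get("account_name", "")
    if "://" in acct or acct.endswith(".lacework.net"):
        problems.append(f"account_name should be '{account_name_from_console_url(acct)}'")
    if not lw.get("integration_access_token"):
        problems.append("integration_access_token is missing")
    for reg in cfg.get("registries", []):
        dom = reg.get("domain", "")
        if "://" in dom:
            problems.append(f"domain should be '{strip_scheme(dom)}' (no scheme)")
        if reg.get("auto_poll") is not True:
            problems.append(f"{dom}: auto_poll must be true for auto polling")
        if reg.get("poll_frequency_minutes", 0) < MIN_POLL_MINUTES:
            problems.append(f"{dom}: poll_frequency_minutes must be >= {MIN_POLL_MINUTES}")
        creds = reg.get("credentials", {})
        if not (creds.get("user_name") and creds.get("password")):
            problems.append(f"{dom}: credentials.user_name and password are required")
    return problems


# Constructed sample carrying the mistakes the page warns about.
SAMPLE_CONFIG = {
    "lacework": {"account_name": "https://specializedsoftware.lacework.net",
                 "integration_access_token": "<my-lacework-access-token>"},
    "registries": [{"domain": "https://artifactory.example.com:8082",
                    "name": "jfrog-docker", "ssl": True, "auto_poll": True,
                    "credentials": {"user_name": "jfrog-user-name",
                                    "password": "jfrog-user-password"},
                    "poll_frequency_minutes": 5}],
}

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG):
        print("config.yml:", problem)
```

Running it against the sample reports three problems (account name, domain scheme, poll frequency); fix them in config.yml until the list is empty, then start the container.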

Deploy the Proxy Scanner

Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.

  1. Using the Docker client CLI, pull the Lacework image:

    docker pull lacework/lacework-proxy-scanner:latest
  2. Create a writeable container layer and start the image:

    docker run \
    --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache \
    -v `pwd`/config.yml:/opt/lacework/config/config.yml \
    -p 8080:8080 \
    lacework/lacework-proxy-scanner

    where
    "$(pwd)"/cache is the persistent storage location where you want to store cache
    `pwd`/config.yml is your configuration file location

    Example
    docker run \
    --mount type=bind,source=/YourHostDirectoryPath/cache,target=/opt/lacework/cache \
    -v /YourHostDirectoryPath/config.yml:/opt/lacework/config/config.yml \
    -p 8080:8080 \
    lacework/lacework-proxy-scanner:latest

    For debugging purposes, add -e LOG_LEVEL=debug:

    docker run -e LOG_LEVEL=debug -d --mount ...

    Available LOG_LEVEL options = error|warn|debug

Check Scanning Results

Check the scan results in the Lacework Console - Container Vulnerability (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.