
Integrate Proxy Scanner with JFrog Registry - Notification/On-demand

Deploy a proxy scanner that integrates with your JFrog registry using a webhook (for registry notifications) or on-demand scans to provide container vulnerability assessments.

Create a Proxy Scanner Integration in Lacework

To set up a proxy scanner you must first create an integration in the Lacework Console. To create an integration:

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container Registries.
  3. Click + Add New.
  4. From the Registry Type drop-down, select Proxy Scanner and click Next.
  5. Complete the required settings.
  6. Click Save.
    Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner.
  7. Click the Authorization Token’s copy to clipboard icon.
    This is the integration’s associated token. You need this to configure the proxy scanner.

Configure the JFrog Registry Repository

  1. Navigate to the Administration module and click Repositories.
  2. Create a new local Docker repository and provide a Repository Key (for example: docker-quickstart-local).
  3. Leave the remaining options on their default settings.
  4. Click Save & Finish.

Configure the Proxy Scanner

  1. Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.

  2. Select the repository key that you created in Configure the JFrog Registry Repository (for example: docker-quickstart-local).

  3. Use the configuration details from this repository to help create a config.yml file that will be used by the proxy scanner.

    Example
    scan_public_registries: false
    static_cache_location: /opt/lacework
    default_registry:
    lacework:
      account_name: lacework-account
      integration_access_token: authorization-token
    registries:
      - domain: DOMAIN_NAME:PORT/artifactory/apt/docker/REGISTRY_NAME
        name: JFrog-integration
        ssl: true
        auto_poll: false
        is_public: false
        credentials:
          user_name: "userinregistry"
          password: "password"
        notification_type: jfrog
        disable_non_os_package_scanning: false
        go_binary_scanning:
          enable: true

    Adjust the values for the following settings to match your repository and environment:

    • account_name: Your Lacework account name. This can be found as part of the URL used to access your Lacework Console (for example: https://specializedsoftware.lacework.net). However, do not include the .lacework.net or https:// portions when entering the account name.
    • integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
    • domain: Adjust the domain and registry name to match your JFrog environment. Take the value from the URL to file entry that JFrog shows for the repository.
      • Use the same domain that you use for Docker login. For example:
        • If you log into Docker using dockerHost:Port, use domain = dockerHost:Port.
        • If you log into Docker using dockerHost, use domain = dockerHost.
    • name: Add a unique name for the registry integration.
    • ssl: Set to true if your JFrog registry is served over HTTPS. For an HTTPS registry, do not append port 443 to the domain; set ssl to true instead.
    • auto_poll: Set to false or omit this field from your config (as the proxy scanner is being configured for registry notification).
    • credentials:
      • user_name: Provide your JFrog registry username.
      • password: Provide your JFrog registry user password or access token.
    • disable_non_os_package_scanning: Change to true if you want to disable scanning of Language Libraries (non-OS packages).
    • go_binary_scanning:

Deploy the Proxy Scanner

Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.

  1. Using the Docker client CLI, pull the Lacework image:

    docker pull lacework/lacework-proxy-scanner:latest
  2. Create a writeable container layer and start the image:

    docker run \
      --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache \
      -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml \
      -p 8080:8080 \
      lacework/lacework-proxy-scanner

    where:

    • "$(pwd)"/cache is the persistent storage location where you want to store the scanner cache
    • "$(pwd)"/config.yml is the location of your configuration file

    Example
    docker run \
      --mount type=bind,source=/YourHostDirectoryPath/cache,target=/opt/lacework/cache \
      -v /YourHostDirectoryPath/config.yml:/opt/lacework/config/config.yml \
      -p 8080:8080 \
      lacework/lacework-proxy-scanner:latest

    For debugging purposes, add -e LOG_LEVEL=debug:

    docker run -e LOG_LEVEL=debug -d --mount ...

    Available LOG_LEVEL values: error, warn, or debug.

Configure the JFrog Registry Webhook (for Optional Notifications)

Note: For JFrog to send webhooks, turn off Artifactory Webhook Validation.

  1. Create a new webhook and provide the following details:

    • Name: Provide a name for the webhook (for example: LWProxyscanner)

    • URL: Specify the URL that the webhook invokes.

      Example
      <ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>

      Replace the following placeholders in the webhook URL:

      • <ProxyScannerHost>: the FQDN or IP address of your proxy scanner instance.
      • <RegistryNameFromYourConfig.yml>: the JFrog registry name (the name field) that you entered when configuring the proxy scanner.
    • Event: Select Docker Tag was pushed and/or Docker Tag was promoted.

    • Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.

  2. Click Create or Save once complete.

  3. Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).
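As an added example (not Lacework's or JFrog's own code), the following Python checks a loaded config.yml against the rules listed under Configure the Proxy Scanner (bare account name, no port 443 with ssl, auto_poll off for notification mode, credentials for a private registry) and checks that a webhook URL's registry_name names a registry in that config. The config dict, hostnames and account name are constructed sample values; in practice load the dict with yaml.safe_load.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the config.yml above (hypothetical values).
SAMPLE_CONFIG = {
    "scan_public_registries": False,
    "static_cache_location": "/opt/lacework",
    "lacework": {
        "account_name": "https://specializedsoftware.lacework.net",  # wrong on purpose
        "integration_access_token": "authorization-token",
    },
    "registries": [{
        "domain": "jfrog.example.internal:443/artifactory/apt/docker/docker-quickstart-local",
        "name": "JFrog-integration",
        "ssl": True,
        "auto_poll": True,  # wrong on purpose for notification mode
        "is_public": False,
        "credentials": {"user_name": "userinregistry", "password": "password"},
        "notification_type": "jfrog",
    }],
}

def validate_config(cfg):
    """Return the list of rule violations found (empty list means the config passes)."""
    problems = []
    lw = cfg.get("lacework", {})
    account = str(lw.get("account_name", ""))
    if account.startswith("https://") or account.endswith(".lacework.net"):
        problems.append("account_name: use the bare account name, no https:// or .lacework.net")
    seen = set()
    for reg in cfg.get("registries", []):
        name = reg.get("name", "<unnamed>")
        if name in seen:
            problems.append(f"{name}: registry name must be unique")
        seen.add(name)
        host = str(reg.get("domain", "")).split("/", 1)[0]  # host[:port] before the path
        if reg.get("ssl") and host.endswith(":443"):
            problems.append(f"{name}: drop port 443 from domain when ssl is true")
        if reg.get("notification_type") == "jfrog" and reg.get("auto_poll", False):
            problems.append(f"{name}: auto_poll must be false or omitted for notifications")
        creds = reg.get("credentials", {})
        if not reg.get("is_public") and not (creds.get("user_name") and creds.get("password")):
            problems.append(f"{name}: private registry needs user_name and password")
    return problems

def webhook_registry_matches(webhook_url, cfg):
    """True if the webhook URL's registry_name query parameter names a registry in cfg."""
    wanted = parse_qs(urlsplit(webhook_url).query).get("registry_name", [None])[0]
    return any(reg.get("name") == wanted for reg in cfg.get("registries", []))
```

Run validate_config on the loaded dict before starting the container; a mismatched registry_name in the webhook URL is the usual reason a pushed tag produces no scan.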

Check Scanning Results

Check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).