Integrate Proxy Scanner with JFrog Registry - Auto Polling
Deploy a proxy scanner that integrates with your JFrog registry using auto polling to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
To set up a proxy scanner you must first create an integration in the Lacework Console. To create an integration:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Proxy Scanner and click Next.
- Complete the required settings.
- Click Save.
  Do not download the proxy scanner from the provided URL; pull the image from Docker Hub instead, as described in Deploy the Proxy Scanner.
- Click the Authorization Token's copy to clipboard icon. This is the integration's associated token; you need it to configure the proxy scanner.
Configure the Proxy Scanner
All repositories and images within the Artifactory domain will be scanned using this configuration.
Use the template below to create a config.yml file that will be used by the proxy scanner. The file holds your JFrog credentials and the Lacework integration token, so restrict its permissions on the host (for example, chmod 600 config.yml) and keep it out of version control.
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
  account_name: <my-lacework-account-name>
  integration_access_token: <my-lacework-access-token>
registries:
  - domain: <my-jfrog-artifactory-domain>
    name: <name-for-registry-integration>
    ssl: true
    auto_poll: true
    credentials:
      user_name: "jfrog-user-name"
      password: "jfrog-user-password"
    poll_frequency_minutes: 20
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
Adjust the values for the following settings to match your repository and environment:
- account_name: Your Lacework account name. This can be found as part of the URL used to access your Lacework Console (for example: https://specializedsoftware.lacework.net). However, do not include the .lacework.net or https:// portions when entering the account name.
- integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
- domain: Adjust the domain to your JFrog environment. Do not include the http(s):// portion in the domain. Use the same domain that you use for Docker login. For example:
  - If you log into Docker using dockerHost:Port, use domain: dockerHost:Port.
  - If you log into Docker using dockerHost, use domain: dockerHost.
- name: Add a unique name for the registry integration.
- ssl: Set to true if your JFrog domain is configured with HTTPS, or false if configured with HTTP.
- auto_poll: Set to true, as the proxy scanner is being configured for auto polling.
- credentials:
  - user_name: Provide your JFrog registry username.
  - password: Provide your JFrog registry user password or access token.
- poll_frequency_minutes: Set the auto poll frequency in minutes. The minimum frequency is 20 minutes.
- disable_non_os_package_scanning: Change to true if you want to disable scanning of language libraries (non-OS packages).
- go_binary_scanning:
  - enable: Set to false if you want to disable scanning of Go binaries.
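The settings above carry a handful of easy-to-miss constraints (no scheme or .lacework.net suffix in the account name, no http(s):// in the registry domain, auto_poll set to true, a poll frequency of at least 20 minutes, and no template placeholders left behind). The pre-flight checker below is an added example written for this page; it is not Lacework's code and the proxy scanner does not ship with it. It assumes config.yml has already been parsed into a dict (for example with PyYAML's yaml.safe_load), and all account names, domains and credentials in the sample configs are constructed values.

```python
"""Pre-flight checks for a proxy scanner config.yml.

Added example, not Lacework's code. Assumes the YAML was already parsed into a
dict, e.g.  cfg = yaml.safe_load(open("config.yml"))  (PyYAML, not imported here).
"""
import re

PLACEHOLDER = re.compile(r"^<.*>$")          # value still in template form <...>
SCHEME = re.compile(r"^https?://", re.IGNORECASE)
MIN_POLL_MINUTES = 20                        # documented minimum auto poll frequency


def _is_placeholder(value):
    return isinstance(value, str) and PLACEHOLDER.match(value.strip()) is not None


def validate_config(cfg):
    """Return a list of problems found; an empty list means the config passes."""
    problems = []

    lw = cfg.get("lacework") or {}
    account = lw.get("account_name", "")
    if not account or _is_placeholder(account):
        problems.append("lacework.account_name is missing or still a placeholder")
    else:
        if SCHEME.match(account):
            problems.append("lacework.account_name must not include https://")
        if account.lower().endswith(".lacework.net"):
            problems.append("lacework.account_name must not include .lacework.net")
    token = lw.get("integration_access_token", "")
    if not token or _is_placeholder(token):
        problems.append("lacework.integration_access_token is missing or still a placeholder")

    registries = cfg.get("registries") or []
    if not registries:
        problems.append("registries list is empty")
    for i, reg in enumerate(registries):
        where = f"registries[{i}]"
        domain = reg.get("domain", "")
        if not domain or _is_placeholder(domain):
            problems.append(f"{where}.domain is missing or still a placeholder")
        elif SCHEME.match(domain):
            problems.append(f"{where}.domain must not include the http(s):// portion")
        if not reg.get("name") or _is_placeholder(reg.get("name")):
            problems.append(f"{where}.name is missing or still a placeholder")
        if not isinstance(reg.get("ssl"), bool):
            problems.append(f"{where}.ssl must be true or false")
        if reg.get("auto_poll") is not True:
            problems.append(f"{where}.auto_poll must be true for an auto-polling deployment")
        creds = reg.get("credentials") or {}
        if not creds.get("user_name") or not creds.get("password"):
            problems.append(f"{where}.credentials needs user_name and password")
        freq = reg.get("poll_frequency_minutes")
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(freq, int) or isinstance(freq, bool) or freq < MIN_POLL_MINUTES:
            problems.append(f"{where}.poll_frequency_minutes must be an integer >= {MIN_POLL_MINUTES}")
    return problems


# Constructed sample configs: account, domain, user and secret values are made up.
GOOD_CONFIG = {
    "scan_public_registries": False,
    "static_cache_location": "/opt/lacework",
    "lacework": {
        "account_name": "example-account",
        "integration_access_token": "TOKEN_VALUE_FOR_EXAMPLE_ONLY",
    },
    "registries": [{
        "domain": "artifactory.example.internal:8443",
        "name": "jfrog-prod",
        "ssl": True,
        "auto_poll": True,
        "credentials": {"user_name": "svc-scanner", "password": "example-secret"},
        "poll_frequency_minutes": 20,
        "disable_non_os_package_scanning": False,
        "go_binary_scanning": {"enable": True},
    }],
}

# Every mistake the documentation warns about, in one file.
BAD_CONFIG = {
    "lacework": {
        "account_name": "https://example.lacework.net",      # scheme and suffix left in
        "integration_access_token": "<my-lacework-access-token>",  # template placeholder
    },
    "registries": [{
        "domain": "https://jfrog.example.com",               # scheme left in
        "name": "jfrog",
        "ssl": "yes",                                        # not a boolean
        "auto_poll": False,                                  # must be true here
        "credentials": {"user_name": "svc", "password": ""},
        "poll_frequency_minutes": 5,                         # below the 20 minute minimum
    }],
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        issues = validate_config(cfg)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it before starting the container: a non-empty problem list points at the exact key to fix, which is quicker than waiting a full poll interval to discover that the scanner could not reach the registry or authenticate to Lacework.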
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you have set up a host machine with Docker installed.
Using the Docker client CLI, pull the Lacework image:
docker pull lacework/lacework-proxy-scanner:latest
Create the cache directory on the host first (for example, mkdir -p cache); a --mount type=bind fails if the source directory does not exist. Then create a writeable container layer and start the image:
docker run \
  --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache \
  -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml \
  -p 8080:8080 \
  lacework/lacework-proxy-scanner
where
- "$(pwd)"/cache is the persistent storage location where you want to store the cache
- "$(pwd)"/config.yml is your configuration file location
Example:
docker run \
  --mount type=bind,source=/YourHostDirectoryPath/cache,target=/opt/lacework/cache \
  -v /YourHostDirectoryPath/config.yml:/opt/lacework/config/config.yml \
  -p 8080:8080 \
  lacework/lacework-proxy-scanner:latest
For debugging purposes, add -e LOG_LEVEL=debug:
docker run -e LOG_LEVEL=debug -d --mount ...
Available LOG_LEVEL options: error|warn|debug
Check Scanning Results
Check the scan results in the Lacework Console - Container Vulnerability (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.