Integrate Proxy Scanner with JFrog Registry - Notification/On-demand
Deploy a proxy scanner that integrates with your JFrog registry using a webhook (for registry notifications) or on-demand scans to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
To set up a proxy scanner you must first create an integration in the Lacework Console. To create an integration:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Proxy Scanner and click Next.
- Complete the required settings.
- Click Save.
Note: Do not download the proxy scanner from the provided URL; pull the image from Docker Hub as described in Deploy the Proxy Scanner.
- Click the Authorization Token’s copy to clipboard icon. This is the integration’s associated token; you need it to configure the proxy scanner.
Configure the JFrog Registry Repository
- Navigate to the Administration module and click Repositories.
- Create a new local Docker repository and provide a Repository Key (for example: docker-quickstart-local).
- Leave the remaining options on their default settings.
- Click Save & Finish.
Configure the Proxy Scanner
Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.
Select the repository key that you created in Configure the JFrog Registry Repository (for example: docker-quickstart-local). Use the configuration details from this repository to help create a config.yml file that will be used by the proxy scanner.
Example:
```yaml
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
  account_name: lacework-account
  integration_access_token: authorization-token
registries:
  - domain: DOMAIN_NAME:PORT/artifactory/apt/docker/REGISTRY_NAME
    name: JFrog-integration
    ssl: true
    auto_poll: false
    is_public: false
    credentials:
      user_name: "userinregistry"
      password: "password"
    notification_type: jfrog
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
```
Adjust the values for the following settings to match your repository and environment:
- account_name: Your Lacework account name. This can be found as part of the URL used to access your Lacework Console (for example: https://specializedsoftware.lacework.net). However, do not include the .lacework.net or https:// portions when entering the account name.
- integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
- domain: Adjust the domain and registry name to your JFrog environment. Use the URL to file entry from JFrog. Use the same domain that you use for Docker login. For example:
  - If you log into Docker using dockerHost:Port, use domain = dockerHost:Port.
  - If you log into Docker using dockerHost, use domain = dockerHost.
- name: Add a unique name for the registry integration.
- ssl: Set to true if your JFrog registry is configured with HTTPS. If it's an SSL/HTTPS based registry, do not add port 443 but check the SSL checkbox.
- auto_poll: Set to false or omit this field from your config (as the proxy scanner is being configured for registry notification).
- credentials:
  - user_name: Provide your JFrog registry username.
  - password: Provide your JFrog registry user password or access token. The config file stores these credentials in clear text, so restrict read access to it on the host and prefer a scoped access token over the account password.
- disable_non_os_package_scanning: Change to true if you want to disable scanning of Language Libraries (non-OS packages).
- go_binary_scanning:
  - enable: Set to false if you want to disable scanning of Go binaries.
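The settings above carry several rules that are easy to get wrong: account_name without the scheme or the .lacework.net suffix, domain matching the Docker login host (no scheme), no explicit :443 when ssl is true, auto_poll off in notification mode, and every template placeholder replaced. The following pre-flight check is an added example, not code from the Lacework documentation or from the proxy scanner itself; it applies those rules to a config.yml that has already been parsed into a dict (the shape yaml.safe_load returns). The filled-in values (artifactory.example.internal, scanner-svc, the token strings) are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Sample values from the config.yml template above. A config that still carries
# any of them has not been adapted to the environment.
TEMPLATE_PLACEHOLDERS = {
    "lacework-account", "authorization-token", "userinregistry", "password",
    "DOMAIN_NAME:PORT/artifactory/apt/docker/REGISTRY_NAME",
}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def account_name_from_console_url(url):
    """Derive account_name from the Console URL, e.g.
    'https://specializedsoftware.lacework.net' -> 'specializedsoftware'."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    suffix = ".lacework.net"
    if not host.endswith(suffix):
        raise ValueError(f"not a Lacework Console host: {host!r}")
    return host[: -len(suffix)]


def check_registry(reg):
    """Problems with one entry of the registries: list (empty list = OK)."""
    problems = []
    domain = str(reg.get("domain", ""))
    if SCHEME_RE.match(domain):
        problems.append("domain must be the Docker login host, without a scheme")
    host_part = SCHEME_RE.sub("", domain).split("/", 1)[0]
    if reg.get("ssl") and host_part.endswith(":443"):
        problems.append("ssl is true: do not add port 443 to the domain")
    if reg.get("notification_type") != "jfrog":
        problems.append("notification_type must be jfrog for JFrog webhooks")
    if reg.get("auto_poll") not in (None, False):
        problems.append("auto_poll must be false or omitted in notification mode")
    creds = reg.get("credentials") or {}
    for key in ("user_name", "password"):
        if not creds.get(key):
            problems.append(f"credentials.{key} is missing")
    for value in (domain, creds.get("user_name"), creds.get("password")):
        if value in TEMPLATE_PLACEHOLDERS:
            problems.append(f"template placeholder left in place: {value!r}")
    return problems


def check_config(cfg):
    """Map of location -> problems for a parsed config.yml ({} means it passes)."""
    findings = {}
    lw = cfg.get("lacework") or {}
    acct = str(lw.get("account_name") or "")
    token = lw.get("integration_access_token")
    lw_problems = []
    if "://" in acct or acct.endswith(".lacework.net"):
        lw_problems.append("account_name must not include https:// or .lacework.net")
    if not acct or acct in TEMPLATE_PLACEHOLDERS:
        lw_problems.append("account_name is missing or still the placeholder")
    if not token or token in TEMPLATE_PLACEHOLDERS:
        lw_problems.append("integration_access_token is missing or still the placeholder")
    if lw_problems:
        findings["lacework"] = lw_problems
    registries = cfg.get("registries") or []
    names = [r.get("name") for r in registries]
    for i, reg in enumerate(registries):
        problems = check_registry(reg)
        if not reg.get("name") or names.count(reg.get("name")) > 1:
            problems.append("registry name is missing or not unique")
        if problems:
            findings[f"registries[{i}]"] = problems
    return findings


# The page's template as a parsed dict (what yaml.safe_load would return).
TEMPLATE_CONFIG = {
    "scan_public_registries": False, "static_cache_location": "/opt/lacework",
    "default_registry": None,
    "lacework": {"account_name": "lacework-account",
                 "integration_access_token": "authorization-token"},
    "registries": [{
        "domain": "DOMAIN_NAME:PORT/artifactory/apt/docker/REGISTRY_NAME",
        "name": "JFrog-integration", "ssl": True, "auto_poll": False,
        "is_public": False,
        "credentials": {"user_name": "userinregistry", "password": "password"},
        "notification_type": "jfrog", "disable_non_os_package_scanning": False,
        "go_binary_scanning": {"enable": True},
    }],
}

# A constructed, filled-in config: hostname, user and token values are made up.
GOOD_CONFIG = {
    **TEMPLATE_CONFIG,
    "lacework": {"account_name": account_name_from_console_url(
                     "https://specializedsoftware.lacework.net"),
                 "integration_access_token": "EXAMPLE-TOKEN-CONSTRUCTED"},
    "registries": [{
        **TEMPLATE_CONFIG["registries"][0],
        "domain": "artifactory.example.internal:8082",
        "credentials": {"user_name": "scanner-svc",
                        "password": "EXAMPLE-ACCESS-TOKEN-CONSTRUCTED"},
    }],
}

if __name__ == "__main__":
    for label, cfg in (("template", TEMPLATE_CONFIG), ("filled in", GOOD_CONFIG)):
        print(label, check_config(cfg) or "OK")
```

Run it against the unchanged template and it reports the placeholder values and the two lacework: fields; against the filled-in config it reports nothing. The placeholder set is taken from the template above and should be extended with any other sample values you copy from documentation.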
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.
Using the Docker client CLI, pull the Lacework image:
```shell
docker pull lacework/lacework-proxy-scanner:latest
```
Create a writeable container layer and start the image:
```shell
docker run \
  --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache \
  -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml \
  -p 8080:8080 \
  lacework/lacework-proxy-scanner
```
where:
- "$(pwd)"/cache is the persistent storage location where you want to store the cache. With --mount type=bind, Docker does not create a missing source directory, so create it before starting the container.
- "$(pwd)"/config.yml is your configuration file location.
Example:
```shell
docker run \
  --mount type=bind,source=/YourHostDirectoryPath/cache,target=/opt/lacework/cache \
  -v /YourHostDirectoryPath/config.yml:/opt/lacework/config/config.yml \
  -p 8080:8080 \
  lacework/lacework-proxy-scanner:latest
```
For debugging purposes, add -e LOG_LEVEL=debug:
```shell
docker run -e LOG_LEVEL=debug -d --mount ...
```
Available LOG_LEVEL options: error|warn|debug
Configure the JFrog Registry Webhook (for Optional Notifications)
For JFrog to send webhooks, turn off Artifactory Webhook Validation.
Create a new webhook and provide the following details:
- Name: Provide a name for the webhook (for example: LWProxyscanner).
- URL: Specify the URL that the webhook invokes. Example:
  <ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>
  Use the following options in the webhook URL:
  - <ProxyScannerHost>: Modify this to point to your proxy scanner instance. This should be the FQDN or IP of your proxy scanner.
  - <RegistryNameFromYourConfig.yml>: Modify this to be the JFrog registry name that was entered when configuring the Proxy Scanner.
  The webhook targets port 8080 on the scanner host over plain HTTP; limit inbound access to that port to the JFrog host.
- Event: Select Docker Tag was pushed and/or Docker Tag was promoted.
- Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.
Click Create or Save once complete.
Push a new image to this repository to trigger a scan.
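A webhook that never produces a scan is usually a URL problem: the placeholders were left in, the path is not /v1/notification, or registry_name does not match a name: entry in config.yml. The helper below is an added example, not code from the Lacework documentation or the proxy scanner; it composes the URL in the shape given above and checks an existing URL against the registry names from config.yml. The scanner hostname scanner.example.internal is constructed, and the exact, case-sensitive comparison of registry_name with the configured name is an assumption of this check.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed values: substitute your scanner host and the name: values
# from your config.yml.
SCANNER_HOST = "scanner.example.internal"
CONFIGURED_REGISTRY_NAMES = {"JFrog-integration"}


def build_notification_url(scanner_host, registry_name, scheme="http", port=8080):
    """Compose <ProxyScannerHost>:8080/v1/notification?registry_name=<name>.
    urlencode() escapes any characters in the name that are not URL-safe."""
    query = urlencode({"registry_name": registry_name})
    return f"{scheme}://{scanner_host}:{port}/v1/notification?{query}"


def check_notification_url(url, configured_names):
    """Return the problems found in a webhook URL; [] means it is consistent
    with the scanner's notification endpoint and the names in config.yml."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        problems.append("URL needs an http:// or https:// scheme")
    if not parts.hostname or parts.hostname.startswith("<"):
        problems.append("<ProxyScannerHost> placeholder was not replaced")
    if parts.path != "/v1/notification":
        problems.append(f"path must be /v1/notification, got {parts.path!r}")
    names = parse_qs(parts.query).get("registry_name", [])
    if len(names) != 1:
        problems.append("exactly one registry_name query parameter is required")
    elif names[0] not in configured_names:
        # Compared exactly as written in config.yml (assumption of this check).
        problems.append(f"registry_name {names[0]!r} is not a name: in config.yml")
    return problems


if __name__ == "__main__":
    url = build_notification_url(SCANNER_HOST, "JFrog-integration")
    print(url, check_notification_url(url, CONFIGURED_REGISTRY_NAMES) or "OK")
```

Paste the webhook URL from the JFrog UI into check_notification_url together with the set of name: values from your config.yml before saving the webhook; the page's literal example with the angle-bracket placeholders is reported as unusable.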
Check Scanning Results
Check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).