Local Scanning Quickstart
Overview
There are many steps involved in building and deploying a containerized application, and a complete container image lifecycle approach is key to managing software supply chain risk. The Lacework inline scanner lets you integrate Lacework security capabilities into your software supply chain workflows by scanning and assessing Docker container images for vulnerabilities without first pushing them to a container registry.
How It Works
The inline scanner registry integration performs the scan outside of Lacework and then sends the collected data to Lacework for assessment. After you create an inline scanner integration in the Lacework Console, you download the inline scanner binary and deploy it within your development tool chain.
The inline scanner runs on demand within build chain workflows. The trigger could be, for example, the start of a new container image build in the CI pipeline, or a developer wanting to assess a build on their local machine. The inline scanner collects data about the container image according to the settings you configured for what to collect and, using the authorization token created when you set up the inline scanner integration in the Lacework Console, sends an API request to Lacework for assessment. After the token is authorized, Lacework assesses the submitted package data (the image itself stays local). View the results on the Vulnerability Assessment page in the Lacework Console. You can configure additional output types.
You can download the inline scanner software from the Lacework GitHub Repository.
Upgrades
After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.
To keep the same behavior as before, perform one of the following options:
- Run the configure data command and enter true for the "Save results in platform" option.
- Use the LW_SCANNER_SAVE_RESULTS=true environment variable on your local or CI/CD system.
- Use the --save flag when running the image evaluate or image scan commands.
Inline Scanner Operating System Support
The inline scanner can be run on the following operating systems:
For information about package assessment, see the Package Assessment Support section.
Lacework CLI Support for Inline Scanner
The inline scanner can also be run through the Lacework CLI by installing the vuln-scanner component.
See Get Started with the Lacework CLI for guidance.
Before you Begin
The Lacework inline scanner pulls and then scans an image locally, collecting the list of OS packages and language libraries in the image. The scanner sends only this metadata to Lacework, which generates the list of vulnerabilities and, optionally, saves the assessment report in your account.
Access to Lacework requires a valid access token and account name. Follow the instructions in Create an Inline Scanner Integration in Lacework to get this information.
Create an Inline Scanner Integration in Lacework
Creating an integration in the Lacework Console is the first step in setting up the inline scanner. To create an integration, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Inline Scanner and click Next.
- Name the integration and click Next.
- Complete any optional settings and click Save. This displays a window that provides the inline scanner’s download URL and authorization token.
- Click the URL’s Copy to clipboard icon and paste it into a new browser window. This is where you download the inline scanner.
- Click the Authorization Token’s Copy to clipboard icon. This is the integration’s associated token. You need it to configure the inline scanner, so store it as you would any other credential.
After you save the integration, its name displays on the Integrations Container Registry page.
Inline Scanner Limits can be increased upon request.
Inline Scanner Settings
| Setting Name | Description |
|---|---|
| Registry Type | The registry type chosen from the drop-down; for this integration, select Inline Scanner. |
| Name | A unique name to display for the integration in the Lacework Console. |
| Limit Number of Scans for this Integration | The maximum number of scans per hour that this integration can perform. |
| Identifier Tags | Tags as key:value pairs. |
Get Started on Linux
This section guides you through the installation, configuration and first scan of a container image on Linux using the terminal. First, ensure the following prerequisites are met:
Docker is running. Check that the Docker client is installed by using:
docker --version
This only confirms the client is present; the scanner also needs the Docker daemon to be running.
Your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Linux)
Download the latest version of the Lacework inline scanner and save it as lw-scanner. Download the version that matches your processor type:
- 386:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-386 -o lw-scanner
- AMD64:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
- ARM:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-arm -o lw-scanner
- ARM64:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-arm64 -o lw-scanner
Make lw-scanner executable by the user:
chmod u+x lw-scanner
Run the scanner:
./lw-scanner version
Get Started on Mac
This section guides you through the installation, configuration and first scan of a container image on macOS using the terminal. First, ensure the following prerequisites are met:
Docker is running on your Mac. If you use Homebrew, install Docker with the following command:
brew install --cask docker
Check that Docker is installed:
docker --version
If the command above shows an error, look for Docker in Spotlight or in the Applications folder in Finder and run it. Note that docker --version only confirms the client is present; the scanner also needs the Docker daemon to be running.
Your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Mac)
Download the latest version of the Lacework inline scanner and save it as lw-scanner:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-darwin-amd64 -o lw-scanner
Make lw-scanner executable by the user:
chmod u+x lw-scanner
Run the scanner:
./lw-scanner version
You may have to authorize lw-scanner to run since it was downloaded from the internet.
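The Linux and Mac installation steps above fetch whatever build is currently tagged latest and make it executable without checking what was downloaded. The following script is an added example, not Lacework's installer: it selects the release asset for the current OS and CPU using the asset names listed on this page, downloads a pinned release tag from the standard GitHub releases/download/<tag>/<asset> path, and refuses to install the binary unless its SHA-256 matches a digest you obtained out of band. The release tag and the expected digest are assumptions you must supply; this page does not publish either, and it does not say whether the project ships checksum files, so the digest is treated as something you record yourself when you first vet a release.

```shell
#!/bin/sh
# Added example, not part of the Lacework inline scanner or its documentation.
# Pick the release asset for this machine, download a pinned release, verify
# its SHA-256 against a digest obtained from a trusted source, then install it.
set -eu

# Map `uname -s` / `uname -m` output to the asset names listed on this page.
# The page lists only an amd64 build for macOS, so other macOS CPUs are rejected.
lw_asset_for_platform() {
  os="$1"; arch="$2"
  case "$os" in
    Linux)  os=linux ;;
    Darwin) os=darwin ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  case "$arch" in
    x86_64|amd64)      arch=amd64 ;;
    i386|i686)         arch=386 ;;
    aarch64|arm64)     arch=arm64 ;;
    armv6l|armv7l|arm) arch=arm ;;
    *) echo "unsupported CPU: $arch" >&2; return 1 ;;
  esac
  if [ "$os" = darwin ] && [ "$arch" != amd64 ]; then
    echo "no macOS build listed for $arch" >&2; return 1
  fi
  echo "lw-scanner-${os}-${arch}"
}

# Print the hex SHA-256 of a file with whichever tool the platform has
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file's digest equals the expected one (case-insensitive).
verify_sha256() {
  actual="$(sha256_of "$1" | tr 'A-F' 'a-f')"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ "$actual" = "$expected" ]
}

# Usage: install_lw_scanner <release-tag> <expected-sha256-of-the-asset>
# Both values are assumptions the operator supplies; pinning the tag instead of
# using releases/latest keeps CI builds reproducible.
install_lw_scanner() {
  tag="$1"; expected="$2"
  asset="$(lw_asset_for_platform "$(uname -s)" "$(uname -m)")"
  url="https://github.com/lacework/lacework-vulnerability-scanner/releases/download/${tag}/${asset}"
  curl -fsSL --proto '=https' --tlsv1.2 "$url" -o lw-scanner.tmp
  if ! verify_sha256 lw-scanner.tmp "$expected"; then
    rm -f lw-scanner.tmp
    echo "SHA-256 mismatch for $asset; refusing to install" >&2
    return 1
  fi
  chmod u+x lw-scanner.tmp
  mv lw-scanner.tmp lw-scanner
  ./lw-scanner version
}
```

Source the file and call install_lw_scanner with the tag and digest you vetted; the binary is only renamed into place after the digest check passes, so a mismatch leaves nothing executable behind.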
Configuration on Linux / Mac
Authentication (Linux/Mac)
Configure the inline scanner to communicate with Lacework.
The authentication credentials (access token and account name) can be provided to the inline scanner through command line arguments or environment variables, which is the usual choice in CI. For local scans, a better option is to save them in your default configuration. The saved configuration contains the access token, so protect it like any other credential file. To save the credentials, use this command:
./lw-scanner configure auth
You will be prompted for your account name and access token.
View Current Configuration (Linux/Mac)
Use this command to view your current configuration:
./lw-scanner configure view
Save Assessment Reports to Lacework Console (Linux/Mac)
By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:
./lw-scanner configure data
Enter true for Save results in platform:
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true
Enable Language Library Scanning (Linux/Mac)
To change whether language libraries are scanned or not, run:
./lw-scanner configure scanner
Override Default Configuration (Linux/Mac)
At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.
Scan a Public Image on Linux / Mac
Once your scanner is configured, you can scan your first image.
In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub. Note that the scanner takes the image name and the tag as two separate arguments, not as ubuntu:18.04:
./lw-scanner image evaluate ubuntu 18.04
Example output:
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!
Since the image did not exist locally, the inline scanner downloaded it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework. Finally, it displayed the list of vulnerabilities found.
If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to login, you can generate a similar version of the online assessment locally:
./lw-scanner image evaluate ubuntu 18.04 --html --html-file=ubuntu.html
You can open ubuntu.html in your browser to interact with the report.
To see the full list of options, check the inline help:
./lw-scanner image evaluate --help
Scan an Image from your Own Registry on Linux / Mac
In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.
There are two ways to provide the registry credentials:
- docker login: Log in to your registry with Docker so the inline scanner can pull the image, using your registry as the default source.
- Command arguments: Provide the credentials to your registry through the --docker-username, --docker-password, and --docker-server command line flags. Example:
./lw-scanner image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>
A password passed as a command line flag is visible to other users in the process list and is recorded in shell history, so prefer docker login for interactive use, and in pipelines inject the secret from the CI system’s secret store rather than writing it into the job definition.
Get Started on Windows
This section guides you through the installation, configuration and first scan of the container image on Windows 10 using the command line. First, ensure the following prerequisites are met:
Docker is running.
Follow the instructions at https://docs.docker.com/desktop/windows/install/ to download and install Docker Desktop for Windows.
Your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Windows)
Download the latest version of the Lacework inline scanner and save it as lw-scanner.exe:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-windows-amd64.exe -o lw-scanner.exe
Run the scanner:
lw-scanner.exe version
Configuration on Windows
Authentication (Windows)
Configure the inline scanner to communicate with Lacework.
The authentication credentials (access token and account name) can be provided to the inline scanner through command line arguments or environment variables, which is the usual choice in CI. For local scans, a better option is to save them in your default configuration. The saved configuration contains the access token, so protect it like any other credential file. To save the credentials, use this command:
lw-scanner.exe configure auth
You will be prompted for your account name and access token.
View Current Configuration (Windows)
Use this command to view your current configuration:
lw-scanner.exe configure view
Save Assessment Reports to Lacework Console (Windows)
By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:
lw-scanner.exe configure data
Enter true for Save results in platform:
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true
Enable Language Library Scanning (Windows)
To change whether language libraries are scanned or not, run:
lw-scanner.exe configure scanner
Override Default Configuration (Windows)
At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.
Scan a Public Image on Windows
Once your scanner is configured, you can scan your first image.
In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub. Note that the scanner takes the image name and the tag as two separate arguments, not as ubuntu:18.04:
lw-scanner.exe image evaluate ubuntu 18.04
Example output:
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!
Since the image did not exist locally, the inline scanner downloaded it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework. Finally, it displayed the list of vulnerabilities found.
If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to login, you can generate a similar version of the online assessment locally:
lw-scanner.exe image evaluate ubuntu 18.04 --html --html-file=ubuntu.html
You can open ubuntu.html in your browser to interact with the report.
To see the full list of options, check the inline help:
lw-scanner.exe image evaluate --help
Scan an Image from your Own Registry on Windows
In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.
There are two ways to provide the registry credentials:
- docker login: Log in to your registry with Docker so the inline scanner can pull the image, using your registry as the default source.
- Command arguments: Provide the credentials to your registry through the --docker-username, --docker-password, and --docker-server command line flags. Example:
lw-scanner.exe image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>
A password passed as a command line flag is visible to other users in the process list and is recorded in command history, so prefer docker login for interactive use, and in pipelines inject the secret from the CI system’s secret store rather than writing it into the job definition.
Get Started with the Lacework CLI
The inline scanner is provided as the vuln-scanner component in the Lacework CLI.
Ensure you have installed and configured the Lacework CLI before beginning.
Install the Inline Scanner Component
Run the following command to install the inline scanner component:
lacework component install vuln-scanner
You can check the component's status by running lacework component list. The STATUS column reads Not Installed before the component is installed, as in the listing below, and Installed afterwards:
$ lacework component list
STATUS           NAME           VERSION   DESCRIPTION
----------------+-------------------------+-----------+----------------------------------------------------------------------------
Not Installed    vuln-scanner   0.23.2    Lacework inline scanner
Update the Inline Scanner Component
If there is a new version available, you can update the vuln-scanner component by running the following command:
lacework component update vuln-scanner
Configuration (CLI)
Authentication (CLI)
You do not need to configure authentication when using the inline scanner through the Lacework CLI, as it is preconfigured.
If you do need to reconfigure, use the following command:
lacework vuln-scanner configure auth
You will then be prompted for your account name and access token.
View Current Configuration (CLI)
Use this command to view your current configuration:
lacework vuln-scanner configure view
Save Assessment Reports to Lacework Console (CLI)
By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:
lacework vuln-scanner configure data
Enter true for Save results in platform:
Data storage directory ():
Store Evaluations in file - true/false (false):
Store Manifest in file - true/false (false):
Save results in platform - true/false (false): true
Enable Language Library Scanning (CLI)
To change whether language libraries are scanned or not, run:
lacework vuln-scanner configure scanner
Enable Exit Codes for Policy Violation (CLI)
To enable Exit Codes for Policy Violations, run:
lacework vuln-scanner configure exit-codes
Help
Run with the -h or --help flag after any command to get more context on that command.
Scan a Public Image (CLI)
Once your scanner is configured, you can scan your first image.
In this example, we’ll scan the image ubuntu:18.04, available publicly on Docker Hub. Note that the scanner takes the image name and the tag as two separate arguments, not as ubuntu:18.04:
lacework vuln-scanner image evaluate ubuntu 18.04
Example output:
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!
Since the image did not exist locally, the inline scanner downloaded it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework. Finally, it displayed the list of vulnerabilities found.
If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don’t have access to the Lacework Console, or do not wish to login, you can generate a similar version of the online assessment locally:
lacework vuln-scanner image evaluate ubuntu 18.04 --html --html-file=ubuntu.html
You can open ubuntu.html in your browser to interact with the report.
To see the full list of options, check the inline help:
lacework vuln-scanner image evaluate --help
Scan an Image from your Own Registry (CLI)
In the example above, we pulled the image to scan from a public registry that did not require credentials. The inline scanner can also pull images from registries that require authentication.
There are two ways to provide the registry credentials:
- docker login: Log in to your registry with Docker so the inline scanner can pull the image, using your registry as the default source.
- Command arguments: Provide the credentials to your registry through the --docker-username, --docker-password, and --docker-server command line flags. Example:
lacework vuln-scanner image evaluate <image-name> <image-version> --docker-username <docker-username> --docker-password <docker-password> --docker-server <docker-server-url>
A password passed as a command line flag is visible to other users in the process list and is recorded in shell history, so prefer docker login for interactive use, and in pipelines inject the secret from the CI system’s secret store rather than writing it into the job definition.
Next steps
For a list of all available commands and features, see Integrate Inline Scanner.