
Different Types of Scanning

Lacework offers a variety of integration points to scan container images. Use these integrations to secure your build and deployment pipelines and ensure all container images are assessed for vulnerabilities.

The Lacework Vulnerability Scanner is available in different forms to make integration easier. These forms are described in the following sections.

Public Registry Scanning

Integrate your internet-accessible container registries with the Lacework Platform Scanner. Lacework can scan all images as they are added to the registry.

Important: If your registry is behind a restricted firewall, ensure you have allowlisted the Lacework Outbound IPs.

Lacework offers different methods to pull images from a registry depending on the type of registry:

  • Registry notification: The registry sends an event to Lacework whenever a new image has been uploaded.
  • Auto-polling: Lacework automatically discovers the list of repositories and new images available in the registry.
  • On-demand: Manually request the scan of a container using the Lacework Console or Lacework CLI.

In each registry guide, the Container Registry Support section lists the methods available for that registry type.

Create a registry integration to start automatically scanning your images.

Private Registry Scanning

If your registry is not accessible from the internet, set up the Lacework Proxy Scanner in your environment to pull images from your network.

The Lacework Proxy Scanner supports the same methods as the Lacework Platform Scanner to scan a registry:

  • Registry notification: The registry sends an event to Lacework whenever a new image has been uploaded.
  • Auto-polling: Lacework automatically discovers the list of repositories and new images available in the registry.
  • On-demand: Manually request the scan of a container using the Lacework CLI.

See the Proxy Scanner Support section for the methods available for each registry type.

Create a registry integration to set up a Proxy Scanner.

Continuous Integration (CI) Scanning

The Lacework Inline Scanner can be integrated into a CI or build system such as Jenkins, Travis CI, or GitHub Actions. See CI Integration for more details.

Continuous Deployment (CD) Scanning

The Lacework Admission Controller Webhook and Proxy Scanner can be deployed in each Kubernetes cluster to inspect new images prior to deployment. See Integrate with Kubernetes Admission Controller for more details.

Local Scanning

Use the Lacework Inline Scanner to scan your images without requiring access to the Lacework Console. The Inline Scanner is available for Windows, Mac and Linux. See Local Scanning for more information.

Agentless Workload Scanning

Integrate your cloud account with Agentless Workload Scanning to scan any container images located on your cloud resources (for example, running EC2 instances).