Local Scanning Quickstart
Overview
Building and deploying a containerized application involves many steps, so a complete container image lifecycle approach is key to managing software supply chain risks. The Lacework inline scanner integrates Lacework security capabilities deeply into your software supply chain workflows by letting you scan and assess Docker container images for vulnerabilities without first checking them into a container registry.
The inline scanner container registry integration performs an inline scan outside of Lacework. You can then configure the inline scanner to send a request to Lacework to assess the collected data. After you create an inline scanner integration in the Lacework Console, you can download and deploy the inline scanner as a binary within your development tool chain.
The inline scanner is triggered on demand within build chain workflows. The trigger could be, for example, the start of a new container image build in the CI pipeline, or a developer wanting to assess a build on their local machine. The inline scanner collects data about the container image according to your configured settings for what data to collect. Using the server token that was created when you integrated the inline scanner in the Lacework Console, the inline scanner initiates an API request for assessment by Lacework. After the token is authorized, Lacework assesses the file data. View the results on the Vulnerability Assessment page in the Lacework Console. You can also configure additional output types.
You can download the inline scanner software from the Lacework GitHub Repository.
Upgrades
After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.
To keep the same behavior as before, perform one of the following options:
- Run the configure data command and enter true for the "Save results in platform" option.
- Use the LW_SCANNER_SAVE_RESULTS=true environment variable on your local or CI/CD system.
- Use the --save flag when running the image evaluate or image scan commands.
Before you Begin
The Lacework Inline Scanner pulls and then scans an image locally (getting the list of OS packages and library languages in the image). The scanner sends the metadata to Lacework to generate the list of vulnerabilities and, optionally, to save the assessment report in your account.
Access to Lacework requires a valid access token and account name. Follow the instructions in Create an Inline Scanner Integration in Lacework to get this information.
Create an Inline Scanner Integration in Lacework
Creating an integration in the Lacework Console is the first step in setting up the inline scanner. To create an integration, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Inline Scanner and click Next.
- Name the integration and click Next.
- Complete any optional settings and click Save. This displays a window that provides the inline scanner's download URL and authorization token.
- Click the URL's Copy to clipboard icon and paste it into a new browser window. This is where you download the inline scanner.
- Click the Authorization Token's Copy to clipboard icon. This is the integration's associated token. You need this to configure the inline scanner.
After you save the integration, its name displays on the Integrations Container Registry page.
Note: Inline Scanner Limits can be increased upon request.
Inline Scanner Settings
| Setting Name | Description |
|---|---|
| Registry Type | Specify the registry type selected from the drop-down; in this case, select Inline Scanner. |
| Name | Specify a unique name to display for the integration in the Lacework Console. |
| Limit Number of Scans for this Integration | Select the maximum number of scans per hour that this integration can perform. |
| Identifier Tags | Specify tags as key:value pairs. |
Inline Scanner Support
The inline scanner can be run on Linux, Mac, and Windows; each has its own Get Started section below.
For information about package assessment, see the Package Assessment Support section.
Get Started on Linux
This section guides you through the installation, configuration and first scan of a container image on Linux using the terminal. First, ensure the following prerequisites are met:
- Docker is running. Check that Docker is running by using:
docker --version
- You have your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Linux)
1. Download the latest version of the Lacework Inline Scanner and save it as lw-scanner.
Important: Download the version that matches your processor type.
386:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-386 -o lw-scanner
AMD64:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
ARM:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-arm -o lw-scanner
ARM64:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-arm64 -o lw-scanner
2. Make lw-scanner executable by the user:
chmod u+x lw-scanner
3. Run the scanner:
./lw-scanner version
Get Started on Mac
This section guides you through the installation, configuration and first scan of a container image on Mac OS X using the terminal. First, ensure the following prerequisites are met:
- Docker is running on your Mac. If you use Homebrew, install Docker with the following command:
brew install --cask docker
Check that Docker is running:
docker --version
If the command above shows an error, look for Docker in Spotlight or in the Applications folder in Finder and run it.
- You have your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Mac)
1. Download the latest version of the Lacework Inline Scanner and save it as lw-scanner:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-darwin-amd64 -o lw-scanner
2. Make lw-scanner executable by the user:
chmod u+x lw-scanner
3. Run the scanner:
./lw-scanner version
You may have to authorize lw-scanner to run, since it was downloaded from the internet.
Configuration on Linux / Mac
Authentication (Linux/Mac)
Configure the Inline Scanner to communicate with Lacework.
The authentication credentials (access token and account name) can be provided to the Inline Scanner through command line arguments or environment variables. A better option for local scans is to save them in your default configuration. To do so, use this command:
./lw-scanner configure auth
You will be prompted for your account name and access token.
List Configuration Options (Linux/Mac)
Use this command to list all the configuration options:
./lw-scanner configure view
Save Assessment Reports to Lacework Console (Linux/Mac)
By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:
./lw-scanner configure data
Enable Language Library Scanning (Linux/Mac)
To change whether language libraries are scanned or not, run:
./lw-scanner configure scanner
Override Default Configuration (Linux/Mac)
At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.
Scan a Public Image on Linux / Mac
Once your scanner is configured, you can scan your first image.
In this example, we'll scan the image ubuntu:18.04, which is publicly available on Docker Hub:
./lw-scanner image evaluate ubuntu 18.04
Example output:
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!
Because the image did not exist locally, the Inline Scanner downloaded it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework. Finally, it displayed the list of vulnerabilities found.
If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don't have access to the Lacework Console, or do not wish to log in, you can generate a similar version of the online assessment locally:
./lw-scanner image evaluate ubuntu 18.04 --html --html-file=ubuntu.html
You can open ubuntu.html in your browser to interact with the report.
To see the full list of options, check the inline help:
./lw-scanner image evaluate --help
Scan an Image from your Own Registry on Linux / Mac
In the example above, we pulled the image to scan from a public registry that did not require credentials. The Inline Scanner can also pull images from registries that require authentication.
There are 2 ways to provide the registry credentials:
- docker login: Log in to your registry with Docker to let the Inline Scanner pull the image and use your registry as the default source.
- Command arguments: Provide the credentials to your registry through the command line flags --docker-username, --docker-password, and --docker-server.
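The following POSIX-sh wrapper is an added example, not code from the Lacework documentation or the scanner project. It ties together the Linux/Mac steps above (pick the release asset that matches the processor type, chmod u+x, run version, evaluate an image, write the HTML report) and the Upgrades section's LW_SCANNER_SAVE_RESULTS=true opt-in. The account name and access token are passed through the environment rather than the command line. The variable names LW_ACCOUNT_NAME and LW_ACCESS_TOKEN are an assumption (confirm the names your scanner version expects with ./lw-scanner configure view), and REGISTRY_SERVER, REGISTRY_USER and REGISTRY_PASSWORD are names this script invents for the optional private-registry login.

```shell
# Added example (not Lacework's code). Wraps the Linux/Mac quickstart:
# download the asset for this host, make it executable, run a scan with
# results saved, optionally write an HTML report. Credential variable
# names LW_ACCOUNT_NAME / LW_ACCESS_TOKEN are assumed; REGISTRY_* are ours.
set -eu

RELEASE_BASE="https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download"

# Map uname -s / uname -m to the asset names from the installation section.
# Prints nothing and returns 1 for an unsupported host so we never fetch
# (and try to execute) a binary built for a different architecture.
asset_for_host() {
  os=$1; machine=$2
  case "$os" in
    Linux)
      case "$machine" in
        x86_64|amd64)      echo "lw-scanner-linux-amd64" ;;
        i386|i686)         echo "lw-scanner-linux-386" ;;
        aarch64|arm64)     echo "lw-scanner-linux-arm64" ;;
        armv6l|armv7l|arm) echo "lw-scanner-linux-arm" ;;
        *) return 1 ;;
      esac ;;
    Darwin)
      case "$machine" in
        x86_64) echo "lw-scanner-darwin-amd64" ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Download the matching binary as ./lw-scanner, make it executable for the
# current user only (chmod u+x, as in the quickstart), and print its version.
install_scanner() {
  asset=$(asset_for_host "$(uname -s)" "$(uname -m)") || {
    echo "unsupported platform: $(uname -s)/$(uname -m)" >&2; return 1; }
  curl -fsSL "$RELEASE_BASE/$asset" -o lw-scanner
  chmod u+x lw-scanner
  ./lw-scanner version
}

# Build the evaluate command for IMAGE TAG [REPORT]. The access token is
# deliberately absent from this string: it travels in the environment, so it
# does not land in shell history or in CI logs that echo the command line.
scan_cmd() {
  image=$1; tag=$2; report=${3:-}
  cmd="./lw-scanner image evaluate $image $tag"
  if [ -n "$report" ]; then
    cmd="$cmd --html --html-file=$report"
  fi
  echo "$cmd"
}

# Run a scan. Requires LW_ACCOUNT_NAME and LW_ACCESS_TOKEN (assumed names)
# and saves the assessment to the Console via LW_SCANNER_SAVE_RESULTS.
run_scan() {
  : "${LW_ACCOUNT_NAME:?set LW_ACCOUNT_NAME}" "${LW_ACCESS_TOKEN:?set LW_ACCESS_TOKEN}"
  docker --version >/dev/null 2>&1 || { echo "Docker is not available" >&2; return 1; }
  [ -x ./lw-scanner ] || install_scanner
  # Private registry: the quickstart's "docker login" option. --password-stdin
  # keeps the registry secret off the process command line.
  if [ -n "${REGISTRY_SERVER:-}" ]; then
    printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY_SERVER" \
      --username "$REGISTRY_USER" --password-stdin
  fi
  export LW_SCANNER_SAVE_RESULTS=true
  # image/tag come from trusted CI configuration, hence eval of the built string
  eval "$(scan_cmd "$1" "$2" "${3:-}")"
}

# Usage: LW_ACCOUNT_NAME=... LW_ACCESS_TOKEN=... sh scan.sh ubuntu 18.04 ubuntu.html
if [ $# -ge 2 ]; then
  run_scan "$@"
fi
```

For CI use, consider pinning the download to a specific release instead of latest and recording the hash of the binary you tested against, so a later release cannot silently change what runs in your pipeline.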
Get Started on Windows
This section guides you through the installation, configuration and first scan of a container image on Windows 10 using the command line. First, ensure the following prerequisites are met:
- Docker is running. Follow the instructions at https://docs.docker.com/desktop/windows/install/ to download and install Docker Desktop for Windows.
- You have your access token and account name. See Create an Inline Scanner Integration in Lacework above.
Installation (Windows)
1. Download the latest version of the Lacework Inline Scanner and save it as lw-scanner.exe:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-windows-amd64.exe -o lw-scanner.exe
2. Run the scanner:
lw-scanner.exe version
Configuration on Windows
Authentication (Windows)
Configure the Inline Scanner to communicate with Lacework.
The authentication credentials (access token and account name) can be provided to the Inline Scanner through command line arguments or environment variables. A better option for local scans is to save them in your default configuration. To do so, use this command:
lw-scanner.exe configure auth
You will be prompted for your account name and access token.
List Configuration Options (Windows)
Use this command to list all the configuration options:
lw-scanner.exe configure view
Save Assessment Reports to Lacework Console (Windows)
By default, local assessments are not saved to the Lacework Console. To change the default behavior, run:
lw-scanner.exe configure data
Enable Language Library Scanning (Windows)
To change whether language libraries are scanned or not, run:
lw-scanner.exe configure scanner
Override Default Configuration (Windows)
At any time, you can override the default configuration by using command flags and/or environment variables. See Integrate Inline Scanner for more details on all commands with their environment variable/command flag options.
Scan a Public Image on Windows
Once your scanner is configured, you can scan your first image.
In this example, we'll scan the image ubuntu:18.04, which is publicly available on Docker Hub:
lw-scanner.exe image evaluate ubuntu 18.04
Example output:
Pulling image: Done!
Saving image: Done!
Getting image manifest: Done!
Gathering packages: Done!
Packaging image data: Done!
Evaluating image: Done!
Because the image did not exist locally, the Inline Scanner downloaded it from Docker Hub automatically. It then retrieved the list of packages and libraries and sent it to Lacework. Finally, it displayed the list of vulnerabilities found.
If you configured the scanner to save the report, the assessment will be available in the Lacework Console. If you don't have access to the Lacework Console, or do not wish to log in, you can generate a similar version of the online assessment locally:
lw-scanner.exe image evaluate ubuntu 18.04 --html --html-file=ubuntu.html
You can open ubuntu.html in your browser to interact with the report.
To see the full list of options, check the inline help:
lw-scanner.exe image evaluate --help
Scan an Image from your Own Registry on Windows
In the example above, we pulled the image to scan from a public registry that did not require credentials. The Inline Scanner can also pull images from registries that require authentication.
There are 2 ways to provide the registry credentials:
- docker login: Log in to your registry with Docker to let the Inline Scanner pull the image and use your registry as the default source.
- Command arguments: Provide the credentials to your registry through the command line flags --docker-username, --docker-password, and --docker-server.
Next steps
For a list of all available commands and features, see Integrate Inline Scanner.