Integrate Proxy Scanner
Overview
The Lacework proxy scanner integration allows Lacework to perform container vulnerability assessments for your on-premises Docker container image registries without exposing them to external connectivity. The Lacework proxy scanner assesses the images stored within registries, extracts image manifest data as necessary for assessment, and sends the application metadata to the Lacework platform. Additionally, the bandwidth transfer costs for container registry assessment are optimized when using the Lacework proxy scanner for vulnerability assessment.
After creating a proxy scanner integration through the Lacework Console settings, you deploy the proxy scanner as a Docker application or Kubernetes workload in your environment as a continuous running entity. The proxy scanner continuously fetches new images from your environment and collects the required image metadata for vulnerability assessments. Using the associated integration token that was created when you integrated the proxy scanner in the Lacework Console, the proxy scanner initiates an API request for assessment by Lacework. After the token is authorized, Lacework assesses the image meta data and provides risk assessments for the container images. You can view the results on the Vulnerability Assessment page in the Lacework Console.
Default Scanning Quotas
- The proxy scanner supports a maximum of 2000 image assessments per hour for each Lacework account.
- For Kubernetes Admission Controller integrations, the limit is 1000.
- For each integration, there is a maximum of 50 image assessments per hour for each repository.
Private Registry Scanning
If your registry is not accessible from the internet, you must create a registry integration and then set up the Lacework Proxy Scanner in your environment to pull images from your network.
The Lacework Proxy Scanner supports the same methods as the Lacework Platform Scanner to scan a registry:
- Registry notification: The registry sends an event to Lacework whenever a new image has been uploaded.
- Auto-polling: Lacework automatically discovers the list of repositories and new images available in the registry.
- On-demand: Manually request the scan of a container using the Lacework CLI.
Proxy Scanner Support
The proxy scanner is currently packaged in Linux.
For information about package assessment, see the Package Assessment Support section.
The proxy scanner supports the following container registries and scan types.
Registry | Support |
---|---|
Docker V2 API-compatible registries with these APIs: /v2/_catalog /v2/{name}/tags/list | Auto polling On-demand scans |
Amazon Elastic Container Registry (ECR) | Auto polling On-demand scans |
Azure Container Registry (as Docker V2 Registry) | Auto polling Registry notification On-demand scans |
Docker Hub | Registry notification On-demand scans |
Docker Trusted Registry | Registry notification On-demand scans |
Docker V2-based authentication registries | Registry notification On-demand scans |
GitHub Container Registry | Registry notification On-demand scans |
Google Container Registry (GCR) | Auto polling On-demand scans |
Harbor | Registry notification On-demand scans |
JFrog | Registry notification On-demand scans |
Red Hat Quay | Auto polling On-demand scans |
Multi-Architecture Image Support
The Lacework proxy scanner supports multi-architecture container images during scans. Multi-architecture images are supported by scanning manifests that list multiple platform versions of the image.
An example of a manifest list for a multi-architecture image can be found here.
Lacework scans the first platform architecture version found in the following order:
- AMD64
- ARM64
- ARM32
Integration Setup Overview
Integration setup consists of the following steps:
- Create a proxy scanner integration in the Lacework Console
- Create a configuration yaml file and configure it for:
- Deploy the proxy scanner
- (On-demand scans only) Run a curl command to initiate a scan.
Navigate to Proxy Scanner Integration
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container registries.
- Click + Add New.
- Click Proxy Scanner.
- Click Next.
- Follow the steps in the next section.
Create a Proxy Scanner Integration in Lacework
Creating an integration in the Lacework Console is the first step in setting up a proxy scanner. To create an integration, follow these steps:
- Name the integration and complete any optional settings.
- Click Save.
Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner. - Click the Authorization Token’s copy to clipboard icon.
This is the integration’s associated token. You need this to configure the proxy scanner.
After you save the integration, its name displays on the Integrations Container Registry page. For next steps, continue to Configure the Proxy Scanner.
Proxy Scanner Settings
Setting Name | Description |
---|---|
Name | Specify a unique name to display for the integration in the Lacework Console. |
CI / CD Policies | Associate Policies with a Registry Integration. |
note
See Environment Variables for Auto Polling for additional options relating to scanning and tags. Only applicable if you are configuring the Proxy Scanner for Auto polling.
Configure the Proxy Scanner
To configure the proxy scanner, you must create a configuration yaml file (config.yml
). See the following sections for specific configuration information and examples for each scan type.
The config.yml
configuration file contains the following fields:
scan_public_registries: Enter true (or omit the field) if you want to scan images from public registries. Enter false if not.
static_cache_location: The static file mount location. The recommended path is /opt/lacework.
disable_expand_env: Enter true (or omit the field) if you want to allow special characters to be used in the config (such as $).
default_registry: Provide the default registry. This must match the domain value.
lacework:
account_name: Lacework account name.
integration_access_token: The integration's access token from the Lacework Console.
existingSecret: Only relevant if using Kubernetes Helm Charts. See relevant section below for details.
key: The Kubernetes secret key for Inline Scanner, for example: "lw-scanner-token".
name: The Kubernetes secret name for Inline Scanner, for example: "lw-scanner-secret".
registry_secret_name: Only relevant if using Kubernetes Helm Charts. See relevant section below for details.
registries:
- domain: The registry domain using one of these formats: IP:Port, Domain:Port, or a public domain.
image_filter: Limit scanning to a specified list of repositories/images that you want to assess. See relevant section below for details.
name: Unique registry name
auth_header_name: Provide NoAuth if the registry does not require authentication. Not required for public registries.
auth_type: Enter gcr|ecr/quay if the registry type is GCR, ECR, or Quay respectively.
is_public: Enter true if the registry does not require credentials.
ssl: Whether the registry uses SSL, enter true|false.
auto_poll: If supported, whether to auto poll the registry, enter true|false.
credentials: This field varies depending on the type of authentication required for the registry.
poll_frequency_minutes: Polling frequency to fetch new images, 20 is the minimum value. Not used for registry notification or on-demand scans.
disable_non_os_package_scanning: Whether the scanner will search for non-OS library packages. Enter true|false.
go_binary_scanning: Whether the scanner will search for Go binary executables.
enable: true|false
scan_directory_path: Restrict Go binary scanning to a specified directory in the image, for example: "/usr/bin".
notification_type: If using registry notification, enter the notification type: acr|dtr|ghcr|hub|jfrog|v2_registry.
The sections below provide more detail on how to use these fields.
Amazon ECR integrations
If you are running the Proxy Scanner on an EC2/ECS instance, see Automated Configuration for Private Amazon ECRs as only minimal configuration is required.
scan_public_registries
Set scan_public_registries: true
if you are scanning images from registries that are publicly accessible (the default is true
if the field is omitted).
This will allow for anonymous pulling of images unless is_public: false
.
static_cache_location
The static file mount location used by the Proxy Scanner. The recommended path is /opt/lacework
.
disable_expand_env
Set disable_expand_env: true
if you want to use special characters (such as $
) within the config.yml
.
For example, if your user_name
is "$robotci"
, you must include this config property and set it to true.
default_registry
Specify a default registry if you don't want to include the registry in curl commands for on-demand scans.
note
The default_registry
and domain
values need to match.
static_cache_location: /opt/lacework
default_registry: index.docker.io
lacework:
account_name: myAccountName
integration_access_token: MyAccessToken
registries:
- domain: index.docker.io
name: myRegistry
ssl: true
is_public: true
auto_poll: false
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
account_name
account_name
specifies your Lacework account in the format: customer.availabilityzone. For this configuration field, customer is the identifier for your account and the availabilityzone specifies the logical data center for that region.
For example, a company named Specialized Software hosted in Frankfurt has the account name specializedsoftware.fra
.
tip
This can be found as part of the URL used to access your Lacework Console (for example: https://specializedsoftware.fra.lacework.net
). However, do not include the .lacework.net
portion when entering the account name.
integration_access_token
The integration_access_token
is available in the Lacework Console after Creating a Proxy Scanner Integration.
existingSecret
important
This is an optional field for when you don't want the access token details displayed in plain text in the config.yml
file.
This field is only relevant when using Kubernetes Helm Charts to deploy the Proxy Scanner.
Optionally, store the Lacework access token outside of Helm by using the existingSecret
fields to reference the Kubernetes secrets for the Inline Scanner.
Create your Kubernetes Secret by creating a Config file to contain the necessary data.
Example contents of Kubernetes Secret Config file for lw-scanner-tokenapiVersion: v1
kind: Secret
metadata:
name: lw-scanner-secret
namespace: default
type: Opaque
data:
lw-scanner-token: _123456789abcdef123456789abcdUse an existing secret in your Lacework Helm charts by choosing one of the following options:
Enter a command such as:
Example for Combined Helm Charts--set proxy-scanner.config.lacework.integration_access_token.existingSecret.key="lw-scanner-token"
--set proxy-scanner.config.lacework.integration_access_token.existingSecret.name="lw-scanner-secret"Example for Separate Helm Charts--set config.lacework.integration_access_token.existingSecret.key="lw-scanner-token"
--set config.lacework.integration_access_token.existingSecret.name="lw-scanner-secret"Add the
key
andname
values into the Proxy Scanner config:Examplelacework:
account_name: YourLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secretExamples of Proxy Scanner configurations for Kubernetes Admission Controller using:
registry_secret_name
important
This is an optional field for when you don't want the registry details displayed in plain text in the config.yml
file.
This field is only relevant when using Kubernetes Helm Charts to deploy the Proxy Scanner.
Store all configuration information in registries
in a base64 string and then create a Kubernetes secrets to contain this info.
This can then be referenced in the Proxy Scanner config as a Kubernetes secret (instead of listing registry details and credentials in plain text).
Create the
registries
section for your Proxy Scanner config. The example below has details for two different registries.Example for registries- domain: gcr.io
name: test-gcr
ssl: true
auth_type: gcr
credentials:
client_email: my@emailaddress.iam.gserviceaccount.com
client_id: 123
private_key_id: 12345
private_key: 12345
go_binary_scanning:
enable: true
- domain: 12345.dkr.ecr.us-west-2.amazonaws.com
name: test-ecr
ssl: true
auth_type: ecr
credentials:
access_key_id: 12345
secret_access_key: 12345
go_binary_scanning:
enable: trueConvert the
registries
section to base64.Examplecat <registries-config> | base64
Use the output for the Kubernetes Secret in the next step.
Create your Kubernetes Secret. One way to do this is by creating a Config file to contain the necessary data.
Example contents of Kubernetes Secret Config file for registriesapiVersion: v1
kind: Secret
metadata:
name: scanner-registry-secrets
labels:
tier: monitoring
app: lacework-proxy-scanner
type: Opaque
data:
registries: <b64 encoded string from previous step>important
The key within
data
has to be namedregistries
for the configuration to be correctly applied.Save this as a YAML file to be referenced in the next step.
Run the following command to apply the configuration.
Examplekubectl apply -f <secret-config-file-for-registries>.yaml
Set your Proxy Scanner config to reference the registries secret (
scanner-registry-secrets
in this case):note
These examples also use the
existingSecret
option for the Lacework Access Token.Example for Combined Helm Chartproxy-scanner:
config:
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registry_secret_name: scanner-registry-secretsExample for Separate Helm Chartsconfig:
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registry_secret_name: scanner-registry-secretsSee also the following examples for Proxy Scanner configurations for Kubernetes Admission Controller using:
registries
You can add more registries by repeating the series of fields under registries:
. Each defined registry can use a different scan type.
note
Accessing multiple registries by using the same domain name (domain: xyz
) is not supported.
To access multiple registries within the same domain, set up separate config files and Proxy Scanner deployments.
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
account_name: YourLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: FirstDomain:8080
name: Registry1
ssl: true
is_public: false
auto_poll: true
credentials:
user_name: "UserName1"
password: "Password1"
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
- domain: SecondDomain:8080
name: Registry2
ssl: true
is_public: false
auto_poll: false
credentials:
user_name: "UserName2"
password: "Password2"
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
domain
The registry domain in one of these formats:
IP:Port
Domain:Port
- A Public Domain (for example:
index.docker.io
)
image_filter
If you do not want to assess all images in this registry, use the image filter option to specify a list of repositories/images, tags, and/or labels to discover and assess.
...
- domain: index.docker.io
image_filter:
repository:
- myRepository/image_to_scan
- myRepository/another_image_to_scan
tags:
- prod
labels:
- key: env
value: prod
...
repository
Specify a list of repositories/images to discover and assess.
...
- domain: index.docker.io
image_filter:
repository:
- myRepository/image_to_scan
- myRepository/another_image_to_scan
...
tags
Specify a list of image tags to discover and assess.
...
- domain: index.docker.io
image_filter:
tags:
- prod
...
labels
Specify a list of image labels to discover and assess.
...
- domain: index.docker.io
image_filter:
labels:
- key: env
value: prod
...
name
The registry name available in the specified domain
.
auth_header_name
important
If connecting to a public registry, use the scan_public_registries: true
field and value instead of this.
If you are not providing credentials, some registries may require the following value set for the auth_header_name
:
auth_header_name: NoAuth
Omit the field from the configuration if you are providing credentials or if the registry does not require a NoAuth
header.
auth_type
Provide this field if you are integrating with Amazon ECR (public or private), GCR (private only), or Red Hat Quay.
The value for this field depends on the registry type:
- For Amazon ECR, use
auth_type: ecr
. - For GCR, use
auth_type: gcr
. - For Red Hat Quay, use
auth_type: quay
.
Provide credentials for your registry type when including this field, unless is_public: true
has been set.
is_public
Enter is_public: true
if you are integrating with a registry that doesn't require credentials (the default is false
if this field is omitted).
Set to false
or omit this field if you are providing credentials.
ssl
Whether the registry domain uses SSL/TLS (https://
), enter true
or false
.
auto_poll
Set to true
if you are configuring for Auto Polling. Default is false
.
Check that your registry type supports Auto Polling.
credentials
This field will vary depending on the registry type and the authentication method(s) supported by the registry.
Basic Authentication
For basic authentication methods (such as for Docker V2 or Red Hat Quay authentication), use the following template:
credentials:
user_name: User name to connect to the registry
password: Password to connect to the registry
Ensure to encase the values in double quotes:
credentials:
user_name: "MyUsername"
password: "MyPassword"
GCR Authentication
important
Ensure auth_type
has been set to gcr
.
For GCR authentication, use the following template:
credentials:
client_email: Google Cloud email address for GCR access
client_id: Google Cloud ID for GCR access
private_key_id: Private Key ID for GCR access
private_key: Base64 encoded private key for GCR access
Format for private_key
The private_key
value must be in base64 format.
For GCP service account keys, the JSON can be converted to the correct base64 format by using the following command:
cat <gcp-service-account-key-file>.json | jq -r ".private_key" | base64
Use this value for the private_key:
field.
Ensure to encase the values in double quotes:
credentials:
client_email: "my-service-account@project-id.iam.gserviceaccount.com"
client_id: "112233445566778899001"
private_key_id: "1a2b3c4d5f6a7b3x4mp132a3b4c5d6e7f0a1b2c"
private_key: "BASE64_ENCODED_STRING"
Amazon ECR Authentication
important
Ensure auth_type
has been set to ecr
.
tip
If you are running the Proxy Scanner on an EC2/ECS instance, see Automated Configuration for Private Amazon ECRs before proceeding with this section.
Access and Secret Keys
For access and secret keys, use the following template:
credentials:
access_key_id: AWS Access Key for Amazon ECR access
secret_access_key: AWS Secret Key for Amazon ECR access
Ensure to encase the values in double quotes:
credentials:
access_key_id: "MYACCESSKEYIDEXAMPLE"
secret_access_key: "c0nt3ntMYSECRETKEYEXAMPLEc0nt3ntc0nt3ntc"
Local Profile Credentials
For local profile credentials, use the following template:
credentials:
use_local_credentials: true
credentials_profile: AWS credentials profile name
credentials:
use_local_credentials: true
credentials_profile: default
poll_frequency_minutes
Polling frequency to fetch new images in minutes, 20 is the minimum value.
Only applicable for Auto Polling (not used for registry notification or on-demand scans).
disable_non_os_package_scanning
Set the disable_non_os_package_scanning
field to true
if you want to disable the scanning of programming language libraries. When this field is omitted, the default value is false
.
See Language Libraries Support for details on what is scanned.
note
This field replaced scan_non_os_packages
in v4.42.
go_binary_scanning
Enable or disable Go binary scanning by using the fields as demonstrated in the examples below:
go_binary_scanning:
enable: true
go_binary_scanning:
enable: false
scan_directory_path
Restrict Go binary scanning to a specified directory in images by using the following field:
scan_directory_path: ""
In the example below, only Go binaries located in the /usr/bin
directory will be scanned for vulnerabilities.
go_binary_scanning:
enable: true
scan_directory_path: "/usr/bin"
notification_type
The following table lists the value required for each type of registry:
Registry Type | Value |
---|---|
Azure Container Registry | acr |
Docker Trusted Registry | dtr |
GitHub Container Registry | ghcr |
Docker Hub | hub |
JFrog | jfrog |
Docker V2-based authentication registry | v2_registry |
Omit this field if not using registry notification.
Automated Configuration for Private Amazon ECRs
If you configure the Proxy Scanner to run on an Amazon EC2/ECS instance, it will attempt to automatically discover and authenticate with the private ECR available to the local IAM role (attached to the instance).
Ensure that the local user running the Proxy Scanner has local profile credentials configured. The local profile should be automatically created once an IAM role is attached to an EC2 instance. This role allows you to read the private ECR repositories associated with the account.
A minimal
config.yml
is still required to deploy the Proxy Scanner:Examplestatic_cache_location: /opt/lacework
lacework:
account_name: myAccountName
integration_access_token: MyAccessTokenOnce you have created the
config.yml
, proceed to Deploy the Proxy Scanner.After deployment, you can then start using curl commands to carry out scans on-demand.
Example Configurations for Different Authentication Types
These are some examples of the config.yml
file for different authentication methods that use the auth_header_name
, auth_type
, is_public
, and credentials
fields.
note
Each example is configured for on-demand scans.
Public Registries Example
This example applies to many public registries that allow anonymous access, such as index.docker.io
, mcr.microsoft.com
, gcr.io
, public.ecr.aws
, etc.
static_cache_location: /opt/lacework
default_registry: index.docker.io
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: index.docker.io
name: myPublicRegistry
is_public: true
ssl: true
auto_poll: false
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Private Docker Hub Example
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: index.docker.io
name: myPrivateRegistry
is_public: false
ssl: true
auto_poll: false
credentials:
user_name: "myUserName"
password: "myPassword"
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Private Red Hat Quay Example
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: quay.io
name: myPrivateRegistry
is_public: false
ssl: true
auto_poll: false
credentials:
user_name: "myUserName"
password: "myPassword"
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Private Google Container Registry (GCR) Example
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: gcr.io
name: myPrivateRegistry
auth_type: gcr
is_public: false
ssl: true
auto_poll: false
credentials:
client_email: "my-service-account@project-id.iam.gserviceaccount.com"
client_id: "112233445566778899001"
private_key_id: "1a2b3c4d5f6a7b3x4mp132a3b4c5d6e7f0a1b2c"
private_key: "BASE64_ENCODED_STRING"
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
note
For the private_key
value, see GCR Authentication for guidance on the correct formatting.
Private Amazon Elastic Container Registry (ECR) Examples
Amazon ECR integrations
If you are running the Proxy Scanner on an EC2/ECS instance, see Automated Configuration for Private Amazon ECRs as only minimal configuration is required.
scan_public_registries: false
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: <aws_account_id>.dkr.ecr.<region>.amazonaws.com
name: myPrivateRegistry
auth_type: ecr
is_public: false
ssl: true
auto_poll: false
credentials:
access_key_id: "MYACCESSKEYIDEXAMPLE"
secret_access_key: "c0nt3ntMYSECRETKEYEXAMPLEc0nt3ntc0nt3ntc"
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: <aws_account_id>.dkr.ecr.<region>.amazonaws.com
name: myPrivateRegistry
auth_type: ecr
is_public: false
ssl: true
auto_poll: false
credentials:
use_local_credentials: true
credentials_profile: default
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Kubernetes Admission Controller Using Combined Helm Chart Examples
proxy-scanner:
config:
default_registry: index.docker.io
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registries:
- domain: index.docker.io
name: myRegistry
ssl: true
auto_poll: false
is_public: true
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
proxy-scanner:
config:
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registry_secret_name: scanner-registry-secrets
proxy-scanner:
config:
default_registry: index.docker.io
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: index.docker.io
name: myRegistry
ssl: true
auto_poll: false
is_public: true
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Kubernetes Admission Controller Using Separate Helm Charts Examples
config:
default_registry: index.docker.io
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registries:
- domain: index.docker.io
name: myRegistry
ssl: true
auto_poll: false
is_public: true
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
config:
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token:
existingSecret:
key: lw-scanner-token
name: lw-scanner-secret
registry_secret_name: scanner-registry-secrets
config:
default_registry: index.docker.io
static_cache_location: /opt/lacework
lacework:
account_name: myLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: index.docker.io
name: myRegistry
ssl: true
auto_poll: false
is_public: true
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
Configure for Auto Polling
You can configure the proxy scanner for auto polling of new images from the registry if your registry is Docker V2 API-compatible. This means your registry must have the following APIs available:
- /v2/_catalog
- /v2/{name}/tags/list
If your registry doesn't have either of the previous APIs, you can configure the proxy scanner for registry notification or on-demand scans.
Environment Variables for Auto Polling
The Proxy Scanner has certain environment variables that can be set to increase or decrease scanning performance. These are listed in the table below:
Environment Variable | Description | Default Value |
---|---|---|
COOL_OFF_AFTER_TAG_COUNT | The amount of time in milliseconds before the Proxy Scanner will retry scanning the registry for tags. | 1 |
COOL_OFF_MILLISECONDS | The amount of time in milliseconds before the Proxy Scanner will retry scanning the registry. | 10 |
MAX_CONCURRENT_SCANS | The maximum amount of concurrent scans that the Proxy Scanner will perform on the registry. | 20 |
MAX_BOOT_TIME_TAGS | The maximum number of new tags that will be scanned when the Proxy Scanner starts up. | 5 |
MAX_TAGS_PER_REPO | The maximum number of new tags per repository that are scanned by the Proxy Scanner. | 50 |
The environment variables can be set on the Proxy Scanner host. Use the -e
, --env
, and --env-file
flags to set these environment variables in the proxy scanner container. See the docker run document for more details.
export COOL_OFF_AFTER_TAG_COUNT=1 \
export COOL_OFF_MILLISECONDS=10 \
export MAX_CONCURRENT_SCANS=20 \
export MAX_BOOT_TIME_TAGS=5 \
export MAX_TAGS_PER_REPO=50
CPU and Memory Requirements for MAX_CONCURRENT_SCANS
and Image Sizes
When setting the MAX_CONCURRENT_SCANS
value, and depending on your image sizes, the Proxy Scanner service on the host should be allocated the recommended CPU and Memory requirements.
Here are some examples for the CPU and Memory requirements:
MAX_CONCURRENT_SCANS Value | Image Size Range | CPU & Memory Recommendations |
---|---|---|
20 | 100MB - 1.5GB | CPU = 2 Cores, Memory = 4GB |
30 | 100MB - 3GB | CPU = 2 Cores, Memory = 6.5GB |
20 | 100MB - 6GB | CPU = 2 Cores, Memory = 8.5GB |
Memory Calculation
Maximum image size + n
+ 500MB additional headroom.
The value of n
is:
1
ifMAX_CONCURRENT_SCANS
is set to 10 or less.2
ifMAX_CONCURRENT_SCANS
is set between 10 and 20.3
ifMAX_CONCURRENT_SCANS
is set between 20 and 30.
Example: 3GB + 3 + 0.5GB = 6.5GB Memory
CPU Calculation
Maximum of two core CPU is sufficient for most workloads.
For better performance when MAX_CONCURRENT_SCANS
exceeds 30
, add one additional core CPU.
Example config.yml for Auto Polling
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: YourLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: YourDomain:8080
name: YourRegistry
ssl: true
is_public: false
auto_poll: true
credentials:
user_name: "YourUserName"
password: "Password1"
poll_frequency_minutes: 20
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
for mac OS
Depending on where you are binding from, Docker might not have permission to access the directory. You can change this by adding Docker under macOS Settings > Security & Privacy > Privacy > Full Disk Access. You must also add the directory to be bind mounted under Docker Settings Resources > File Sharing.
After configuration, deploy the proxy scanner. The proxy scanner scans images and sends the manifest to Lacework for assessment. Within 10 to 15 minutes the Lacework Console displays assessment results.
Configure for Registry Notification
Registry notification is supported for the following registries:
- Azure Container Registry
- Docker Hub
- Docker Trusted Registry
- Docker V2-based authentication registries
- GitHub Container Registry
- Harbor
- JFrog
To use registry notifications:
- You must configure the webhook from your registry, which is different for each supported registry.
- Webhook endpoint URL for proxy scanner:
<ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>
. - Http only - Https is not supported.
- SSL verification is not required.
- Configure the webhook to trigger when new images are pushed.
After configuration, Lacework Proxy Scanner can receive notifications that the registry sends in response to the configured image events that happen within the registry. When Lacework Proxy Scanner receives the webhook notifications, it sends the image details to the Lacework cloud to perform an assessment.
Example config.yml for Registry Notification
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: YourLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: YourDomain:8080
name: YourRegistry
ssl: true
is_public: false
auto_poll: false
credentials:
user_name: "YourUserName"
password: "Password1"
# Define the notification type acr|dtr|ghcr|hub|jfrog|v2_registry|harbor that corresponds to your registry
notification_type: harbor
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
_YourRegistry_
is the name of the registry and folder name of the image. For example, if your registry path is docker-hub-remote/library/YourImageName/
the value for _YourRegistry_
is docker-hub-remote/YourImageName/
.
After configuration, deploy the proxy scanner.
Configure for On-Demand Scans
To use on-demand scans, you must create a configuration yaml file, deploy the Proxy Scanner, and use a curl command to initiate a scan.
Example config.yml for On-Demand Scans
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
account_name: YourLaceworkAccount
integration_access_token: _123456789abcdef123456789abcd
registries:
- domain: YourDomain:8080
name: YourRegistry
ssl: true
is_public: false
auto_poll: false
credentials:
user_name: "YourUserName"
password: "Password1"
disable_non_os_package_scanning: false
go_binary_scanning:
enable: true
_YourRegistry_
is the name of the registry and the folder name of the image. For example, if your registry path is docker-hub-remote/library/YourImageName/
the value for _YourRegistry_
is docker-hub-remote/YourImageName/
.
Deploy the Proxy Scanner for On-Demand Scans
Deploy the Proxy Scanner as instructed in this section.
Curl command for On-Demand Scans
Once you have configured and deployed the Proxy Scanner, use a curl command to carry out scans on-demand.
curl --location --request POST 'YourHost:8080/v1/scan' \
--header 'Content-Type: application/json' \
--data-raw '{
"registry": "YourRegistry",
"image_name": "YourRepository/YourImage",
"tag": "YourValue"
}'
Replace the _Your_
placeholders with your values. Replace YourHost:8080
with your environment's host and port. For example, if you deploy the proxy scanner within EC2, use the IP address provided by AWS.
info
If you are using the default_registry
field in the config.yml, and you are making a call to that registry, you can omit "registry": "YourRegistry",
from the command.
After configuration, you can make an API call whenever an image is built so Lacework can assess it. Within 10 to 15 minutes the Lacework Console displays assessment results.
Response codes:
- 200 - successful scan
- 204 - already scanned
- non 2xx - failure
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.
Using the Docker client [cli], pull the Lacework image:
docker pull lacework/lacework-proxy-scanner:latest
Create a writeable container layer and start the image:
info
If using local profile credentials for Amazon ECR, adjust the deploy command as shown in the section below.
docker run \
--mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache \
-v `pwd`/config.yml:/opt/lacework/config/config.yml \
-p 8080:8080 \
lacework/lacework-proxy-scannerwhere
"$(pwd)"/cache
is the persistent storage location where you want to store cache
`pwd`/config.yml
is your configuration file locationExampledocker run \
--mount type=bind,source=/YourHostDirectoryPath/cache,target=/opt/lacework/cache \
-v /YourHostDirectoryPath/config.yml:/opt/lacework/config/config.yml \
-p 8080:8080 \
lacework/lacework-proxy-scanner:latestFor debugging purposes, add
-e LOG_LEVEL=debug
:docker run -e LOG_LEVEL=debug -d --mount ...
Available LOG_LEVEL options =
error|warn|debug
Using Amazon ECR Local Profile Credentials
If you are using local profile credentials for Amazon ECR, add an additional volume mount for the AWS credentials file:
docker run -d \
--mount type=bind,source="$(pwd)",target=/opt/lacework/cache \
-v "$(pwd)"/config.yml:/opt/lacework/config/config.yml \
-v ~/.aws/credentials:/root/.aws/credentials \
-p 8080:8080 \
lacework/lacework-proxy-scanner:latest
Troubleshoot
Scanning Registry Failed with Error 504 Instead of 2xx
important
These troubleshooting steps only apply to a Proxy Scanner configured for Auto Polling.
If the Proxy Scanner log reports errors when trying to scan a registry (such as 504
meaning service not available
), you can slow down the polling rate of the Proxy Scanner requests by using environment variables for auto polling.
The environment variables can be set on the Proxy Scanner host:
export COOL_OFF_AFTER_TAG_COUNT=10 \
export COOL_OFF_MILLISECONDS=100 \
export MAX_CONCURRENT_SCANS=10
Scan Java Images Offline
By default, the Proxy Scanner accesses https://search.maven.org/solrsearch/select when searching for Maven Java dependencies/jars. If this Maven site is down, the Proxy Scanner can fail with EOF
and 504
timeouts.
Use the following environment variable if you want to stop the Proxy Scanner from accessing https://search.maven.org/solrsearch/select for Maven Java dependencies:
JAVA_OFFLINE_MODE=true