Integrate Proxy Scanner with JFrog Registry
Deploy a proxy scanner that integrates with your JFrog registry to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
To set up a proxy scanner you must first create an integration in the Lacework Console. To create an integration:
- Log in to the Lacework Console with an account that has admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Proxy Scanner and click Next.
- Complete the required settings.
- Click Save. Do not download the proxy scanner from the URL shown here; pull the image from Docker Hub instead, as described in Deploy the Proxy Scanner.
- Click the Authorization Token's copy to clipboard icon. This is the integration's authorization token; you need it for the integration_access_token setting when you configure the proxy scanner.
Configure the JFrog Registry Repository
- Navigate to the Administration module and click Repositories.
- Create a new local Docker repository and provide a Repository Key (for example: docker-quickstart-local).
- Leave the remaining options at their default settings.
- Click Save & Finish.
Configure the Proxy Scanner
Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.
Select the repository key that you created in Configure the JFrog Registry Repository (for example: docker-quickstart-local). Use the configuration details from this repository to create the config.yml file that the proxy scanner reads.
Example:
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
  account_name: lacework-account
  integration_access_token: authorization-token
registries:
  - domain: JFROG-FQDN:PORT
    name: JFrog
    ssl: true
    auto_poll: false
    is_public: false
    credentials:
      user_name: "userinregistry"
      password: "password"
    notification_type: jfrog
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
Adjust the values for the following settings to match your repository and environment:
- account_name: Your Lacework account in the format customer.availabilityzone, where customer is the identifier for your account and availabilityzone is the logical data center for that region. For example, a customer named "Specialized Software" running in the European Lacework cloud in Frankfurt has the account name specializedsoftware.fra.
- integration_access_token: The authorization token you copied in Create a Proxy Scanner Integration in Lacework.
- domain: Adjust the domain to your environment, using the URL to file entry from JFrog. Use the same host (and port, if any) that you use for docker login, without a scheme or path. For example:
  - If you log in to Docker using dockerHost:Port, use domain = dockerHost:Port.
  - If you log in to Docker using dockerHost, use domain = dockerHost.
- ssl: Set to true if your JFrog registry is served over HTTPS. For an HTTPS registry, do not append port 443 to the domain; set ssl to true instead.
- auto_poll: Set to false or omit this field, because in this setup the proxy scanner is triggered by registry notifications (the JFrog webhook) rather than by polling.
- user_name: Your JFrog registry username.
- password: The password for that JFrog registry user.
- disable_non_os_package_scanning: Change to true to disable scanning of language libraries (non-OS packages).
- go_binary_scanning: Set enable to true to scan Go binaries.
Check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). With auto_poll disabled, a scan runs when JFrog sends a webhook notification for a pushed or promoted tag; if you enable polling instead, the poll frequency determines how long it takes for the results to appear.
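The settings above carry several easy-to-miss constraints (account name format, domain without a scheme or :443, auto_poll off when JFrog notifications drive scans, placeholders replaced). The following script is an added example for this page, not Lacework tooling: it lints a config.yml against those rules and derives, for each registry entry, the webhook URL you will enter in the Configure the JFrog Registry Webhook section below, so that the registry_name parameter matches the name in the config. The sample configuration, the host name scanner.example.internal and the plain-HTTP scheme of the webhook URL are assumptions for illustration.

```python
"""Lint a proxy scanner config.yml against the rules given above and derive
the JFrog webhook URL for each registry entry.

Added example, not Lacework tooling. The sample config, the host name
scanner.example.internal and the http:// scheme are assumptions.
"""
import re
import sys
from urllib.parse import quote

ACCOUNT_RE = re.compile(r"^[A-Za-z0-9-]+\.[A-Za-z0-9-]+$")  # customer.availabilityzone
# Values that appear verbatim in the example config.yml and must be replaced.
PLACEHOLDERS = {"lacework-account", "authorization-token", "JFROG-FQDN:PORT",
                "userinregistry", "password"}


def lacework_section(cfg):
    """Return the lacework: block. It is accepted at top level (as written
    above) or nested under default_registry, so either layout lints the same."""
    if isinstance(cfg.get("lacework"), dict):
        return cfg["lacework"]
    dr = cfg.get("default_registry")
    return dr.get("lacework", {}) if isinstance(dr, dict) else {}


def lint_config(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    lw = lacework_section(cfg)
    account = lw.get("account_name", "")
    if account in PLACEHOLDERS or not ACCOUNT_RE.match(account):
        findings.append(f"account_name {account!r} must look like customer.availabilityzone")
    token = lw.get("integration_access_token", "")
    if not token or token in PLACEHOLDERS:
        findings.append("integration_access_token is missing or still the placeholder")
    registries = cfg.get("registries") or []
    if not registries:
        findings.append("no registries defined")
    for reg in registries:
        name = reg.get("name") or "<unnamed>"
        domain = reg.get("domain", "")
        if "://" in domain or "/" in domain:
            findings.append(f"{name}: domain {domain!r} must be host[:port] as used for "
                            "docker login, without a scheme or path")
        if not domain or domain in PLACEHOLDERS:
            findings.append(f"{name}: domain is missing or still the placeholder")
        if reg.get("ssl") and domain.endswith(":443"):
            findings.append(f"{name}: drop :443 from the domain; ssl: true already selects HTTPS")
        if reg.get("notification_type") == "jfrog" and reg.get("auto_poll"):
            findings.append(f"{name}: auto_poll must be false or omitted when JFrog webhooks drive scans")
        creds = reg.get("credentials") or {}
        for key in ("user_name", "password"):
            if not creds.get(key) or creds.get(key) in PLACEHOLDERS:
                findings.append(f"{name}: credentials.{key} is missing or still the placeholder")
    return findings


def webhook_urls(cfg, scanner_host, port=8080):
    """Map each registry name to the URL to enter in the JFrog webhook.
    Plain HTTP on 8080 is assumed, matching -p 8080:8080 in the docker run."""
    return {
        reg["name"]: f"http://{scanner_host}:{port}/v1/notification"
                     f"?registry_name={quote(reg['name'], safe='')}"
        for reg in cfg.get("registries") or [] if reg.get("name")
    }


def load_config(path):
    """Load a real config.yml; needs PyYAML (pip install pyyaml)."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed sample: the example config.yml above with every placeholder filled in.
SAMPLE_CONFIG = {
    "scan_public_registries": False,
    "static_cache_location": "/opt/lacework",
    "default_registry": None,
    "lacework": {"account_name": "specializedsoftware.fra",
                 "integration_access_token": "token-copied-from-the-console"},
    "registries": [{
        "domain": "artifactory.example.internal:8082",
        "name": "JFrog",
        "ssl": True,
        "auto_poll": False,
        "is_public": False,
        "credentials": {"user_name": "scanner-ro", "password": "s3cr3t"},
        "notification_type": "jfrog",
        "disable_non_os_package_scanning": False,
        "go_binary_scanning": {"enable": True},
    }],
}

if __name__ == "__main__":
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = lint_config(cfg)
    for p in problems:
        print("FAIL:", p)
    for name, url in webhook_urls(cfg, "scanner.example.internal").items():
        print(f"webhook URL for registry {name}: {url}")
    sys.exit(1 if problems else 0)
```

Run it as `python lint_config.py config.yml` before starting the container; a non-zero exit means at least one rule from the list above is violated. Without an argument it lints the built-in sample and prints the webhook URL for the JFrog registry entry.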
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you have set up a host machine with Docker installed.
Pull the latest Lacework proxy scanner image:
docker pull lacework/lacework-proxy-scanner:latest
Create a persistent storage location for the Lacework proxy scanner cache and change its ownership so that the scanner process inside the container can write to it:
mkdir cache
chown -R 1000:65533 cache
Start the Lacework proxy scanner (the command mounts the cache directory and the config.yml from the current directory and publishes the notification endpoint on port 8080):
docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner
Because config.yml contains the integration token and the registry credentials, keep its file permissions on the host as restrictive as the container user still allows.
For debugging purposes, add -e LOG_LEVEL=debug:
docker run -e LOG_LEVEL=debug -d --mount ...
Available LOG_LEVEL options: error|warn|debug
Configure the JFrog Registry Webhook (for Optional Notifications)
Note: For JFrog to send webhooks, turn off Artifactory Webhook Validation. Artifactory must also be able to reach the proxy scanner host on port 8080.
Navigate to the JFrog Administration Module > General > Webhooks.
Create a new webhook and provide the following details:
- Name: Provide a name for the webhook (for example: LWProxyscanner).
- URL: Specify the URL that the webhook invokes. For example:
  <ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>
  Replace <ProxyScannerHost> with the FQDN or IP address of your proxy scanner instance, and <RegistryNameFromYourConfig.yml> with the name value of the registry entry in config.yml (JFrog in the example above).
- Events: Select Docker Tag was pushed and/or Docker Tag was promoted.
- Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.
Click Create or Save once complete.
Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).