Integrate Proxy Scanner with JFrog Registry

Deploy a proxy scanner that integrates with your JFrog registry to provide container vulnerability assessments.

Create a Proxy Scanner Integration in Lacework

To set up a proxy scanner you must first create an integration in the Lacework Console. To create an integration:

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container Registries.
  3. Click + Add New.
  4. From the Registry Type drop-down, select Proxy Scanner and click Next.
  5. Complete the required settings.
  6. Click Save.
    Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner.
  7. Click the Authorization Token’s copy to clipboard icon.
    This is the integration’s associated token. You need this to configure the proxy scanner.

Configure the JFrog Registry Repository

  1. Navigate to the Administration module and click Repositories.
  2. Create a new local Docker repository and provide a Repository Key (for example: docker-quickstart-local).
  3. Leave the remaining options on their default settings.
  4. Click Save & Finish.

Configure the Proxy Scanner

  1. Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.

  2. Select the repository key that you created in Configure the JFrog Registry Repository (for example: docker-quickstart-local).

  3. Use the configuration details from this repository to help create a config.yml file that will be used by the proxy scanner.

    Example
    scan_public_registries: false
    static_cache_location: /opt/lacework
    default_registry:
    lacework:
      account_name: lacework-account
      integration_access_token: authorization-token
    registries:
      - domain: JFROG-FQDN:PORT
        name: JFrog
        ssl: true
        auto_poll: false
        is_public: false
        credentials:
          user_name: "userinregistry"
          password: "password"
        notification_type: jfrog
        disable_non_os_package_scanning: false
        go_binary_scanning:
          enable: true

    Adjust the values for the following settings to match your repository and environment:

    • account_name: Your Lacework account in the format: customer.availabilityzone. For this setting, customer is the identifier for your account and the availabilityzone specifies the logical data center for that region. For example, a customer named "Specialized Software" running in the European Lacework cloud in Frankfurt has the account name specializedsoftware.fra.
    • integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
    • domain: Adjust the domain to your environment. Use the URL to file entry from JFrog.
      • Use the same domain that you use for Docker login. For example:
        • If you log into Docker using dockerHost:Port, use domain = dockerHost:Port.
        • If you log into Docker using dockerHost, use domain = dockerHost.
    • ssl: Set to true if your JFrog registry is configured with HTTPS. For an SSL/HTTPS based registry, do not append port 443 to the domain; set ssl to true instead.
    • auto_poll: Set to false or omit this field from your config (as the proxy scanner is being configured for registry notification).
    • user_name: Provide your JFrog registry username.
    • password: Provide your JFrog registry username's password.
    • disable_non_os_package_scanning: Change to true if you want to disable scanning of Language Libraries (non-OS packages).
    • go_binary_scanning: Set enable to true if you want to scan for Go binaries.
  4. Check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.
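    The settings above are easy to get subtly wrong (a placeholder left in place, a URL instead of the docker-login host, ":443" combined with ssl: true, auto_poll left on while relying on webhooks). The following script is an added example, not Lacework's own tooling: it loads config.yml (PyYAML is only needed for the file path; the checks themselves work on a plain dict) and reports every documented rule the file violates before you start the container. The account_name regex, the constructed sample configs and the placeholder list are assumptions derived from the example above.

```python
"""Sanity-check a proxy scanner config.yml against the rules documented for the
JFrog integration. Added example; not Lacework's own code."""
import re
from typing import Any, Dict, List

# Values that appear verbatim in the documented example and must be replaced
# before deployment (assumption: any of these still present means "not edited").
PLACEHOLDERS = {"lacework-account", "authorization-token", "JFROG-FQDN:PORT",
                "userinregistry", "password"}


def load_config(path: str) -> Dict[str, Any]:
    """Read config.yml from disk; PyYAML is required only for this helper."""
    import yaml  # deferred so check_config() works without PyYAML installed
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def check_config(cfg: Dict[str, Any]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the file passes."""
    findings: List[str] = []
    lw = cfg.get("lacework") or {}

    # account_name must look like customer.availabilityzone (e.g. specializedsoftware.fra);
    # the character class is an assumption based on that example.
    account = str(lw.get("account_name", ""))
    if account in PLACEHOLDERS or not re.fullmatch(r"[A-Za-z0-9-]+\.[A-Za-z0-9-]+", account):
        findings.append(f"lacework.account_name {account!r} is not in customer.availabilityzone form")

    token = str(lw.get("integration_access_token", ""))
    if not token or token in PLACEHOLDERS:
        findings.append("lacework.integration_access_token still holds the placeholder")

    registries = cfg.get("registries") or []
    if not registries:
        findings.append("registries: no registry entries defined")

    for i, reg in enumerate(registries):
        prefix = f"registries[{i}]"
        domain = str(reg.get("domain", ""))
        if not domain or domain in PLACEHOLDERS:
            findings.append(f"{prefix}.domain still holds the placeholder")
        # The domain is the host[:port] used for docker login, never a full URL.
        if re.match(r"https?://", domain):
            findings.append(f"{prefix}.domain must be the bare host[:port] used for docker login, not a URL")
        # With ssl: true the docs say not to add port 443.
        if reg.get("ssl") is True and domain.endswith(":443"):
            findings.append(f"{prefix}.domain: drop :443 and rely on ssl: true")
        # Webhook-driven registries must not also poll.
        if reg.get("notification_type") == "jfrog" and reg.get("auto_poll", False):
            findings.append(f"{prefix}.auto_poll must be false or omitted when JFrog webhooks are used")
        creds = reg.get("credentials") or {}
        for key in ("user_name", "password"):
            value = str(creds.get(key, ""))
            if not value or value in PLACEHOLDERS:
                findings.append(f"{prefix}.credentials.{key} still holds the placeholder")
        gbs = reg.get("go_binary_scanning")
        if gbs is not None and not (isinstance(gbs, dict) and isinstance(gbs.get("enable"), bool)):
            findings.append(f"{prefix}.go_binary_scanning.enable must be true or false")
    return findings


# Constructed sample 1: the documented example, placeholders untouched.
DOC_EXAMPLE: Dict[str, Any] = {
    "scan_public_registries": False,
    "static_cache_location": "/opt/lacework",
    "default_registry": None,
    "lacework": {"account_name": "lacework-account",
                 "integration_access_token": "authorization-token"},
    "registries": [{"domain": "JFROG-FQDN:PORT", "name": "JFrog", "ssl": True,
                    "auto_poll": False, "is_public": False,
                    "credentials": {"user_name": "userinregistry", "password": "password"},
                    "notification_type": "jfrog",
                    "disable_non_os_package_scanning": False,
                    "go_binary_scanning": {"enable": True}}],
}

# Constructed sample 2: the same file with every value filled in (hostnames and
# secrets are made up for illustration).
CONSTRUCTED_GOOD_CONFIG: Dict[str, Any] = {
    "scan_public_registries": False,
    "static_cache_location": "/opt/lacework",
    "default_registry": None,
    "lacework": {"account_name": "specializedsoftware.fra",
                 "integration_access_token": "example-token-copied-from-console"},
    "registries": [{"domain": "artifactory.example.internal:8082", "name": "JFrog", "ssl": True,
                    "auto_poll": False, "is_public": False,
                    "credentials": {"user_name": "scanner-svc", "password": "example-s3cret"},
                    "notification_type": "jfrog",
                    "disable_non_os_package_scanning": False,
                    "go_binary_scanning": {"enable": True}}],
}

if __name__ == "__main__":
    for label, cfg in (("documented example", DOC_EXAMPLE), ("filled-in config", CONSTRUCTED_GOOD_CONFIG)):
        print(f"{label}: {check_config(cfg) or 'OK'}")
```

    Run it as `python check_config.py` to see the two constructed samples scored, or call `check_config(load_config("config.yml"))` against the file you are about to bind-mount into the container.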

Deploy the Proxy Scanner

Before you deploy the proxy scanner, ensure that you have set up a host machine with Docker installed.

  1. Pull the latest Lacework proxy scanner image:

    docker pull lacework/lacework-proxy-scanner:latest
  2. Create a persistent storage location for the Lacework proxy scanner cache and change the ownership:

    mkdir cache
    chown -R 1000:65533 cache
  3. Start the Lacework proxy scanner:

    docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner

    For debugging purposes, add -e LOG_LEVEL=debug:

    docker run -e LOG_LEVEL=debug -d --mount ...

    Available LOG_LEVEL values: error, warn, debug

Configure the JFrog Registry Webhook (for Optional Notifications)

Note: For JFrog to send webhooks, turn off Artifactory Webhook Validation.

  1. Navigate to the JFrog Administration Module > General > Webhooks

  2. Create a new webhook and provide the following details:

    • Name: Provide a name for the webhook (for example: LWProxyscanner)

    • URL: Specify the URL that the webhook invokes.

      Example

      <ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>

      Replace the following placeholders in the webhook URL:

      • <ProxyScannerHost>: the FQDN or IP address of your proxy scanner instance.
      • <RegistryNameFromYourConfig.yml>: the name value of the matching registry entry in config.yml (JFrog in the example above).
    • Events: Select Docker Tag was pushed and/or Docker Tag was promoted.

    • Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.

  3. Click Create or Save once complete.

  4. Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).
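  The webhook URL has to match the registry name in config.yml exactly and reach the port published by the docker run command, which is where most failed integrations go wrong. The script below is an added example, not Lacework's or JFrog's code: webhook_url() builds the documented URL (the http:// scheme is an assumption, since the docs expose the scanner on plain port 8080), registry_name_from_target() performs the same check on an incoming request target, and the optional listener prints whatever Artifactory posts so you can confirm the "Docker Tag was pushed" event fires before pointing the webhook at the real scanner. Host names are made up.

```python
"""Helpers for the JFrog -> proxy scanner webhook URL, plus a throwaway capture
listener for testing delivery. Added example; not Lacework's or JFrog's code."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable
from urllib.parse import parse_qs, quote, urlsplit

PROXY_SCANNER_PORT = 8080            # port published by the documented docker run command
NOTIFICATION_PATH = "/v1/notification"


def webhook_url(proxy_scanner_host: str, registry_name: str, scheme: str = "http") -> str:
    """Build <ProxyScannerHost>:8080/v1/notification?registry_name=<name>.

    The registry name is percent-encoded so a name containing spaces or '&'
    still arrives as a single query value. scheme='http' is an assumption.
    """
    return (f"{scheme}://{proxy_scanner_host}:{PROXY_SCANNER_PORT}{NOTIFICATION_PATH}"
            f"?registry_name={quote(registry_name, safe='')}")


def registry_name_from_target(target: str, known_names: Iterable[str]) -> str:
    """Extract registry_name from a request target such as
    '/v1/notification?registry_name=JFrog' and confirm it is one of the
    name: values from config.yml. Raises ValueError otherwise."""
    parts = urlsplit(target)
    if parts.path != NOTIFICATION_PATH:
        raise ValueError(f"unexpected path {parts.path!r}, expected {NOTIFICATION_PATH}")
    names = parse_qs(parts.query).get("registry_name", [])
    if len(names) != 1:
        raise ValueError("registry_name must appear exactly once in the query string")
    if names[0] not in set(known_names):
        raise ValueError(f"registry_name {names[0]!r} does not match any registry in config.yml")
    return names[0]


class CaptureHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the scanner endpoint: validates the target and prints the body."""
    known_names = {"JFrog"}          # assumption: the name: value from the example config

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            name = registry_name_from_target(self.path, self.known_names)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        print(f"notification for registry {name!r}: {body[:512]!r}")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Constructed values for illustration; the listener binds the scanner's port so
    # the very same webhook URL can be reused once the real container is started.
    print("configure JFrog with:", webhook_url("scanner.example.internal", "JFrog"))
    HTTPServer(("0.0.0.0", PROXY_SCANNER_PORT), CaptureHandler).serve_forever()
```

  Run the script on the host that will later run the container, trigger a push in Artifactory, and confirm a request is printed; a 400 response tells you the registry_name in the webhook URL does not match config.yml. Stop the listener before starting the proxy scanner, since both bind port 8080.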
