Integrate Proxy Scanner with Sonatype Nexus Registry
Deploy a proxy scanner that integrates with your Nexus registry to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
Creating an integration in the Lacework Console is the first step in setting up the proxy scanner. To create an integration, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Go to Settings > Integrations > Container Registries.
- Click + Add New.
- From the Registry Type drop-down, select Proxy Scanner and click Next.
- Complete the required settings.
- Click Save.
note
Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner.
- Click the Authorization Token's copy to clipboard icon. This is the integration's associated token; you need it to configure the proxy scanner.
Configure the Nexus Registry Repository
- Go to the Administration module and select Repositories, then Repositories.
- Create a new hosted Docker repository, or copy the name of the existing hosted Docker repository (for example: my-nexus-repo-name).
Configure the Proxy Scanner
Go to the Nexus Browse/Welcome page > Browse.
Select the repository key that you created in Configure the Nexus Registry Repository (for example: my-nexus-repo-name). Use the configuration details from this repository to help create a config.yml file that will be used by the proxy scanner.
Example:
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
  account_name: lacework-account
  integration_access_token: authorization-token
registries:
  - domain: NEXUS-FQDN:PORT
    name: my-nexus-repo-name
    ssl: true
    is_public: false
    credentials:
      user_name: "userinregistry"
      password: "password"
    notification_type: nexus
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
Adjust the values for the following settings to match your repository and environment:
account_name: Your Lacework account, in the format customer.availabilityzone. For this setting, customer is the identifier for your account, and availabilityzone specifies the logical data center for that region. For example, a customer named Specialized Software located in France has the account name specializedsoftware.fra.
integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
domain: Adjust the domain to your environment. Use the same domain that you use for Docker login. For example:
- If you log into Docker using dockerHost:Port, use domain = dockerHost:Port.
- If you log into Docker using dockerHost, use domain = dockerHost.
ssl: Set to true if your Nexus registry is configured with HTTPS.
note
If it's an SSL/HTTPS-based registry, do not add port 443; check the SSL checkbox instead.
user_name: Provide your Nexus registry username.
password: Provide your Nexus registry password.
notification_type: Enter nexus.
disable_non_os_package_scanning: Change to true if you want to disable scanning of language libraries (non-OS packages).
go_binary_scanning: Set enable to true if you want to scan for Go binaries.
Check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.
Pull the latest Lacework proxy scanner image:
docker pull lacework/lacework-proxy-scanner:latest
Create a persistent storage location for the Lacework proxy scanner cache and change the ownership:
mkdir cache
chown -R 1000:65533 cache
Start the Lacework proxy scanner:
docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner
For debugging purposes, add -e LOG_LEVEL=debug:
docker run -e LOG_LEVEL=debug -d --mount ...
Available LOG_LEVEL options: error|warn|debug
Configure the Nexus Registry Webhook (for Notification Option Only)
Go to the Nexus Administration Module > System > Capabilities.
Click Create capability and select Webhook: Repository to create a new webhook.
Repository: Select the repository from which you want to receive events.
Event Types: Select Component and click the > button to move it to the Selected box.
URL: Specify the URL that the webhook invokes. This is the URL of the proxy scanner, in the format:
<ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>
Example:
<ProxyScannerHost>:8080/v1/notification?registry_name=my-nexus-repo-name
Click Create capability to save the webhook configuration.
Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).
note
You’ll need to create a webhook configuration like this for each Docker repository you have.
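The shell helpers below are an added example (not Lacework's or Sonatype's own tooling) that turn the rules from Configure the Proxy Scanner, Deploy the Proxy Scanner and Configure the Nexus Registry Webhook into pre-flight checks: the domain rule (no :443 when ssl is true), the 1000:65533 cache ownership, the docker run command with its optional LOG_LEVEL, and the webhook URL that must carry the registry name from config.yml. Host names, directories and the sample config lines are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight helpers for the proxy scanner deployment on this page: an
# added example, not Lacework's or Sonatype's own tooling. Host names,
# paths and sample config lines are constructed placeholders.

# Return 0 when a registry domain is acceptable for config.yml: a bare
# host[:port] with no scheme or path, and no explicit :443 when ssl is
# true, since ssl: true already implies HTTPS. Args: domain, ssl.
check_domain() {
  domain=$1; ssl=$2
  case "$domain" in
    ''|*/*) return 1 ;;
  esac
  if [ "$ssl" = "true" ]; then
    case "$domain" in *:443) return 1 ;; esac
  fi
  return 0
}

# First registry name under "registries:" in config.yml; the webhook
# must reference the same value via registry_name=. Arg: config path.
registry_name_from_config() {
  awk '/^registries:/ {r=1}
       r && /^[[:space:]]*-?[[:space:]]*name:/ {sub(/.*name:[[:space:]]*/, ""); print; exit}' "$1"
}

# Webhook URL Nexus should call: scanner host plus registry name.
webhook_url() {
  printf '%s:8080/v1/notification?registry_name=%s' "$1" "$2"
}

# Verify the cache directory is owned by the uid:gid the container
# runs as (1000:65533), the ownership the page sets with chown.
cache_owner_ok() {
  [ -d "$1" ] || return 1
  [ "$(ls -ldn "$1" | awk '{print $3 ":" $4}')" = "1000:65533" ]
}

# Compose the docker run command from the page for a working dir; a
# non-empty level adds -e LOG_LEVEL=<level> (error|warn|debug).
scanner_run_cmd() {
  dir=$1; level=$2; env_opt=""
  [ -z "$level" ] || env_opt="-e LOG_LEVEL=$level "
  printf 'docker run %s-d --mount type=bind,source=%s/cache,target=/opt/lacework/cache -v %s/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner' \
    "$env_opt" "$dir" "$dir"
}
```

Run check_domain against the value you put in config.yml before starting the container, and feed the output of webhook_url into the Nexus capability so the registry_name parameter cannot drift from the config.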