Integrate Proxy Scanner with Sonatype Nexus Registry

Deploy a proxy scanner that integrates with your Nexus registry to provide container vulnerability assessments.

Create a Proxy Scanner Integration in Lacework

Creating an integration in the Lacework Console is the first step in setting up the proxy scanner. To create an integration, follow these steps:

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Go to Settings > Integrations > Container Registries.
  3. Click + Add New.
  4. From the Registry Type drop-down, select Proxy Scanner and click Next.
  5. Complete the required settings.
  6. Click Save.
    Do not download the proxy scanner from the provided URL; you can pull the image from Docker Hub as described in Deploy the Proxy Scanner.
  7. Click the Authorization Token’s copy to clipboard icon.
    This is the integration’s associated token. You need this to configure the proxy scanner.

Configure the Nexus Registry Repository

  1. In the Nexus Administration module, select Repository > Repositories.
  2. Create a new hosted Docker repository or copy the name of the existing hosted Docker repository (for example: my-nexus-repo-name).

Configure the Proxy Scanner

  1. Go to the Nexus Browse/Welcome page > Browse.

  2. Select the repository key that you created in Configure the Nexus Registry Repository (for example: my-nexus-repo-name).

  3. Use the configuration details from this repository to help create a config.yml file that will be used by proxy scanner.

    Example
    scan_public_registries: false
    static_cache_location: /opt/lacework
    default_registry:
    lacework:
      account_name: lacework-account
      integration_access_token: authorization-token
    registries:
      - domain: NEXUS-FQDN:PORT
        name: my-nexus-repo-name
        ssl: true
        is_public: false
        credentials:
          user_name: "userinregistry"
          password: "password"
        notification_type: nexus
        disable_non_os_package_scanning: false
        go_binary_scanning:
          enable: true

    Adjust the values for the following settings to match your repository and environment:

    • account_name: Your Lacework account, in the format: customer.availabilityzone. For this setting, customer is the identifier for your account, and the availabilityzone specifies the logical data center for that region. For example, a customer named Specialized Software located in France has the account name specializedsoftware.fra.
    • integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework.
    • domain: Adjust the domain to your environment.
      • Use the same domain that you use for Docker login. For example:
        • If you log into Docker using dockerHost:Port, use domain = dockerHost:Port.
        • If you log into Docker using dockerHost, use domain = dockerHost.
    • ssl: Set to true if your Nexus registry is served over HTTPS.
      note

      For an HTTPS registry on the default port, do not append :443 to the domain; set ssl to true instead.

    • user_name: Provide your Nexus registry username.
    • password: Provide your Nexus registry password.
    • notification_type: Enter nexus.
    • disable_non_os_package_scanning: Change to true if you want to disable scanning of language libraries (non-OS packages).
    • go_binary_scanning.enable: Set to true if you want to scan Go binaries.
  4. After you deploy the proxy scanner, check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). The scanner's poll frequency determines how long it takes for the results to appear.

Deploy the Proxy Scanner

Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.

  1. Pull the latest Lacework proxy scanner image:

    docker pull lacework/lacework-proxy-scanner:latest
  2. Create a persistent storage location for the Lacework proxy scanner cache and change the ownership:

    mkdir cache
    chown -R 1000:65533 cache
  3. Start the Lacework proxy scanner:

     docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner

    For debugging purposes, add -e LOG_LEVEL=debug:

    docker run -e LOG_LEVEL=debug -d --mount ...

    Available LOG_LEVEL values: error, warn, debug.
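The following script, added here as an example and not Lacework's own tooling, ties the configuration and deployment steps above together: it renders config.yml from environment variables instead of hand-editing a file that holds the registry password and the integration token, enforces the two rules this page states (the domain must be the host[:port] you use for docker login, and ssl: true must not be combined with :443), restricts the file to the owner, prepares the cache directory with the ownership the page specifies, and starts the container with the config mounted read-only. The environment variable names (LW_ACCOUNT, LW_TOKEN, NEXUS_DOMAIN, NEXUS_REPO, NEXUS_USER, NEXUS_PASSWORD, NEXUS_SSL) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Lacework's code): render, validate, and deploy the
# proxy scanner config.yml for a Nexus registry.
# Assumed environment variables: LW_ACCOUNT, LW_TOKEN, NEXUS_DOMAIN,
# NEXUS_REPO, NEXUS_USER, NEXUS_PASSWORD, NEXUS_SSL (true|false).

# validate_registry DOMAIN SSL
# domain must be host[:port] as used with docker login (no scheme, no path);
# with ssl=true the port 443 must not be appended.
validate_registry() {
  domain=$1; ssl=$2
  case "$ssl" in true|false) ;; *) echo "ssl must be true or false" >&2; return 1 ;; esac
  case "$domain" in
    ""|*/*) echo "domain must be host[:port], without scheme or path: '$domain'" >&2; return 1 ;;
  esac
  if [ "$ssl" = true ]; then
    case "$domain" in
      *:443) echo "ssl: true already implies HTTPS; drop :443 from '$domain'" >&2; return 1 ;;
    esac
  fi
  return 0
}

# validate_account NAME: Lacework account names have the form customer.zone
validate_account() {
  case "$1" in
    ""|.*|*.|*.*.*) echo "account_name must be customer.zone, got '$1'" >&2; return 1 ;;
    *.*) return 0 ;;
    *) echo "account_name must be customer.zone, got '$1'" >&2; return 1 ;;
  esac
}

# render_config OUT: write config.yml owner-readable only (it holds secrets).
# Values containing a double quote would need escaping; none is applied here.
render_config() {
  out=$1
  validate_account "$LW_ACCOUNT" && validate_registry "$NEXUS_DOMAIN" "$NEXUS_SSL" || return 1
  ( umask 077; cat > "$out" <<EOF
scan_public_registries: false
static_cache_location: /opt/lacework
default_registry:
lacework:
  account_name: $LW_ACCOUNT
  integration_access_token: $LW_TOKEN
registries:
  - domain: $NEXUS_DOMAIN
    name: $NEXUS_REPO
    ssl: $NEXUS_SSL
    is_public: false
    credentials:
      user_name: "$NEXUS_USER"
      password: "$NEXUS_PASSWORD"
    notification_type: nexus
    disable_non_os_package_scanning: false
    go_binary_scanning:
      enable: true
EOF
  ) && chmod 600 "$out"
}

# prepare_cache DIR: the page assigns the cache to uid 1000 / gid 65533;
# chown needs root, so it is skipped (with a warning) when not root.
prepare_cache() {
  mkdir -p "$1"
  if [ "$(id -u)" -eq 0 ]; then
    chown -R 1000:65533 "$1"
  else
    echo "not root: run 'chown -R 1000:65533 $1' before starting the scanner" >&2
  fi
}

# run_scanner CONFIG CACHE [LOG_LEVEL]: config mounted read-only; port 8080
# is the notification endpoint, so restrict it at the firewall to the Nexus host.
run_scanner() {
  cfg=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  cache=$(cd "$2" && pwd)
  level=${3:-warn}
  docker run -d --restart unless-stopped \
    -e LOG_LEVEL="$level" \
    --mount "type=bind,source=$cache,target=/opt/lacework/cache" \
    -v "$cfg:/opt/lacework/config/config.yml:ro" \
    -p 8080:8080 \
    lacework/lacework-proxy-scanner:latest
}

# Usage: LW_ACCOUNT=... NEXUS_... ./deploy.sh deploy
if [ "${1:-}" = deploy ]; then
  render_config ./config.yml && prepare_cache ./cache && run_scanner ./config.yml ./cache "${LOG_LEVEL:-warn}"
fi
```

The functions are kept separate so the validation and rendering can be run (and unit-tested) on a host without Docker; only run_scanner requires the Docker daemon.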

Configure the Nexus Registry Webhook (for Notification Option Only)

  1. Go to the Nexus Administration Module > System > Capabilities

  2. Click Create capability and select Webhook:Repository to create a new webhook.

    • Repository: Select the repository whose events should trigger the webhook.

    • Event Types: Select Component and click the > button to move to the Selected box.

    • URL: Specify the URL that the webhook invokes. This is the proxy scanner's notification endpoint, including the scheme Nexus uses to reach it, in the following format:

      <ProxyScannerHost>:8080/v1/notification?registry_name=<RegistryNameFromYourConfig.yml>
      Example
      <ProxyScannerHost>:8080/v1/notification?registry_name=my-nexus-repo-name
  3. Click Create capability to save the webhook configuration.

  4. Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).

note

You’ll need to create a webhook configuration like this for each Docker repository you have.
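Because the registry_name query parameter is the only thing that ties a Nexus event to an entry in config.yml, a typo there means notifications silently go nowhere. The following helper, added as an example and not part of Lacework's or Sonatype's tooling, builds the webhook URL in the format above, checks that the registry name in it is actually declared in config.yml, and can send one test POST so you can confirm reachability before pushing an image. It assumes plain HTTP on port 8080 (the page's format omits a scheme) and the JSON body it sends is constructed for illustration only, not a reproduction of the real Nexus payload.

```shell
#!/bin/sh
# Added example (not Lacework's or Sonatype's code): build and sanity-check
# the Nexus webhook URL for the proxy scanner's notification endpoint.

# webhook_url HOST REGISTRY_NAME: URL in the format given on this page,
# assuming plain HTTP on 8080.
webhook_url() {
  printf 'http://%s:8080/v1/notification?registry_name=%s\n' "$1" "$2"
}

# registry_in_config CONFIG NAME: succeeds only if config.yml contains a
# registry entry whose name (bare or double-quoted) is exactly NAME.
# NAME is used unescaped in the regex; registry names are expected to be
# plain letters, digits, dots and dashes.
registry_in_config() {
  grep -qE '^[[:space:]]*name:[[:space:]]*"?'"$2"'"?[[:space:]]*$' "$1"
}

# check_webhook CONFIG URL: extract registry_name from the URL and verify the
# config declares that registry.
check_webhook() {
  cfg=$1; url=$2
  case "$url" in
    *registry_name=*) ;;
    *) echo "URL has no registry_name parameter: $url" >&2; return 1 ;;
  esac
  name=${url##*registry_name=}
  name=${name%%&*}
  [ -n "$name" ] || { echo "registry_name is empty in: $url" >&2; return 1; }
  registry_in_config "$cfg" "$name" || { echo "registry '$name' is not declared in $cfg" >&2; return 1; }
}

# send_test_event URL REPO: POST a constructed JSON body the way a Nexus
# webhook would and print the HTTP status. Needs network access to the
# scanner, so it is not exercised offline.
send_test_event() {
  url=$1; repo=$2
  body=$(printf '{"repositoryName":"%s","action":"CREATED","component":{"format":"docker","name":"demo/app","version":"1.0"}}' "$repo")
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -H 'Content-Type: application/json' -X POST --data "$body" "$url"
}

# Usage: ./webhook-check.sh <ProxyScannerHost> <registry name> [config.yml]
if [ $# -ge 2 ]; then
  url=$(webhook_url "$1" "$2")
  check_webhook "${3:-./config.yml}" "$url" && echo "$url"
fi
```

Run it once per Docker repository, since each repository needs its own webhook; a non-2xx status from send_test_event, or a failed check_webhook, is worth resolving before relying on notifications instead of polling.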