Platform Scanner Overview
Public Registry Scanning
Integrate your internet-accessible container registries with the Lacework Platform Scanner. Lacework can scan all images as they are added to the registry.
Lacework offers different methods to pull images from a registry depending on the type of registry:
- Registry notification: The registry sends an event to Lacework whenever a new image has been uploaded.
- Auto-polling: Lacework automatically discovers the list of repositories and new images available in the registry.
- On-demand: Manually request the scan of a container using the Lacework Console or Lacework CLI.
In each registry guide, the Container Registry Support section lists the methods available for the registry type.
Create a registry integration to start automatically scanning your images.
Container Registry Support
You must integrate the container registry that contains repositories with the container images that you want to assess for vulnerabilities.
Lacework supports the following container registries (only image manifest V2, schema 2 is supported) and scan types.
Registry | Support |
---|---|
Amazon Elastic Container Registry (ECR) | Auto polling; On-demand scans |
Azure Container Registry as Docker V2 Registry | Registry notification; On-demand scans |
Docker Hub | Auto polling; On-demand scans |
Docker V2-based authentication registries | On-demand scans |
Docker V2 Registry | Registry notification; On-demand scans |
GitHub Container Registry | Registry notification; On-demand scans |
GitLab as Docker V2 Registry | Registry notification; On-demand scans |
Google Artifact Registry (GAR) | Auto polling; On-demand scans |
Google Container Registry (GCR) | Auto polling; On-demand scans |
JFrog as Docker V2 Registry | Registry notification; On-demand scans |
Multi-Architecture Image Support
The Lacework platform scanner supports multi-architecture container images during scans. A multi-architecture image is handled by reading its manifest list, which enumerates the platform-specific versions of the image.
An example of a manifest list for a multi-architecture image can be found here.
Lacework scans the first platform architecture version found in the following order:
- AMD64
- ARM64
- ARM32
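The selection rule above, as an added example that is not Lacework's own code: given a Docker manifest list or OCI image index, pick the entry to scan in the stated order (AMD64, then ARM64, then ARM32). The mapping of "ARM32" to the OCI architecture name `arm`, the restriction to `os: linux`, and the sample index are my assumptions; the digest check and the skipping of `unknown/unknown` attestation entries are defensive choices, since neither yields an image to assess.

```python
import re

# Preference order as stated on the page: AMD64, then ARM64, then ARM32.
# OCI/Docker platform descriptors use "architecture"/"os"; 32-bit ARM appears as
# architecture "arm" (variants v6/v7).  Restricting to os "linux" is an assumption.
PLATFORM_ORDER = [("amd64", "linux"), ("arm64", "linux"), ("arm", "linux")]

INDEX_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def select_platform_manifest(manifest):
    """Pick the single-platform manifest to scan from a manifest list / OCI index.

    Returns the chosen descriptor (dict with "digest" and "platform"), the input
    itself when it is already a single-platform image manifest, or None when no
    entry matches the preference order.  Entries without a platform, with a
    malformed digest, or with the "unknown/unknown" platform used by attestation
    blobs are never selected.
    """
    if manifest.get("mediaType") not in INDEX_MEDIA_TYPES and "manifests" not in manifest:
        return manifest  # plain schema-2 image manifest: nothing to choose
    candidates = []
    for entry in manifest.get("manifests", []):
        plat = entry.get("platform") or {}
        if plat and DIGEST_RE.match(entry.get("digest", "")) and plat.get("architecture") != "unknown":
            candidates.append(entry)
    for arch, os_name in PLATFORM_ORDER:
        for entry in candidates:
            plat = entry["platform"]
            if plat.get("architecture") == arch and plat.get("os") == os_name:
                return entry
    return None


def _desc(arch, os_name, fill, variant=None):
    """Constructed descriptor helper for the sample index below (not real image data)."""
    plat = {"architecture": arch, "os": os_name}
    if variant:
        plat["variant"] = variant
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + fill * 64, "size": 1234, "platform": plat}


# Constructed sample index: the amd64 entry is listed last but must still win.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        _desc("arm64", "linux", "b"),
        _desc("arm", "linux", "c", variant="v7"),
        _desc("unknown", "unknown", "e"),   # attestation entry, never scanned
        _desc("amd64", "linux", "a"),
    ],
}

if __name__ == "__main__":
    chosen = select_platform_manifest(SAMPLE_INDEX)
    print(chosen["platform"], chosen["digest"])
```

Because the choice is made on the descriptor's digest rather than its tag, the scanner pulls exactly the content the index pinned; an index that lists only platforms outside the order (for example a Windows-only image) yields `None`, which a caller should report as "not scanned" rather than silently treating as clean.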
Auto-polling vs Registry Notification
There are two ways to scan new images as they are uploaded to your registry:
Registry notification: Set up notifications in your registry to send an event to the Lacework Cloud Scanner every time a new image has been uploaded. After it receives a notification, Lacework automatically pulls the image and initiates a scan. The results will be available in the Lacework console.
Auto-polling: Every 15 minutes, Lacework will discover the list of registries and images newly uploaded. Lacework then automatically pulls the image and initiates a scan. The results will be available in the Lacework console.
Both methods enable the scanning of new images. Auto-polling adds the ability to scan some of the images that already existed in the registry when the Registry integration with Lacework was created. On-demand scans through the CLI can also be used to trigger scans for existing images.
Note: Auto-polling and registry notification have to be managed differently for most registries, for example with different authentication schemes and APIs. Lacework may therefore not support one or both of these features for your registry. Refer to the table of supported registries and features.
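The registry notification path described above, as an added example that is not Lacework's code: a handler that takes a Docker Registry v2 notification envelope (the `events[].action` / `events[].target` structure the open-source distribution registry emits) and derives the image references to scan. The registry host name, the sample envelope and the decision to drop malformed events are my assumptions.

```python
import json
import re

# Manifest media types whose push means a complete image is available to scan.
MANIFEST_TYPES = {
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def images_to_scan(envelope_json, registry_host):
    """Return the image references (host/repo@digest) that a notification envelope announces.

    Only "push" events whose target is a manifest are kept: blob pushes precede
    the manifest push and are not scannable, pulls announce nothing new, and an
    event with a malformed digest is dropped rather than turned into a reference.
    References are pinned by digest, so a tag re-pushed between the notification
    and the pull cannot swap the content that gets assessed.
    """
    envelope = json.loads(envelope_json)
    refs = []
    for event in envelope.get("events", []):
        if event.get("action") != "push":
            continue
        target = event.get("target") or {}
        if target.get("mediaType") not in MANIFEST_TYPES:
            continue
        digest, repo = target.get("digest", ""), target.get("repository", "")
        if not repo or not DIGEST_RE.match(digest):
            continue
        ref = f"{registry_host}/{repo}@{digest}"
        if ref not in refs:  # same manifest pushed under two tags: scan once
            refs.append(ref)
    return refs


# Constructed sample envelope; digests are filler, not real images.
SAMPLE_NOTIFICATION = json.dumps({
    "events": [
        {   # layer blob push: precedes the manifest push, nothing scannable yet
            "id": "evt-1", "action": "push",
            "target": {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                       "digest": "sha256:" + "1" * 64, "repository": "team/api"},
        },
        {   # manifest push: this is the image to assess
            "id": "evt-2", "action": "push",
            "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                       "digest": "sha256:" + "2" * 64, "repository": "team/api", "tag": "1.4"},
        },
        {   # same manifest re-tagged: identical content, not a second scan
            "id": "evt-3", "action": "push",
            "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                       "digest": "sha256:" + "2" * 64, "repository": "team/api", "tag": "latest"},
        },
        {   # pull event: announces nothing new
            "id": "evt-4", "action": "pull",
            "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                       "digest": "sha256:" + "3" * 64, "repository": "team/web", "tag": "2.0"},
        },
        {   # malformed digest: reject rather than build a reference from it
            "id": "evt-5", "action": "push",
            "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
                       "digest": "sha256:notahexdigest", "repository": "team/web", "tag": "2.1"},
        },
    ]
})

if __name__ == "__main__":
    for ref in images_to_scan(SAMPLE_NOTIFICATION, "registry.example.internal"):
        print("scan:", ref)
```

In a deployed webhook receiver the envelope would arrive over HTTPS with whatever shared secret or header the registry is configured to send; the parsing above is the part that decides which events actually represent a new image.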
Docker API v2
The Docker API v2 is the set of HTTP APIs used to pull images. Kubernetes uses the Docker API v2 to pull images from any registry.
All registries support the Docker API v2 for pulling a single image by repository, image name and tag or image ID. However, many registries use a different set of APIs to discover repositories and images (used for auto-polling) or have different authentication schemes for registry notification.
If you create a Docker V2 Registry integration, ensure that the registry uses the Docker V2 authentication scheme (required for registry notification) and the standard Docker v2 APIs for repository and image discovery (required for auto-polling).
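The discovery half of that requirement, as an added example that is not Lacework's implementation: a poller that walks the standard Docker v2 catalog endpoint (`GET /v2/_catalog` with `Link: <…>; rel="next"` pagination), lists tags with `GET /v2/<name>/tags/list`, resolves each tag to its content digest via `HEAD /v2/<name>/manifests/<tag>` (`Docker-Content-Digest` header), and reports only images not seen on a previous poll. The in-memory `FakeRegistry`, the repository names and the 2000-repository cap (taken from the quota section below) are my assumptions; no network calls are made.

```python
import re
from urllib.parse import parse_qs, urlparse


class FakeRegistry:
    """Constructed in-memory stand-in for a Docker V2 registry (test double, not a client)."""

    def __init__(self, repos, page_size=2):
        self.repos = repos          # {repo_name: {tag: digest}}
        self.page_size = page_size  # small so pagination is exercised

    def fetch(self, method, path):
        """Mimic the three Docker v2 endpoints the poller needs: (status, headers, json)."""
        if path.startswith("/v2/_catalog"):
            last = parse_qs(urlparse(path).query).get("last", [None])[0]
            names = [n for n in sorted(self.repos) if last is None or n > last]
            page, headers = names[:self.page_size], {}
            if len(names) > self.page_size:
                headers["Link"] = f'</v2/_catalog?n={self.page_size}&last={page[-1]}>; rel="next"'
            return 200, headers, {"repositories": page}
        m = re.fullmatch(r"/v2/(.+)/tags/list", path)
        if m and m.group(1) in self.repos:
            return 200, {}, {"name": m.group(1), "tags": sorted(self.repos[m.group(1)])}
        m = re.fullmatch(r"/v2/(.+)/manifests/([^/]+)", path)
        if m and method == "HEAD":
            digest = self.repos.get(m.group(1), {}).get(m.group(2))
            if digest:
                return 200, {"Docker-Content-Digest": digest}, None
        return 404, {}, None


def _next_link(link_header):
    """Extract the next-page path from an RFC 5988 Link header, or None."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None


def discover_repositories(fetch, page_size=100, max_repos=2000):
    """Walk /v2/_catalog page by page, stopping at the repository cap."""
    repos, path = [], f"/v2/_catalog?n={page_size}"
    while path and len(repos) < max_repos:
        status, headers, body = fetch("GET", path)
        if status != 200:
            raise RuntimeError(f"catalog request failed: HTTP {status}")
        repos.extend(body.get("repositories", []))
        path = _next_link(headers.get("Link", ""))
    return repos[:max_repos]


def poll_new_images(fetch, seen, max_repos=2000):
    """One polling round: return references for images whose content has not been seen.

    `seen` is keyed on repo@digest, not repo:tag, so a tag that is re-pushed with
    new content is reported again while the same manifest under a second tag is not.
    """
    new = []
    for repo in discover_repositories(fetch, max_repos=max_repos):
        status, _, body = fetch("GET", f"/v2/{repo}/tags/list")
        if status != 200:
            continue  # repository may have been deleted since the catalog page was read
        for tag in body.get("tags") or []:
            status, headers, _ = fetch("HEAD", f"/v2/{repo}/manifests/{tag}")
            digest = headers.get("Docker-Content-Digest")
            if status != 200 or not digest:
                continue
            key = f"{repo}@{digest}"
            if key not in seen:
                seen.add(key)
                new.append(f"{repo}:{tag}@{digest}")
    return new


if __name__ == "__main__":
    # Constructed sample registry: digests are filler, not real image content.
    registry = FakeRegistry({
        "team/api": {"1.0": "sha256:" + "a" * 64, "latest": "sha256:" + "a" * 64},
        "team/web": {"2.3": "sha256:" + "b" * 64},
        "tools/ci": {"v1": "sha256:" + "c" * 64},
    }, page_size=2)
    seen = set()
    print("first poll:", poll_new_images(registry.fetch, seen))
    print("second poll:", poll_new_images(registry.fetch, seen))
```

A registry that answers `/v2/_catalog` with 404 or 401 is exactly the case the page warns about: pulls by reference still work, but auto-polling cannot enumerate repositories, and the integration would need to rely on registry notification or on-demand scans instead.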
Auto Polling
For registries that support auto polling, Lacework assesses images for vulnerabilities when the registry is first integrated. After the initial integration, Lacework completes the following actions:
- Lacework polls the integrated registries for new container images every 15 minutes.
- Lacework assesses all images for vulnerabilities as soon as they are polled. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities for newly published common vulnerabilities and exposures (CVEs) and updates the Lacework CVE database once a day.
Lacework assesses for vulnerabilities using the following steps:
1. Lacework enumerates the integrated registries and finds all repositories (or only the subset of repositories specified) in each registry that it has permission to access.
2. Lacework finds the newest container images in each repository, up to the limit (see Default Scanning Quotas). After the initial assessment, Lacework polls the integrated repositories at a regular interval for the newest container images.
3. Lacework assesses all software packages in the found container images.
4. Lacework searches the common vulnerabilities and exposures (CVEs) database for the software packages in the container images and reports the matches. Lacework filters out rejected CVEs for Ubuntu and Debian.
5. When new CVE data is released, Lacework re-evaluates existing image assessments for newly identified risks, matching the new CVE information against the known package names and versions in each image.
Default Scanning Quotas
The platform scanner supports a maximum of 2000 repositories per registry integration.
- Amazon ECR's limit is 1000 repositories due to limitations of the Docker V2 APIs.
For each registry integration, the platform scanner performs a maximum of 100 image assessments per hour for each repository. The 50 image limit also applies to the initial assessment after integration.
The platform scanner supports a default of 700 container image assessments per hour for each Lacework account; any remaining images are assessed in the following hour.
Note: Contact Lacework Support if you need to increase these limits.
Assessment Example
The following is an example of Lacework's assessment steps:
- You register the Docker Hub registry in Lacework.
- Lacework finds all the repositories in the Docker Hub registry.
- Lacework assesses a container image in a repository.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the container image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.