Overview
Building and deploying a containerized application involves many steps, so a complete container image lifecycle approach is key to managing software supply chain risk. The Lacework inline remote scanner integrates Lacework security capabilities deeply into your software supply chain workflows by letting you scan and assess Docker container images for vulnerabilities without first pushing them to a container registry.
The remote scanner container registry integration functions differently from Lacework's other container registry integrations. Instead of continuous scans and assessments both occurring within Lacework, an inline scan occurs outside Lacework and then a request is sent to Lacework to assess the collected data. After you create a remote scanner integration in the Lacework Console, you can download and deploy the inline remote scanner as a binary within your development tool chain.
The inline remote scanner is triggered on demand within build chain workflows. The trigger could be, for example, the start of a new container image build in the CI pipeline, or a developer wanting to assess a build on their local machine. The remote scanner collects data about the container image according to your configured settings for what data to collect. Using the server token that was created when you integrated the remote scanner in the Lacework Console, the remote scanner sends an API request to Lacework for assessment. After the token is authorized, Lacework assesses the collected file data. The results can be viewed on the Vulnerability Assessment page in the Lacework Console and on stdout. You can configure additional output types.
Remote Scanner Support
The remote scanner can be run on the following operating systems:
- Linux
- Mac
- Windows
For information about vulnerability support, see the Container Registry and Package Assessment Support section in Container Vulnerability Assessment Overview.
Create a Remote Scanner Integration in Lacework
Creating an integration in the Lacework Console is the first step in setting up the remote scanner. To create an integration, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Container Registry.
- Click + Create New.
- From the Registry Type drop-down, select Remote Scanner and click Next.
- Complete the required settings.
- Click Save.
  This displays a window that provides the remote scanner binary’s download URL and authorization token.
- Click the URL’s Copy to clipboard icon and paste it into a new browser window.
  This is where you download the remote scanner binary from.
- Click the Authorization Token’s Copy to clipboard icon.
  This is the integration’s associated token. You need it to configure the remote scanner.
After the integration is saved, its name displays on the Integrations Container Registry page. Continue to the Configure the Remote Scanner section.
Remote Scanner Settings
| Setting Name | Description |
|---|---|
| Registry Type | Specify the registry type selected from the drop-down; in this case, select Remote Scanner. |
| Name | Specify a unique name to display for the integration in the Lacework Console. |
| Limit Number of Scans for this Integration | Select the maximum number of scans per hour that this integration can perform. |
Obtain the Remote Scanner and Authorization Token
If you need the remote scanner binary’s download URL and the integration’s server authorization token (for example, you didn’t copy them immediately after creating the integration), follow these steps:
- Navigate to Settings > Integrations > Container Registry.
- Click the name of the remote scanner integration.
  This opens the integration’s details.
- Click the URL’s Copy to clipboard icon and paste it into a new browser window.
  This is where you download the remote scanner binary from.
- Click the Authorization Token’s Copy to clipboard icon.
  This is the integration’s associated token. You need it to configure the remote scanner.
Configure the Remote Scanner
After you download the remote scanner binary, place it in a location of your choice and make it executable, then run this command to configure authentication:
lw-scanner config auth
Provide the following information:
- Lacework account name
  For example, if your login URL is mycompany.lacework.net, the account name is mycompany.
- Authorization token
  Paste the token that you copied from the Lacework Console.
This completes the minimum required remote scanner configuration. See Configuration Commands for information about additional configuration commands.
Configuration Commands
This section provides information about the available configuration commands. On the command line, the values displayed inside parentheses represent your current configuration settings.
config auth
After you create the remote scanner integration, you must run the config auth command once. You can run this command again later if you need to update the configuration. To configure authentication, run this command:
lw-scanner config auth
Provide the following information:
- Lacework account name
  For example, if your login URL is mycompany.lacework.net, the account name is mycompany.
- Authorization token
  Copy and paste the token from the remote scanner integration created in the Lacework Console.
config data
The config data command configures how the remote scanner handles data, such as where to store data and whether to save output in a file. To configure data handling, run this command:
lw-scanner config data [flags]
Provide the following information:
- Data storage directory
  Enter the directory where you want to store all remote scanner command output. Note that the -d, --data-directory global flag overrides the directory defined here.
- Store evaluation in file - true/false
  True stores assessment data in a file.
  False (default) does not store assessment data in a file.
- Store manifest in file - true/false
  True stores manifest data in a file.
  False (default) does not store manifest data in a file.
config logging
The config logging command configures how the remote scanner handles logging data, such as where to store logs and the logging level. To configure logging, run this command:
lw-scanner config logging
Provide the following information:
- Log level - debug/info/warn/error
  Enter the minimum level of log messages to record. For example, if set to info, then info, warning, and error level messages are logged.
- Log file directory
  Enter the directory where you want to store remote scanner logs. Note that the -l, --log-directory global flag overrides the directory defined here.
config reset
The config reset command resets all remote scanner configuration settings. To reset configuration settings, run this command:
lw-scanner config reset
config view
The config view command displays all remote scanner configuration information. To view the current configuration, run this command:
lw-scanner config view
Example configuration output:
Current config : {
  "auth": {
    "account_name": "myaccountname",
    "integration_access_token": "_0ab9abc8de7f6fake54ab3c2de12345f"
  },
  "logging": {
    "log_level": "error",
    "log_file_directory_path": ""
  },
  "tags": {
    "build_id": "dev_build",
    "build_plan": "dev_machine",
    "hostname": "My-MacBook-Pro.local",
    "source": "lacework_remote_scanner",
    "user": "Firstname Lastname"
  },
  "data": {
    "data_file_directory": "",
    "store_evaluations_in_file": false,
    "store_manifest_in_file": false,
    "output_format": "json"
  }
}
Global Flags
The remote scanner provides the following global flags:
- -d, --data-directory string
  Specify the directory path to store command outputs. Note that this flag overrides the directory set by the config data command.
- --debug
  Creates a debug log file and enables debug logging.
- -l, --log-directory string
  Specify the directory path to store remote scanner logs. Note that this flag overrides the directory set by the config logging command.
Example command:
lw-scanner evaluate image_name image_tag -d=/abc/def/
This example command sets the directory that stores command outputs (such as assessments and manifests) to /abc/def/.
Evaluate Command
The evaluate command scans the container image to collect package information and then assesses the data. Assessment results are available in the Lacework Console and, depending on the verbose mode, may also be printed to the command line in tabular format. To perform a scan and assessment, run this command:
lw-scanner evaluate image_name image_tag [flags]
Flags
- -i, --build-id string
  Sets the build ID from the CI system. This is included in the assessment data.
- -p, --build-plan string
  Sets the build plan name from the CI system. This is included in the assessment data.
- -f, --fixable
  Prints and/or saves fixable vulnerabilities only.
- -v, --verbose
  Sets verbose mode. True (default) prints detailed process data in the command line in human-readable format and assessment data in tabular format. False does not print any process data in the command line and prints assessment data in JSON format.
- -w, --wide
  Prints and/or saves detailed data in verbose mode (default true).
Example command output (with the default -v=true):
CONTAINER IMAGE DETAILS                                                                    VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
ID           sha256:a123b45678901234fake56bc777e3f99faca8aa2bb8c77cadd8888bbbb666f77      SEVERITY    COUNT   FIXABLE
Digest       sha256:12300e6d3fake30e12345678e901a22a3bb00a77b2d8e66aac2ffe90c1c33333      -----------+-------+----------
Registry     remote_scanner                                                                Critical    0       0
Repository   mysql                                                                         High        1       0
Size         520.0 MB                                                                      Medium      8       0
Created At   2020-12-21T20:34:37.951Z                                                      Low         13      0
Tags         latest                                                                        Info        46      0

CVE ID             SEVERITY   PACKAGE   CURRENT VERSION   FIX VERSION         INTRODUCED IN LAYER
-----------------+----------+---------+-----------------+-------------------+------------------------------------------------------------------------
CVE-2020-29361     Medium     p11-kit   0.23.15-2         0.23.15-2+deb10u1   ADD file:3abcef4d123fakec4567fd70a035c130a91b5da001dd99c01b1acd345c0066e9 in /
-----------------+----------+---------+-----------------+-------------------+------------------------------------------------------------------------
CVE-2020-29362     Medium     p11-kit   0.23.15-2         0.23.15-2+deb10u1   ADD file:3abcef4d123fakec4567fd70a035c130a91b5da001dd99c01b1acd345c0066e9 in /
-----------------+----------+---------+-----------------+-------------------+------------------------------------------------------------------------
CVE-2020-29363     Info       p11-kit   0.23.15-2         0.23.15-2+deb10u1   ADD file:3abcef4d123fakec4567fd70a035c130a91b5da001dd99c01b1acd345c0066e9 in /
-----------------+----------+---------+-----------------+-------------------+------------------------------------------------------------------------
Example command output with the -v=false flag:
{
  "image": {
    "image_info": {
      "created_time": "string",
      "image_digest": "string",
      "image_id": "string",
      "registry": "string",
      "repository": "string",
      "size": 0,
      "tags": [ "string" ]
    },
    "image_layers": [
      {
        "hash": "string",
        "created_by": "string",
        "packages": [
          {
            "name": "string",
            "namespace": "string",
            "fix_available": "string",
            "version": "string",
            "vulnerabilities": [
              {
                "name": "string",
                "description": "string",
                "link": "string",
                "severity": "string",
                "metadata": {
                  "additionalProp1": {},
                  "additionalProp2": {},
                  "additionalProp3": {}
                },
                "fix_version": "string"
              }
            ],
            "fixed_version": "string",
            "host_count": "string",
            "severity": "string",
            "cve_link": "string",
            "cvss_score": "string",
            "cvss_v3_score": "string",
            "cvss_v2_score": "string",
            "status": "New",
            "package_status": "string",
            "last_updated_time": "string",
            "first_seen_time": "string"
          }
        ]
      }
    ]
  },
  "scan_status": "string",
  "total_vulnerabilities": 0,
  "critical_vulnerabilities": 0,
  "high_vulnerabilities": 0,
  "medium_vulnerabilities": 0,
  "low_vulnerabilities": 0,
  "info_vulnerabilities": 0,
  "fixable_vulnerabilities": 0,
  "last_evaluation_time": "string"
}
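The -v=false output is what a CI pipeline would consume. The following script is an added example of a build gate around the evaluate command; it is not part of Lacework's documentation or of the scanner itself. It assumes lw-scanner is on PATH and has already been configured with config auth, builds the command line from the -v=false, -i, -p and -d flags described above, and reads the top-level severity counts and the image_layers > packages > vulnerabilities tree of the JSON shown above. The embedded sample assessment is constructed for the demo (its CVE ids and package are taken from the tabular example); the threshold values and every helper name are the example's own.

```python
"""CI gate around `lw-scanner evaluate -v=false` (added example, not Lacework code)."""
import json
import subprocess
import sys

# Constructed sample in the -v=false layout; only the fields the gate reads are filled in.
SAMPLE_RESULT = {
    "image": {
        "image_info": {"repository": "mysql", "tags": ["latest"]},
        "image_layers": [
            {
                "hash": "sha256:layer-constructed",
                "packages": [
                    {
                        "name": "p11-kit",
                        "version": "0.23.15-2",
                        "vulnerabilities": [
                            {"name": "CVE-2020-29361", "severity": "Medium",
                             "fix_version": "0.23.15-2+deb10u1"},
                            {"name": "CVE-2020-29363", "severity": "Info",
                             "fix_version": ""},
                        ],
                    }
                ],
            }
        ],
    },
    "scan_status": "string",
    "critical_vulnerabilities": 0,
    "high_vulnerabilities": 1,
    "fixable_vulnerabilities": 1,
}


def build_evaluate_argv(image, tag, build_id, build_plan, data_dir=None):
    """Assemble the evaluate command line.

    -v=false makes the scanner emit JSON instead of the tabular view; -i and -p
    attach the CI build id and plan as tags on the assessment; -d (global flag)
    overrides the output directory set with `config data`.
    """
    argv = ["lw-scanner", "evaluate", image, tag, "-v=false",
            "-i", build_id, "-p", build_plan]
    if data_dir:
        argv.append("-d=" + data_dir)
    return argv


def run_evaluate(image, tag, build_id, build_plan, data_dir=None):
    """Run the scanner (requires lw-scanner on PATH) and parse its JSON stdout."""
    proc = subprocess.run(
        build_evaluate_argv(image, tag, build_id, build_plan, data_dir),
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def fixable_findings(result):
    """Walk image_layers -> packages -> vulnerabilities and keep the entries that
    carry a fix_version, so the build log lists what can be patched right now."""
    findings = []
    for layer in result.get("image", {}).get("image_layers", []):
        for pkg in layer.get("packages", []):
            for vuln in pkg.get("vulnerabilities", []):
                if vuln.get("fix_version"):
                    findings.append((vuln.get("name"), vuln.get("severity"),
                                     pkg.get("name"), pkg.get("version"),
                                     vuln["fix_version"]))
    return findings


def gate(result, max_critical=0, max_high=0):
    """Return (passed, reasons). A missing count field fails the build instead of
    silently passing it, so a truncated or malformed assessment cannot slip through."""
    reasons = []
    for key, limit in (("critical_vulnerabilities", max_critical),
                       ("high_vulnerabilities", max_high)):
        count = result.get(key)
        if not isinstance(count, int):
            reasons.append(f"{key} missing from assessment output")
        elif count > limit:
            reasons.append(f"{key}={count} exceeds limit {limit}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # usage: python ci_gate.py IMAGE TAG BUILD_ID BUILD_PLAN   (or --demo for the sample)
    if len(sys.argv) == 2 and sys.argv[1] == "--demo":
        result = SAMPLE_RESULT
    elif len(sys.argv) >= 5:
        result = run_evaluate(*sys.argv[1:5])
    else:
        sys.exit("usage: ci_gate.py IMAGE TAG BUILD_ID BUILD_PLAN | --demo")
    for name, sev, pkg, ver, fix in fixable_findings(result):
        print(f"{name} {sev} {pkg} {ver} -> fixed in {fix}")
    passed, reasons = gate(result)
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)
```

The gate deliberately keys on the top-level severity counts rather than on the per-vulnerability list, because those counts are what the scanner reports as the assessment's summary; the fixable listing is informational so that the developer sees which upgrades would clear the finding. Run it with --demo to exercise the constructed sample without a scanner installed.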
Scan Command
The scan command only collects package information from the container image and saves the data to a manifest; Lacework does not assess the data. This allows the collected data to be examined so that you can verify what data would be sent to Lacework if assessment were to occur. To perform a scan, run this command:
lw-scanner scan image_name image_tag [flags]
Flags
- -v, --verbose
  Sets verbose mode. True (default) prints detailed process data in the command line. False does not print any process data in the command line.
Tag Commands
This section provides information about the available tag commands. These commands allow you to add, remove, or view the environment tags associated with the remote scanner.
tags add
The tags add command adds a new tag to the remote scanner. To add a tag, run this command:
lw-scanner tags add
Provide the following information for the tag you want to add:
- Key
- Value
tags remove
The tags remove command removes a tag from the remote scanner. To remove a tag, run this command:
lw-scanner tags remove
Provide the key for the tag you want to remove.
tags view
The tags view command displays the currently configured remote scanner tags. To view tags, run this command:
lw-scanner tags view
Example tags output:
{
  "build_id": "dev_build",
  "build_plan": "dev_machine",
  "hostname": "My-MacBook-Pro.local",
  "source": "lacework_remote_scanner",
  "user": "Firstname Lastname"
}
You can set the build_id and build_plan with the evaluate command’s -i and -p flags, respectively. The hostname and user are based on the local host and user information where the binary is located. The source is hardcoded to lacework_remote_scanner.
Version Command
The version command displays the remote scanner version and data format version. To display versions, run this command:
lw-scanner version