Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. This means you can identify and take action on software vulnerabilities in your risky container images and manage that risk proactively. In addition, Lacework automatically correlates assessed images to active containers in your monitored environment, so you have continuous visibility into your software vulnerability risk. For information about alerts, see Policies.
After integrating a container registry in Lacework, Lacework finds all container images in the registry repositories, assesses those container images for software packages with known vulnerabilities, and reports them. For each container image found in the repositories, Lacework also checks and reports the number of running containers found in the current workload for the current container image.
Lacework also provides APIs for container vulnerability assessment that can be integrated into continuous integration pipelines such as Jenkins, Circle-CI, GitHub Actions, and more. For more information, see Integrate Lacework APIs with Continuous Integration (CI) Pipelines.
Container Registry and Package Assessment Support
You must integrate the container registry that contains repositories with the container images that you want to assess for vulnerabilities.
Lacework currently supports the following types of container registries (only image manifest V2, schema 2 is supported). Integration instructions for each supported container registry type:
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
|---|---|---|---|
| Amazon Linux | Distro | N/A | See Amazon Linux CVSS Scores |
| Alpine Linux | NVD Score (CVSS v3 supersedes CVSS v2) | NVD | https://github.com/alpinelinux/aports.git |
| CentOS (10/11/2019) | Distro | NVD | None |
| CentOS/RHA/CoreOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| RHEL (10/11/2019) | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Amazon Linux CVSS Scores
AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.
Vulnerability Assessment
Lacework assesses for vulnerabilities when the container registry is initially integrated. After the initial integration, Lacework completes the following actions at the listed schedule.
- Lacework polls the integrated registries for new container images every 15 minutes.
- Lacework assesses all images for vulnerabilities as soon as they are polled. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVEs) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses the registries that are integrated with Lacework and finds all repositories (or only a subset of repositories, if specified) in each registry that Lacework has permissions to access.
- Lacework finds the newest container images found in each repository up to the limit. When Lacework initially assesses a repository, it finds the newest container images up to the limit of 10 per repository. After the initial assessment, Lacework polls the integrated repositories at a regular time interval for the newest container images up to the limit of 200 container images per repository.
- Lacework assesses all software packages in the found container images.
- Lacework searches the common vulnerabilities and exposures (CVEs) database for software packages in the container images and reports them.
When new CVE updates are released, Lacework assesses existing image assessments for newly identified risks. Lacework reassesses images based on CVE information for a known package and version.
These assessment steps are illustrated in the following example:
- You register the Docker Hub registry in Lacework.
- Lacework finds all the repositories in the Docker Hub registry.
- Lacework assesses a container image in a repository.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the container image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
Found vulnerabilities are reported in the Vulnerability Assessment page. To navigate to the Vulnerability Assessment page, select Container > Vulnerability Assessment in the Lacework Console.
At the top of the Vulnerability Assessment page, there are two drop-downs that control the output displayed on this entire page. Lacework reports on a container image only if Lacework has permission to access the image.
- The left drop-down filters the displayed container images.
- By selecting All Registries from the drop-down, you can view all container images found in all the repositories for the container registries that have been registered on this Lacework platform. Lacework reports on a container image only if Lacework has permission to access the image.
- By selecting a registry type such as dockerhub, you can narrow the results reported to a particular registry type.
- The right drop-down controls the range of days to report on. After an image is assessed, Lacework reports its results in the table. Select the Last 24 hours option above the table to view assessment results.
Only information found during assessment of the specified date range is reported. For example, if 9 days ago a container image is removed from a container repository in the registry and the specified date range is 7 days, this container image is not listed in the table.
Under these drop-downs are overview statistics about container images and vulnerabilities found in registry repositories.
Assessment Summary
Below the overview is the Assessment Summary table.
Above the right side of the table, the following icons are available.
| Icon | Label | Description |
|---|---|---|
 |
Add filter | Click the Add filter icon to filter on the following: 1) CVE—Filter the returned container images based on the specified Common Vulnerabilities and Exposure (CVE) ID, such as CVE-2019-9948. 2) Image Repository—Filter the returned container images based on the specified repository name. You can add multiple filters that are ANDed together to produce a single result, for example, a filter that returns all container images that have the CVE-2019-9948 vulnerability but are not in the api-server repository.  You can use the * wildcard to match strings. Click X to remove the filters. |
 |
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
 |
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that the Creation Date, Digest, and Image Size columns are not displayed by default and are optionally available from the Select Columns drop-down. |
 |
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Assessment Summary table are described below. Each row in the Assessment Summary table represents a container image. A row for a container image is listed even if the container image has no vulnerabilities.
| Column | Description |
|---|---|
| Registry | Displays the Docker registry of the container image. A registry is a storage location where container images are stored. |
| Repository | Displays the repository where the current container image is stored. A single repository contains multiple images of the same container. These multiple images are different versions of the same container over time and have unique image IDs and tags. If Lacework detects that this container image is running, the repository where this container is stored is displayed as a blue link. Click the link for detailed data about the running containers in this repository. |
| Tags | Lists the tag or label that was assigned to the current container image. |
| Last Run | Lists the last time an assessment was run on this container image. |
| Status | Displays the status of the container image assessment. 1) Success—The assessment occurred without error. 2) Error—The assessment failed. Mouse over the Error field to see the reason why the assessment failed. |
| Vulnerabilities | Displays a snapshot of the vulnerabilities associated with this container image for the specified date range. To get details about vulnerabilities, hover the cursor over the right side of the Vulnerabilities column until the View Report button appears. Click View Report to view detailed information about a single container image as described in the next section.  You can also mouse over the text in this field to view the total number of vulnerabilities. |
| Containers | Displays the total number of unique containers that ran for this image. This includes currently active containers plus any containers that have been started and subsequently stopped or killed. This number can exceed your number of containers. NOTE: The Lacework agent must be installed on the container image to be reported. |
| Image ID | Displays the sha256 hash that Docker generated for this image. Each row in the Assessment Summary table represents a container image. You can copy the container image ID to the clipboard by clicking the Copy to clipboard icon. Click the image ID to view detailed information about a single container image. |
| Image Created Time | Displays when the container image was created in the repository. This column is displayed only if selected in the Select display columns drop-down. |
| Digest | Displays the sha256 hash that Docker generated for the manifest of this image. This column is displayed only if selected in the Select display columns drop-down. |
| Image Size | Reports the size of the container image. This column is displayed only if selected in the Select display columns drop-down. |
Vulnerability Assessment Image Details
When you click View Report in the Vulnerabilities column or an Image ID in the Assessment Summary table, the Vulnerability Assessment Image page displays. This page provides details about a container image that was collected in a single assessment run. An assessment is when Lacework assesses and reports on vulnerabilities in a container image.
The drop-down at the top of the Vulnerability Assessment Image page controls the assessment that is reported on the rest of the page.
The following fields are available at the top of the page.
| Field | Description |
|---|---|
| Repository | Displays the fully qualified path to the repository where the container image was found. |
| ID | Displays the sha256 hash that Docker generated for this image. You can copy the container image ID to the clipboard by clicking the Copy to clipboard icon. |
| Digest | Displays the sha256 hash that Docker generated for the manifest of this image. You can copy the Digest to the clipboard by clicking the Copy to clipboard icon. |
| Image Creation Time | Reports when the container image was created in the repository. |
| num ImageSize | Reports the size of the container image. |
| Tags | Lists the tag or label that was assigned to the current container image. |
| num unique vulnerabilities were detected in this assessment | Displays the number of unique vulnerabilities detected in this container image during this assessment. |
| num fixed versions available | Displays how many fixed versions (software patches) are available that address the detected vulnerabilities in this container image during this assessment. |
Under num fixed versions available is a bar chart that shows the number of total vulnerabilities detected per severity rankings in the container image. You can use this bar chart to filter the vulnerabilities by severity rankings that are listed in the Vulnerabilities table. For example, you can click the critical (dark red) and high (bright red) sections of the bar chart to filter by critical and high severity vulnerabilities. Note that the chart’s critical and high section widths become wider to indicate current filter conditions.
Select the Show only fixable option to update the chart and table to show only fixable vulnerabilities. If the option is selected, the CSV download includes only fixable CVEs. The PDF always includes all CVEs.
Below the bar chart is a search bar. You can enter text to add an additional filter for the vulnerabilities listed in the table. You can search for text in any of the table columns as described in the following examples:
- Enter CVE-2018 to limit the list of vulnerabilities to only those CVEs that were found in the year 2018.
- Enter openssl to view all open SSL vulnerabilities.
To the right of the search bar, the following icons are available.
| Icon | Label | Description |
|---|---|---|
 |
Download Report | Click the Download Report icon to download a PDF version of the Vulnerability Assessment report. |
|
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
|
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. |
|
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Vulnerabilities table are described below.
| Column | Description |
|---|---|
| CVE | Displays the common vulnerabilities and exposures (CVEs) code assigned to this vulnerability by the CVE Numbering Authority. Click the arrow next to the CVE number to view a description and vectors about the CVE. In the description drop-down, click the More Details  icon to open a web page that provides details about the CVE. |
| Severity | Displays the severity ranking assigned to the CVE. For more information about severity attribution, see Vulnerability Severity Attribution. |
| Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available. N/A means the CVSS is not available. |
| Package Name | Displays the software package that contains the vulnerability. |
| Current Version | Displays the current version of the software package that contains the vulnerability. |
| Fix Version | Displays the version (patch) of the software package that contains the patch for the vulnerability when a patch is available. |
| Image Layer | Displays the sha256 hash generated by Docker for the layer that contains the vulnerability. Each Docker container image is made up of a series of layers. You can copy the image layer ID to the clipboard by clicking the Copy to clipboard icon. This column is displayed only if selected in the Select display columns drop-down. |
| Introduced In Layer | Displays the Docker file command that applied the package onto the current Docker image. Each Docker container image is made up of a series of layers and each layer is the result of a command. |
| OS Distro | Displays the distro that provided the listed package. This column is displayed only if selected in the Select display columns drop-down. |