This topic contains the following sections.
Lacework provides the ability to assess, identify, and report vulnerabilities found in the operating system software packages in a Docker container image before the container image is deployed. This means you can identify and take action on software vulnerabilities in your risky container images and manage that risk proactively. In addition, Lacework automatically correlates assessed images to active containers in your monitored environment, so you have continuous visibility into your software vulnerability risk. For information about vulnerability alerts that could be reported, see Default Policies.
Operating System Support
| Operating System | Versions |
|---|---|
| Alpine Linux | 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14 |
| Amazon Linux | 2 |
| Amazon Linux AMI | 2014.09, 2015.03, 2015.09, 2016.03, 2016.09, 2017.03, 2017.09, 2018.03 |
| CentOS | 5, 6, 7 |
| Debian | 7, 8, 9, 10, unstable |
| Redhat Enterprise Linux | 5, 6, 7, 8 Minimal OS images are not supported |
| Ubuntu | 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 19.04, 19.10, 20.04, snap |
Container Registry Support
You must integrate the container registry that contains repositories with the container images that you want to assess for vulnerabilities.
Lacework supports the following container registries (only image manifest V2, schema 2 is supported) and scan types.
| Registry | Support |
|---|---|
| Amazon Container Registry (ECR) | Auto polling On-demand scans |
| Azure Container Registry as Docker V2 Registry | Registry notification On-demand scans |
| Docker Hub | Auto polling On-demand scans |
| Docker V2-based authentication registries | On-demand scans |
| Docker V2 Registry | Registry notification On-demand scans |
| GitHub Container Registry | Registry notification On-demand scans |
| GitLab as Docker V2 Registry | On-demand scans |
| Google Artifact Registry (GAR) | Auto polling On-demand scans |
| Google Container Registry (GCR) | Auto polling On-demand scans |
| JFrog as Docker V2 Registry | Registry notification On-demand scans |
Package Assessment Support
Lacework assesses the packages listed in the following table.
| Linux Distribution | Severity Attribution | CVSS Score Attribution | Links |
|---|---|---|---|
| Alpine Linux | NVD Score (CVSS v3 supersedes CVSS v2) | NVD | https://github.com/alpinelinux/aports.git |
| Amazon Linux | Distro | N/A | See Amazon Linux CVSS Scores |
| CentOS | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Debian | Distro (Security Tracker) | NVD | https://security-tracker.debian.org/tracker/data/json |
| Redhat Enterprise Linux | Distro | NVD | https://www.redhat.com/security/data/oval/v2/ |
| Ubuntu | Distro (Canonical) | NVD | https://git.launchpad.net/ubuntu-cve-tracker |
Lacework receives vulnerability and package data in a timely manner directly from the vendors and the NIST National Vulnerability Database (NVD).
Severity Attribution
Vulnerability assessment displays a Common Vulnerability Scoring System (CVSS) score and severity for each CVE. Scores range from 0 to 10. Severities can be Info, Low, Medium, High, or Critical.
For each CVE, the National Vulnerability Database (NVD) provides a base score for CVSS v3.x (if available) and CVSS v2.0. Lacework displays the provided CVSS v3 score or the CVSS v2 score if the v3 score is not available.
Lacework assigns severities to CVEs based on the following criteria in the following order of preference:
- The operating system distribution vendor (such as CentOS, Ubuntu, Alpine, etc.) provides a severity
- Lacework converts the CVSS v3 score to a severity
- Lacework converts the CVSS v2 score to a severity
Amazon Linux CVSS Scores
AMI security advisories combine CVEs. This results in no CVSS score or multiple CVSS scores from the Amazon Linux Security Center. Lacework shows N/A when a CVSS score is not available.
Vulnerability Assessment
When container registries support auto polling, Lacework assesses for vulnerabilities when the container registry is initially integrated. After the initial integration, Lacework completes the following actions at the listed schedule.
- Lacework polls the integrated registries for new container images every 15 minutes.
- Lacework assesses all images for vulnerabilities as soon as they are polled. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVEs) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses the registries that are integrated with Lacework and finds all repositories (or only a subset of repositories, if specified) in each registry that Lacework has permissions to access.
- Lacework finds the newest container images found in each repository up to the limit. When Lacework initially assesses a repository, it finds the newest container images up to the limit of 10 per repository. After the initial assessment, Lacework polls the integrated repositories at a regular time interval for the newest container images up to the limit of 200 container images per repository. There is also an hourly limit of 500 container images per Lacework account, with any other images being assessed the next hour.
- Lacework assesses all software packages in the found container images.
- Lacework searches the common vulnerabilities and exposures (CVEs) database for software packages in the container images and reports them. Lacework filters out rejected CVEs for Ubuntu and Debian.
When new CVE updates are released, Lacework assesses existing image assessments for newly identified risks. Lacework reassesses images based on CVE information for a known package and version.
Assessment Example
These assessment steps are illustrated in the following example:
- You register the Docker Hub registry in Lacework.
- Lacework finds all the repositories in the Docker Hub registry.
- Lacework assesses a container image in a repository.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the container image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
Found Vulnerabilities
Found vulnerabilities are reported in the Vulnerability Assessment page. To navigate to the Vulnerability Assessment page, select Vulnerability > Container in the Lacework Console.
At the top of the Vulnerability Assessment page, there are two drop-downs that control the output displayed on this entire page. Lacework reports on a container image only if Lacework has permission to access the image.
- The left drop-down filters the displayed container images.
- By selecting All Registries from the drop-down, you can view all container images found in all the repositories for the container registries that have been registered on this Lacework platform. Lacework reports on a container image only if Lacework has permission to access the image. A registry is listed in this drop-down only if it was scanned during your selected time range.
- By selecting a registry type such as dockerhub, you can narrow the results reported to a particular registry type.
- The right drop-down controls the range of days to report on. After an image is assessed, Lacework reports its results in the table. Select the Last 24 hours option above the table to view assessment results.
Only information found during assessment of the specified date range is reported. For example, if 9 days ago a container image is removed from a container repository in the registry and the specified date range is 7 days, this container image is not listed in the table.
Under these drop-downs are overview statistics about container images and vulnerabilities found in registry repositories.
Assessment Summary
Below the overview is the Assessment Summary table.
Above the right side of the table, the following icons are available.
| Icon | Label | Description |
|---|---|---|
 |
Add filter | Click the Add filter icon to filter on the following: 1) CVE—Filter the returned container images based on the specified Common Vulnerabilities and Exposure (CVE) ID, such as CVE-2019-9948. 2) Image Repository—Filter the returned container images based on the specified repository name. You can add multiple filters that are ANDed together to produce a single result, for example, a filter that returns all container images that have the CVE-2019-9948 vulnerability but are not in the api-server repository.  You can use the * wildcard to match strings. Click X to remove the filters. |
 |
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
 |
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. Note that the Creation Date, Digest, and Image Size columns are not displayed by default and are optionally available from the Select Columns drop-down. |
 |
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Assessment Summary table are described below. Each row in the Assessment Summary table represents a container image. A row for a container image is listed even if the container image has no vulnerabilities.
| Column | Description |
|---|---|
| Registry | Displays the Docker registry of the container image. A registry is a storage location where container images are stored. |
| Repository | Displays the repository where the current container image is stored. A single repository contains multiple images of the same container. These multiple images are different versions of the same container over time and have unique image IDs and tags. If Lacework detects that this container image is running, the repository where this container is stored is displayed as a blue link. Click the link for detailed data about the running containers in this repository. |
| Image Tags | Lists the tag or label that was assigned to the current container image. |
| Last Run | Lists the last time an assessment was run on this container image. |
| Status | Displays the status of the container image assessment. 1) Success—The assessment occurred without error. 2) Error—The assessment failed. Mouse over the Error field to see the reason why the assessment failed. |
| Vulnerabilities | Displays a snapshot of the vulnerabilities associated with this container image for the specified date range. To get details about vulnerabilities, hover the cursor over the right side of the Vulnerabilities column until the View Report button appears. Click View Report to view detailed information about a single container image as described in the next section.  You can also mouse over the text in this field to view the total number of vulnerabilities. |
| Containers | Displays the total number of unique containers that ran for this image. This includes currently active containers plus any containers that have been started and subsequently stopped or killed. This number can exceed your number of containers. NOTE: The Lacework agent must be installed on the container image to be reported. |
| Image ID | Displays the sha256 hash that Docker generated for this image. Each row in the Assessment Summary table represents a container image. You can copy the container image ID to the clipboard by clicking the Copy to clipboard icon. Click the image ID to view detailed information about a single container image. |
| Image Created Time | Displays when the container image was created in the repository. This column is displayed only if selected in the Select display columns drop-down. |
| Digest | Displays the sha256 hash that Docker generated for the manifest of this image. This column is displayed only if selected in the Select display columns drop-down. |
| Image Size | Reports the size of the container image. This column is displayed only if selected in the Select display columns drop-down. |
| Environment Tags | Lists the tags assigned to the container image's environment. This column is displayed only if selected in the Select display columns drop-down. |
Vulnerability Assessment Image Details
When you click View Report in the Vulnerabilities column or an Image ID in the Assessment Summary table, the Vulnerability Assessment Image page displays. This page provides details about a container image that was collected in a single assessment run. An assessment is when Lacework assesses and reports on vulnerabilities in a container image.
The drop-down at the top of the Vulnerability Assessment Image page controls the assessment that is reported on the rest of the page.
The following fields are available at the top of the page.
| Field | Description |
|---|---|
| Repository | Displays the fully qualified path to the repository where the container image was found. |
| ID | Displays the sha256 hash that Docker generated for this image. You can copy the container image ID to the clipboard by clicking the Copy to clipboard icon. |
| Digest | Displays the sha256 hash that Docker generated for the manifest of this image. You can copy the Digest to the clipboard by clicking the Copy to clipboard icon. |
| Image Creation Time | Reports when the container image was created in the repository. |
| num Image Size | Reports the size of the container image. |
| Image Tags | Lists the tag or label that was assigned to the current container image. |
| Environment Tags | Lists the tags assigned to the container image's environment. |
| num unique vulnerabilities were detected in this assessment | Displays the number of unique vulnerabilities detected in this container image during this assessment. |
| num fixed versions available | Displays how many fixed versions (software patches) are available that address the detected vulnerabilities in this container image during this assessment. |
Under num fixed versions available is a bar chart that shows the number of total vulnerabilities detected per severity rankings in the container image. You can use this bar chart to filter the vulnerabilities by severity rankings that are listed in the Vulnerabilities table. For example, you can click the critical (dark red) and high (bright red) sections of the bar chart to filter by critical and high severity vulnerabilities. Note that the chart’s critical and high section widths become wider to indicate current filter conditions.
Select the Show only fixable option to update the chart and table to show only fixable vulnerabilities. If the option is selected, the CSV download includes only fixable CVEs. The PDF always includes all CVEs.
Below the bar chart is a search bar. You can enter text to add an additional filter for the vulnerabilities listed in the table. You can search for text in any of the table columns as described in the following examples:
- Enter CVE-2018 to limit the list of vulnerabilities to only those CVEs that were found in the year 2018.
- Enter openssl to view all open SSL vulnerabilities.
To the right of the search bar, the following icons are available.
| Icon | Label | Description |
|---|---|---|
 |
Download Report | Click the Download Report icon to download a PDF version of the Vulnerability Assessment report. |
|
Download in CSV format | Click the Download in CSV format icon to get a comma-separated file of the table contents. |
|
Select display columns | Click the Select display columns icon to hide or show the set of columns that are displayed in the table. |
|
Full screen | Click the Full screen icon to show the table on the entire screen. |
The columns in the Vulnerabilities table are described below.
| Column | Description |
|---|---|
| CVE | Displays the common vulnerabilities and exposures (CVEs) code assigned to this vulnerability by the CVE Numbering Authority. Click the arrow next to the CVE number to view a description and vectors about the CVE. In the description drop-down, click the More Details  icon to open a web page that provides details about the CVE. |
| Severity | Displays the severity ranking assigned to the CVE. For more information about severity attribution, see Vulnerability Severity Attribution. |
| Score | Displays the CVSS (Common Vulnerability Scoring System) severity rankings score for the vulnerability. For both CVSS 3.x and CVSS 2.0, the severity ranking is a scale from 0 - 10, where 10 is the highest severity. Defaults to CVSSv3 scores or CVSSv2 if v3 scores are not available. N/A means the CVSS is not available. |
| Package Name | Displays the software package that contains the vulnerability. |
| Current Version | Displays the current version of the software package that contains the vulnerability. |
| Fix Version | Displays the version (patch) of the software package that contains the patch for the vulnerability when a patch is available. |
| Image Layer | Displays the sha256 hash generated by Docker for the layer that contains the vulnerability. Each Docker container image is made up of a series of layers. You can copy the image layer ID to the clipboard by clicking the Copy to clipboard icon. This column is displayed only if selected in the Select display columns drop-down. |
| Introduced In Layer | Displays the Docker file command that applied the package onto the current Docker image. Each Docker container image is made up of a series of layers and each layer is the result of a command. |
| OS Distro | Displays the distro that provided the listed package. This column is displayed only if selected in the Select display columns drop-down. |
Vulnerability Continuous Assessment
Lacework continuously reassesses container images for new vulnerabilities. Lacework lets you control what images are continually reevaluated. You can globally override the default option and configure what images should be assessed.
- Go to Settings > General Settings in the Lacework Console to display the General Settings page.
- Scroll down to the bottom of the page to configure Continuous Assessments.
- Move the slider to select Continuous Assessments.
- Select what images are monitored for changes in vulnerabilities for a period of 30 days. Select one of the following options:
- Reassess active images: Reassesses only images active in the past 24 hours. This is the default option.
- Reassess images with a specific tag or label: Reassesses images for 30 days based on the tags, labels, and repositories that you specify. This option ignores whether the image is active or inactive.
Vulnerability FAQs
How does Lacework's registry-based scanning work?
Lacework uses Docker V2-compatible APIs to derive image layer manifests and their composition to assess the packages within them. Though Lacework uses the docker pull implementation, Lacework consumes only the manifest; Lacework does not store or cache the images.
How does Lacework handle initial scanning for different registry services?
Behavior can be categorized into managed registries and unmanaged registries. Managed registries (ECR, GCR, GitHub) offer efficiencies for automatic initial scans and periodic polling completely through APIs without your running additional infrastructure on your side. This provides maximum value with least effort, allowing you to set your credentials and make it work. Unmanaged registries do not offer this functionality within their APIs and span the spectrum in regards to conformance with the Docker V2 API standard. This requires additional workflows. Lacework supports automated scanning via registry notifications as new images are built, but to seed existing images, Lacework requires manual image scans via CLI or API.