The Docker V2 Registry integration functions differently than Lacework's other container registry integrations. This integration performs on-demand image assessment via the API, while the other integrations automatically assess images at regular intervals.
Use the Docker V2 Registry integration for private Docker V2 registries only. For Docker Hub, ECR, and GCR, use their corresponding container registry types to integrate with Lacework.

Supported Docker V2 registries:

| Registry | Supported versions |
|---|---|
| Azure Container Registry | n/a |
| GitLab | On prem 12.8 and cloud |
| JFrog Artifactory | On prem 7.2.1 and cloud |
| JFrog Platform | On prem 7.2.1 and cloud |
Integration setup consists of the following steps:
- Connect to the Docker V2 registry through the Lacework Console
- Set up image assessment through the Lacework API
- Whitelist Lacework IPs
Connect the Registry to Lacework
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Container Registry.
- Click + Create New.
- From the Registry Type drop-down, select Docker V2 Registry and click Next.
- Complete the required settings and click Save.
NOTE: The user must have access to pull the images requested via the API server.
| Setting | Description |
|---|---|
| Registry Type | Specify the registry type from the drop-down. In this case, select Docker V2 Registry. |
| Name | Specify a unique name for the container registry in the Lacework Console. |
| Username | Specify a user that has permission to pull the images to be assessed from the container registry. |
| Password | Specify the password for the specified user. |
| SSL | Select the checkbox if the registry uses SSL. You can use either a valid SSL certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. If the checkbox is not selected, communication with the registry is unencrypted. |
| Registry Domain | Specify a domain using one of these formats: `ip:port` or `domain:port`. |
| Limit by Tag (optional) | If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: `mytext*mytext`, `*mytext`, `mytext*`, or `mytext`. Only one `*` wildcard is supported. |
| Limit by Label (optional) | If you do not want to assess all images in this registry, specify text from an image label so that only images with matching label text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. If you specify tag and label limits, they function as an AND. Supported field input: `mytext*mytext`, `*mytext`, `mytext*`, or `mytext`. Only one `*` wildcard is supported. |
The Docker V2 Registry status displays Integration Successful only after its first assessment completes.
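The following is an added example, not Lacework code: a local preview of which images a Limit by Tag and Limit by Label pair would leave unassessed, so that a narrow filter does not silently exclude images you expect to be scanned. It assumes anchored, case-sensitive matching, that a value without `*` must match the whole text, and that labels are compared as plain strings; the function names and the inventory are constructed for illustration.

```python
import re

def compile_limit(pattern):
    """Build a matcher for one 'Limit by ...' value; empty means no limit."""
    if not pattern:
        return lambda text: True
    if pattern.count("*") > 1:
        raise ValueError(f"only one * wildcard is supported: {pattern!r}")
    # Assumption: anchored, case-sensitive match; '*' stands for any run of
    # characters (including none). Covers mytext*mytext, *mytext, mytext*, mytext.
    regex = re.compile(".*".join(re.escape(part) for part in pattern.split("*")))
    return lambda text: regex.fullmatch(text) is not None

def preview(images, tag_limit="", label_limit=""):
    """Split images into (assessed, skipped); tag and label limits are ANDed."""
    tag_ok = compile_limit(tag_limit)
    label_ok = compile_limit(label_limit)
    assessed, skipped = [], []
    for image in images:
        # With a label limit set, at least one label must match it.
        labels_match = not label_limit or any(label_ok(l) for l in image["labels"])
        if tag_ok(image["tag"]) and labels_match:
            assessed.append(image["name"])
        else:
            skipped.append(image["name"])
    return assessed, skipped

# Constructed inventory (hypothetical repositories, tags and labels).
IMAGES = [
    {"name": "payments:prod-1.4.2", "tag": "prod-1.4.2", "labels": ["team-payments"]},
    {"name": "payments:dev-1.5.0", "tag": "dev-1.5.0", "labels": ["team-payments"]},
    {"name": "search:prod-2.0.1", "tag": "prod-2.0.1", "labels": ["team-search"]},
    {"name": "batch:prod-0.9", "tag": "prod-0.9", "labels": []},
]

if __name__ == "__main__":
    assessed, skipped = preview(IMAGES, tag_limit="prod-*", label_limit="team-*")
    print("assessed:", assessed)
    print("not assessed:", skipped)
```

The skipped list is the part to review: an unlabeled production image such as the constructed `batch:prod-0.9` falls outside the AND of both limits.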
Set Up Image Assessment
You can, for example, make an API call each time an image is built so that Lacework assesses it.
For information about setting up container image assessment, see the Vulnerability API section in the Lacework API documentation.
Whitelist Lacework IPs
You must whitelist the following Lacework IPs to allow the vulnerability scanner to communicate with your private registries: