Lacework APIs support integration with continuous integration tooling to scan container images as part of the build process and to notify developers of the vulnerabilities found, so that data-driven decisions about security and risk can be made before deployment.
The fastest way to implement vulnerability scanning in CI is to use the Lacework Command Line Interface (CLI), either installed and configured directly on static job runners, or run from the Lacework CLI docker containers that Lacework continuously builds and tests, used as ephemeral job runners in your CI configuration (e.g. a Jenkinsfile, CircleCI, GitHub Actions, GitLab).
The Lacework CLI is written in Go and runs on Linux, macOS, and Windows. For more information on installing and configuring the Lacework CLI see Lacework CLI documentation.
Example Container Vulnerability Data from the Lacework CLI
Data returned from Lacework's APIs provides a wealth of information about the vulnerabilities found in images, their severity, and which of them are fixable. The Lacework CLI offers a number of ways to retrieve container vulnerability assessment data. It is designed for the individuals or teams responsible for tracking and remediating vulnerabilities, and helps with prioritization by letting you sort assessments by what is actively running in the environment and filter on vulnerabilities that have fixes.
The following example is the human-readable output of one container vulnerability assessment with more than 50 vulnerabilities, of which only three can be fixed.
$ lacework vulnerability container show-assessment sha256:1947a166f14df8000786a5cd4dca3e4db8da9be20385dcf07b68c861c32b89ae --fixable --details
                                 CONTAINER IMAGE DETAILS                                  |         VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
    ID          sha256:66e71b8916323ba88a6d4fdd6acbd124ff2b9b71b052ee60f80a836f89a2ee7c   |   SEVERITY   COUNT   FIXABLE
    Digest      sha256:1947a166f14df8000786a5cd4dca3e4db8da9be20385dcf07b68c861c32b89ae   | -----------+-------+----------
    Registry    index.docker.io                                                           |   Critical       0         0
    Repository  lacework/lacework-cli                                                     |   High           0         0
    Size        62.4 MB                                                                   |   Medium         2         0
    Created At  2020-11-12T22:53:59+0000                                                  |   Low           22         3
    Tags        ubuntu-1804                                                               |   Info          11         0
                                                                                          |
-----------------+----------+---------+-------------------+-------------------+------------------------------------------------------------------------
       CVE       | SEVERITY | PACKAGE |  CURRENT VERSION  |    FIX VERSION    |                          INTRODUCED IN LAYER
-----------------+----------+---------+-------------------+-------------------+------------------------------------------------------------------------
  CVE-2020-10543 | Low      | perl    | 5.26.1-6ubuntu0.3 | 5.26.1-6ubuntu0.5 | ADD
                 |          |         |                   |                   | file:4974bb5483c392fb54a35f3799802d623d14632747493dce5feb4d435634b4ac
                 |          |         |                   |                   | in /
-----------------+----------+---------+-------------------+-------------------+------------------------------------------------------------------------
  CVE-2020-12723 | Low      | perl    | 5.26.1-6ubuntu0.3 | 5.26.1-6ubuntu0.5 | ADD
                 |          |         |                   |                   | file:4974bb5483c392fb54a35f3799802d623d14632747493dce5feb4d435634b4ac
                 |          |         |                   |                   | in /
-----------------+----------+---------+-------------------+-------------------+------------------------------------------------------------------------
  CVE-2020-10878 | Low      | perl    | 5.26.1-6ubuntu0.3 | 5.26.1-6ubuntu0.5 | ADD
                 |          |         |                   |                   | file:4974bb5483c392fb54a35f3799802d623d14632747493dce5feb4d435634b4ac
                 |          |         |                   |                   | in /
-----------------+----------+---------+-------------------+-------------------+------------------------------------------------------------------------

Try adding '--packages' to show a list of packages with CVE count.
NOTE: The output of any Lacework CLI command can be switched to JSON format with the flag --json
To request an on-demand container vulnerability scan of a new image, run the command:
$ lacework vulnerability container scan RegistryDomain YourRepository YourTagOrImgDigest
A new vulnerability scan has been requested. (request_id: f4cb4e78-f090-4885-8ae9-fee991e89014)
Where:
  RegistryDomain is the container registry domain where the container image has been published
  YourRepository is the repository name that contains the container image
  YourTagOrImgDigest is either a tag or an image digest to scan (digest format: sha256:1ee...1d3b)
Scans can take up to 15 minutes to return results. To verify the status of the container vulnerability scan and view the assessment results, use the command:
$ lacework vulnerability container scan-status ScanRequestID
When integrating into a CI pipeline, use the following command to request an on-demand container vulnerability scan and wait for the scan to complete:
$ lacework vulnerability container scan RegistryDomain YourRepository YourTagOrImgDigest --poll --noninteractive
NOTE: The --noninteractive flag disables interactive progress bars.
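As an added example that is not part of the Lacework documentation, the following Python script turns the JSON produced by the --json flag described above into a CI decision: it counts findings per severity, mirrors the --fixable filter, and exits non-zero when fixable findings at or above a chosen severity are present. The sample assessment and its field names are assumptions constructed for this example; check them against the --json output of your CLI version.

```python
import json

# Constructed sample in the shape of a `show-assessment --json` result. The field
# names are an ASSUMPTION for this example; check them against your CLI's output.
SAMPLE_ASSESSMENT = json.dumps({"image": {
    "image_info": {"repository": "lacework/lacework-cli", "tags": ["ubuntu-1804"]},
    "image_layers": [{"vulnerabilities": [
        {"name": "CVE-2020-10543", "severity": "Low", "package": "perl",
         "version": "5.26.1-6ubuntu0.3", "fix_version": "5.26.1-6ubuntu0.5"},
        {"name": "CVE-2020-12723", "severity": "Low", "package": "perl",
         "version": "5.26.1-6ubuntu0.3", "fix_version": "5.26.1-6ubuntu0.5"},
        {"name": "CVE-2020-10878", "severity": "Low", "package": "perl",
         "version": "5.26.1-6ubuntu0.3", "fix_version": "5.26.1-6ubuntu0.5"},
        # constructed placeholder for a finding that has no fix available yet
        {"name": "CVE-PLACEHOLDER-1", "severity": "Medium", "package": "libplaceholder",
         "version": "1.0", "fix_version": ""},
    ]}],
}})

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def summarize(assessment_json):
    """Count findings per severity and how many of them have a fix version."""
    data = json.loads(assessment_json)
    summary = {sev: {"count": 0, "fixable": 0} for sev in SEVERITY_RANK}
    for layer in data["image"]["image_layers"]:
        for vuln in layer["vulnerabilities"]:
            entry = summary[vuln["severity"].capitalize()]
            entry["count"] += 1
            if vuln.get("fix_version"):  # empty or missing => no fix published
                entry["fixable"] += 1
    return summary


def gate(summary, fail_at="High", fixable_only=True):
    """Return the severities (with counts) that should block the deployment.

    A finding blocks when its severity is at or above `fail_at`; with
    fixable_only=True only findings that have a fix count, mirroring the CLI's
    --fixable filter so the build fails only on what developers can act on.
    """
    key = "fixable" if fixable_only else "count"
    return {sev: e[key] for sev, e in summary.items()
            if SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_at] and e[key] > 0}


if __name__ == "__main__":  # in CI: pipe the CLI's --json output into summarize()
    blocking = gate(summarize(SAMPLE_ASSESSMENT), fail_at="Low")
    print("blocking findings:", blocking)
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the job
```

With the sample data the default policy (fixable High or above) passes, while lowering the threshold to Low blocks on the three fixable perl findings.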
The following are examples of integrating the Lacework CLI vulnerability container command into a few popular CI systems:
- Integrating with Jenkins
- Integrating with CircleCI
- Integrating with GitLab
- Integrating with Azure Pipelines
- Integrating with TravisCI
Integrating with Jenkins
The following is an example Jenkinsfile using the Lacework CLI container to test a docker image built and published to Dockerhub using Jenkins:
pipeline {
  agent any
  stages {
    stage('Build Docker Image') {
      when { branch 'master' }
      steps {
        script {
          // DOCKER_HUB is expected as an environment variable on the Jenkins agent
          app = docker.build("$DOCKER_HUB/my-image")
          app.inside {
            sh 'echo hello-world'
          }
        }
      }
    }
    stage('Push Docker Image') {
      when { branch 'master' }
      steps {
        script {
          docker.withRegistry('https://registry.hub.docker.com', 'docker_hub') {
            app.push("${env.BUILD_NUMBER}")
            app.push("latest")
          }
        }
      }
    }
    stage('Lacework Vulnerability Scan') {
      environment {
        // Jenkins credential id; credentials() masks the value in the build log.
        // The CLI also needs LW_ACCOUNT and LW_API_KEY, supplied the same way or
        // from the agent's environment.
        LW_API_SECRET = credentials('lacework_api_secret')
      }
      agent {
        docker { image 'lacework/lacework-cli:latest' }
      }
      when { branch 'master' }
      steps {
        echo 'Running Lacework vulnerability scan'
        sh "lacework vulnerability container scan index.docker.io $DOCKER_HUB/my-image --poll --noninteractive --details"
      }
    }
  }
}
For more details on integrating Lacework with Jenkins see the blog post Up and Running with Lacework and Jenkins.
Integrating with CircleCI
Lacework has published and maintains a CircleCI Orb for easy integration with CircleCI pipelines. The following is an example .circleci/config.yml configuration that uses the Lacework CircleCI Orb:
version: 2.1
orbs:
  lacework: lacework/lacework@x.y   # replace x.y with a pinned, released orb version
workflows:
  scan_my_container:
    jobs:
      - lacework/ctr-vuln-scan:
          registry: "index.docker.io"
          repository: "lacework/lacework-cli"
For more information, check out the Lacework CircleCI Orb Registry.
Integrating with GitLab
GitLab also supports the use of ephemeral docker containers for pipeline stages. The following is an example .gitlab-ci.yml file that uses the Lacework CLI to scan a container image with GitLab:
image: lacework/lacework-cli:latest
build1:
  stage: build
  script:
    # DOCKER_HUB and the LW_* values are expected as GitLab CI/CD variables (mark the LW_* ones as masked)
    - lacework vulnerability container scan index.docker.io $DOCKER_HUB/my-image --poll --noninteractive --details -a $LW_ACCOUNT -k $LW_API_KEY -s $LW_SECRET_KEY
Integrating with Azure Pipelines
The following is an example azure-pipelines.yml file that leverages the Lacework CLI docker container to scan a container image with Azure Pipelines:
trigger:
- master
pool:
  vmImage: 'ubuntu-latest'
container: lacework/lacework-cli:latest
steps:
- script: lacework vulnerability container scan index.docker.io $DOCKER_HUB/my-image --poll --noninteractive --details
  displayName: 'lacework-cli vulnerability assessment'
  # secret pipeline variables are not exposed to scripts automatically; map them explicitly
  env:
    LW_ACCOUNT: $(LW_ACCOUNT)
    LW_API_KEY: $(LW_API_KEY)
    LW_API_SECRET: $(LW_API_SECRET)
Integrating with TravisCI
The following example .travis.yml file demonstrates building and publishing a docker image to AWS Elastic Container Registry (ECR), and scanning the image with Lacework.
dist: xenial                     # OS for the build
sudo: required                   # Run all commands as root
services:
  - docker                       # Include Docker packages -- Travis CI specific
env:                             # Environment Variables. Replace YourSomethings with your values.
  global:
    - IMAGE_NAME=YOUR_IMAGE_NAME
    - TAG=YOUR_IMAGE_TAG
    - AWS_REGION=YOUR_AWS_REGION
    - AWS_ACCOUNT=YOUR_AWS_ACCOUNT_ID          # used to build the ECR registry hostname below
    - LW_ACCOUNT=YOUR_LW_ACCOUNT
    # Secure credentials: define these as encrypted Travis variables or in the
    # repository settings rather than in plaintext in this file
    - LW_API_KEY=YOUR_LW_API_KEY
    - LW_SECRET_KEY=YOUR_LW_SECRET_KEY
    - AWS_ACCESS_KEY_ID=YOUR_AWS_ACCESS_KEY     # variable names the AWS CLI actually reads
    - AWS_SECRET_ACCESS_KEY=YOUR_AWS_SECRET_KEY
before_install:
  - pyenv global 3.7.1           # Change Python env to Python3
  - pip install -U pip           # Install pip
  - pip install awscli           # Install AWS CLI
  - curl https://raw.githubusercontent.com/lacework/go-sdk/master/cli/install.sh | sudo bash   # Install Lacework CLI
  - aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com   # Login to ECR repository
script:
  - docker build -t $IMAGE_NAME:$TAG .   # Build Docker container
  - docker tag $IMAGE_NAME:$TAG $AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_NAME:$TAG   # Tag Docker Container
  - docker push $AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_NAME:$TAG   # Push Docker container to ECR
  # Perform scan with Lacework CLI. Kept in the script phase rather than after_script:
  # after_script cannot fail the build, so a failing scan there would not block the pipeline.
  - lacework vulnerability container scan $AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com $IMAGE_NAME $TAG --poll --noninteractive --details -k=$LW_API_KEY -s=$LW_SECRET_KEY -a=$LW_ACCOUNT