Deploy a Proxy Scanner that integrates with your JFrog registry to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
Complete the steps in the Create a Proxy Scanner Integration in Lacework section of Integrate Proxy Scanner.
After step 7, return to this article and Configure the JFrog Registry Repository.
Configure the JFrog Registry Repository
Navigate to the Administration module, then select Repositories > Repositories.
Create a new local Docker repository and provide a Repository Key (for example:
Leave the remaining options on their default settings.
Click Save & Finish.
Configure the Proxy Scanner
Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.
Select the repository key that you created in Configure the JFrog Registry Repository (for example:
Use the configuration details from this repository to help create a config.yml file that will be used by the Proxy Scanner.
static_cache_location: /opt/lacework/cache
lacework:
  account_name: lacework-account
  integration_access_token: authorization-token
registries:
  - domain: JFROG-FQDN:PORT/artifactory/api/docker/repository-key
    name: JFrog
    ssl: false
    auto_poll: true/false
    credentials:
      user_name: "userinregistry"
      password: "password"
    poll_frequency_minutes: 5
    notification_type: jfrog
Adjust the values for the following settings to match your repository and environment:
account_name: The Lacework account.
integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework in Integrate Proxy Scanner.
domain: Adjust the domain to your environment. Use the URL to file entry shown in JFrog for the repository.
ssl: Set to true if your JFrog registry is configured with HTTPS.
auto_poll: Set to true to enable auto polling of the registry. Set to false to use a notification method instead.
user_name: Provide your JFrog registry username.
password: Provide the password for your JFrog registry username.
poll_frequency_minutes: If auto_poll is set to true, adjust this to your desired polling frequency. If auto_poll is set to false, this field is unused.
Check the scan results in Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.
If the notification method has been configured (auto_poll: false), then Configure the JFrog Registry Webhook before checking scan results.
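As an added pre-flight check (example code, not part of Lacework's tooling), the following Python function validates a parsed config.yml against the settings described above. It assumes the file has already been loaded into a dict, for example with yaml.safe_load, and the sample config is constructed.

```python
from typing import Dict, List

# Template values from the sample config.yml; left in place, the scanner cannot authenticate.
PLACEHOLDERS = {"lacework-account", "authorization-token", "userinregistry", "password"}


def validate_config(cfg: Dict) -> List[str]:
    problems: List[str] = []  # empty means the config is ready to mount
    lw = cfg.get("lacework") or {}
    for key in ("account_name", "integration_access_token"):
        if not lw.get(key) or lw.get(key) in PLACEHOLDERS:
            problems.append(f"lacework.{key} is missing or still a placeholder")
    if cfg.get("static_cache_location") != "/opt/lacework/cache":
        problems.append("static_cache_location must match the mount target /opt/lacework/cache")
    for i, reg in enumerate(cfg.get("registries") or []):
        where = f"registries[{i}]"
        domain = str(reg.get("domain", ""))
        if domain.startswith(("http://", "https://")):
            problems.append(f"{where}.domain must not carry a scheme; use ssl: true/false")
        if "/artifactory/api/docker/" not in domain:
            problems.append(f"{where}.domain should end in /artifactory/api/docker/<repository-key>")
        if reg.get("ssl") not in (True, False):
            problems.append(f"{where}.ssl must be true or false")
        elif reg.get("ssl") is False:
            problems.append(f"{where}.ssl is false: registry credentials are sent in cleartext")
        auto_poll = reg.get("auto_poll")  # the template's literal true/false parses as a string
        if auto_poll not in (True, False):
            problems.append(f"{where}.auto_poll must be true or false")
        elif auto_poll and not isinstance(reg.get("poll_frequency_minutes"), int):
            problems.append(f"{where}.poll_frequency_minutes must be an integer when auto_poll is true")
        elif not auto_poll and reg.get("notification_type") != "jfrog":
            problems.append(f"{where}.notification_type must be jfrog when relying on the webhook")
        creds = reg.get("credentials") or {}
        for key in ("user_name", "password"):
            if not creds.get(key) or creds.get(key) in PLACEHOLDERS:
                problems.append(f"{where}.credentials.{key} is missing or still a placeholder")
    return problems


# Constructed sample: the template above with illustrative values filled in.
GOOD_CONFIG = {
    "static_cache_location": "/opt/lacework/cache",
    "lacework": {"account_name": "acme", "integration_access_token": "tok-EXAMPLE"},
    "registries": [{
        "domain": "jfrog.example.internal:8082/artifactory/api/docker/docker-quickstart-local",
        "name": "JFrog", "ssl": True, "auto_poll": False,
        "credentials": {"user_name": "scanner", "password": "s3cret-EXAMPLE"},
        "poll_frequency_minutes": 5, "notification_type": "jfrog",
    }],
}
```

Run it against the dict from yaml.safe_load before mounting the file into the container; any returned line is a setting to correct first.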
Deploy the Proxy Scanner
Pull the latest Lacework Proxy Scanner image:
docker pull lacework/lacework-proxy-scanner:latest
Create a persistent storage location for the Lacework Proxy Scanner cache and change the ownership:
mkdir cache
chown -R 1000:65533 cache
Start the Lacework Proxy Scanner:
docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner
For debugging purposes, add the LOG_LEVEL environment variable to the docker run command:
docker run -e LOG_LEVEL=debug -d --mount ...
Available LOG_LEVEL options =
Configure the JFrog Registry Webhook (for notification option only)
Navigate to the JFrog Administration Module > General > Webhooks
Create a new webhook and provide the following details:
Name: Provide a name for the webhook (for example:
URL: Specify the URL that the webhook invokes.
Use the following options in the webhook URL: Docker Tag was pushed and/or Docker Tag was promoted.
Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.
Custom headers: Add any custom headers that you need.
Click Create or Save once complete.
Push a new image to this repository and check the scan results in the Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).