Deploy a proxy scanner that integrates with your JFrog registry to provide container vulnerability assessments.
Create a Proxy Scanner Integration in Lacework
Complete the steps to Create a Proxy Scanner Integration in Lacework in Integrate Proxy Scanner.
After step 7, return to this article and Configure the JFrog Registry Repository.
Configure the JFrog Registry Repository
- Navigate to the Administration module, then select Repositories, and then Repositories.
- Create a new local Docker repository and provide a Repository Key (for example:
- Leave the remaining options on their default settings.
- Click Save & Finish.
Configure the Proxy Scanner
- Navigate to the JFrog Registry UI > Application > Artifactory > Artifacts.
- Select the repository key that you created in Configure the JFrog Registry Repository (for example:
- Use the configuration details from this repository to create the config.yml file that the proxy scanner will use.
```yaml
static_cache_location: /opt/lacework/cache
lacework:
  account_name: lacework-account
  integration_access_token: authorization-token
registries:
  - domain: JFROG-FQDN:PORT
    name: JFrog
    ssl: false
    credentials:
      user_name: "userinregistry"
      password: "password"
    notification_type: jfrog
```
Adjust the values for the following settings to match your repository and environment:
- account_name: The Lacework account.
- integration_access_token: The authorization token from step 7 in Create a Proxy Scanner Integration in Lacework in Integrate Proxy Scanner.
- domain: Adjust the domain to your environment. Use the URL to file entry from JFrog, and use the same domain that you use for docker login. If you log into Docker with a host and port, set domain = dockerHost:Port. If you log into Docker with only a host, set domain = dockerHost.
- ssl: Set to true if your JFrog registry is configured with HTTPS. Note: If it's an SSL/HTTPS-based registry, do not add port 443 but check the
- user_name: Your JFrog registry username.
- password: The password for that JFrog registry username.
Check the scan results in Lacework container vulnerability assessment dossier (Vulnerabilities > Containers). The poll frequency determines how long it takes for the scan results to show.
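The rules in the settings list above (placeholders that must be replaced, the domain in docker login form, no :443 when ssl is true, the cache path matching the container mount) are easy to get wrong by hand. The following script is an added example, not Lacework's own tooling: it checks an already-loaded config.yml against those rules. It uses PyYAML only if it happens to be installed; the sample dicts it carries are constructed to mirror the template on this page, and the hostnames and credentials in the filled-in sample are made up.

```python
"""Sanity-check a proxy scanner config.yml against the rules this page states.

Added example, not Lacework's own code. The config is handled as a dict, so any
YAML loader works; PyYAML is used only when installed. Sample values are constructed.
"""
from __future__ import annotations

# Placeholder strings from the template on this page; each must be replaced.
PLACEHOLDERS = {"lacework-account", "authorization-token", "JFROG-FQDN:PORT",
                "userinregistry", "password"}

# Cache path inside the container, taken from the docker run command on this page.
CACHE_TARGET = "/opt/lacework/cache"

# Constructed sample that mirrors the page's template (every value is a placeholder).
TEMPLATE = {
    "static_cache_location": "/opt/lacework/cache",
    "lacework": {"account_name": "lacework-account",
                 "integration_access_token": "authorization-token"},
    "registries": [{
        "domain": "JFROG-FQDN:PORT", "name": "JFrog", "ssl": False,
        "credentials": {"user_name": "userinregistry", "password": "password"},
        "notification_type": "jfrog",
    }],
}


def filled_in_example() -> dict:
    """Constructed example of a completed config (hostname and secrets are made up)."""
    return {
        "static_cache_location": "/opt/lacework/cache",
        "lacework": {"account_name": "example-account",
                     "integration_access_token": "EXAMPLE-TOKEN-REPLACE-ME"},
        "registries": [{
            "domain": "artifactory.example.internal:8082", "name": "JFrog", "ssl": False,
            "credentials": {"user_name": "scanner", "password": "s3cret-example"},
            "notification_type": "jfrog",
        }],
    }


def check_registry(idx: int, reg: dict) -> list[str]:
    """Apply the domain / ssl / credential rules to one registries[] entry."""
    findings = []
    where = f"registries[{idx}]"
    for key in ("domain", "name", "ssl", "credentials", "notification_type"):
        if key not in reg:
            findings.append(f"{where}: missing '{key}'")
    domain = str(reg.get("domain", ""))
    # The domain is the host[:port] used with docker login: no scheme, no path.
    if "://" in domain or "/" in domain:
        findings.append(f"{where}: domain must be host[:port] as used by docker login, not a URL")
    if domain in PLACEHOLDERS:
        findings.append(f"{where}: domain still set to the template placeholder")
    ssl = reg.get("ssl")
    if ssl is not None and not isinstance(ssl, bool):
        findings.append(f"{where}: ssl must be a YAML boolean (true/false), got {ssl!r}")
    if ssl is True and domain.endswith(":443"):
        findings.append(f"{where}: drop ':443' from domain when ssl is true")
    creds = reg.get("credentials") or {}
    for key in ("user_name", "password"):
        if not creds.get(key):
            findings.append(f"{where}: credentials.{key} is empty")
        elif creds[key] in PLACEHOLDERS:
            findings.append(f"{where}: credentials.{key} still set to the template placeholder")
    if reg.get("notification_type") not in (None, "jfrog"):
        findings.append(f"{where}: notification_type should be 'jfrog' for a JFrog webhook")
    return findings


def validate_config(cfg: dict) -> list[str]:
    """Return a list of problems found; an empty list means the config passes."""
    findings = []
    if cfg.get("static_cache_location") != CACHE_TARGET:
        findings.append(f"static_cache_location should be {CACHE_TARGET} (the bind-mount target)")
    lw = cfg.get("lacework") or {}
    for key in ("account_name", "integration_access_token"):
        value = lw.get(key)
        if not value:
            findings.append(f"lacework.{key} is missing")
        elif value in PLACEHOLDERS:
            findings.append(f"lacework.{key} still set to the template placeholder")
    regs = cfg.get("registries")
    if not regs:
        findings.append("registries list is empty")
        return findings
    for idx, reg in enumerate(regs):
        findings.extend(check_registry(idx, reg or {}))
    return findings


if __name__ == "__main__":
    import sys
    cfg = TEMPLATE  # fall back to the built-in sample when no file is given
    if len(sys.argv) > 1:
        import yaml  # PyYAML; only needed when a real config.yml is passed
        with open(sys.argv[1]) as fh:
            cfg = yaml.safe_load(fh)
    for line in validate_config(cfg) or ["config.yml passes the checks on this page"]:
        print(line)
```

Run it as `python check_config.py config.yml` before starting the container; with no argument it reports the five placeholders left in the page's template. A finding is printed rather than raised so that the script can be wired into a pre-deploy step without masking the other problems in the same file.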
Deploy the Proxy Scanner
Before you deploy the proxy scanner, ensure that you set up a host machine with Docker installed.
- Pull the latest Lacework proxy scanner image:

```shell
docker pull lacework/lacework-proxy-scanner:latest
```

- Create a persistent storage location for the Lacework proxy scanner cache and change its ownership:

```shell
mkdir cache
chown -R 1000:65533 cache
```

- Start the Lacework proxy scanner:

```shell
docker run -d --mount type=bind,source="$(pwd)"/cache,target=/opt/lacework/cache -v "$(pwd)"/config.yml:/opt/lacework/config/config.yml -p 8080:8080 lacework/lacework-proxy-scanner
```

For debugging purposes, add -e LOG_LEVEL=debug to the docker run command:

```shell
docker run -e LOG_LEVEL=debug -d --mount ...
```

Available LOG_LEVEL options =
Configure the JFrog Registry Webhook (for notification option only)
Note: For JFrog to send webhooks, turn off Artifactory Webhook Validation.
- Navigate to the JFrog Administration Module > General > Webhooks.
- Create a new webhook and provide the following details:
  - Name: Provide a name for the webhook (for example:
  - URL: Specify the URL that the webhook invokes. Use the following options in the webhook URL: JFROG-FQDN:PORT = modify this to use your JFrog environment. See the domain field provided in the config.yml when configuring the proxy scanner.
  - Events: Select Docker Tag was pushed and/or Docker Tag was promoted.
  - Add Repositories: Select a specific repository (for example: docker-quickstart-local) or Any Local Repository.
  - Custom headers: Add any custom headers that you need.
- Click Create or Save once complete.
- Push a new image to this repository and check the scan results in Lacework container vulnerability assessment dossier (Vulnerabilities > Containers).