
Container Vulnerability

The Lacework Platform can scan container images for vulnerabilities at both build time and runtime. The Lacework CLI exposes these results through the lacework vulnerability container sub-command, which retrieves container vulnerability assessments and is designed for the people or teams responsible for tracking and remediating vulnerabilities. To help with prioritization, it can sort assessments by what is actively running in the environment and filter on vulnerabilities that have an available fix.

To view all of the container vulnerability assessments for your Lacework account over the last 7 days (the default time range):

lacework vulnerability container list-assessments

Additionally, you can filter results with the following flags:

  • --active displays only assessments of containers that are actively running in your environment
  • --fixable displays only vulnerabilities that have an available fix
  • --repository displays assessments for a specific repository
    Note: You may pass this flag multiple times to filter on multiple repositories
  • --registry displays assessments for a specific registry
  • --start specifies the start of the time range in UTC (format: yyyy-MM-ddTHH:mm:ssZ)
  • --end specifies the end of the time range in UTC (format: yyyy-MM-ddTHH:mm:ssZ)

To view all of the containers active in your environment that have vulnerabilities with an available fix:

lacework vulnerability container list-assessments --active --fixable

To request an on-demand container vulnerability scan:

lacework vulnerability container scan <registry> <repository> <tag|digest>

Where:

  • <registry> is the container registry where the container image has been published
  • <repository> is the repository name that contains the container image
  • <tag|digest> is either a tag or an image digest to scan (digest format: sha256:1ee...1d3b)

Note: Scans can take up to 15 minutes to return results.

To check the status of a container vulnerability scan and view the assessment results once it has completed:

lacework vulnerability container scan-status <request_id>

The following is an example of integrating the lacework vulnerability container command into a CI pipeline. This example requests an on-demand container vulnerability scan and waits for the scan to complete; the results are displayed in the terminal:

lacework vulnerability container scan <registry> <repository> <tag|digest> --poll --noninteractive

The --noninteractive flag disables interactive progress bars. ⏲️

When the flag --poll is specified, there are a few other flags you can use to modify the output of the assessment:

  • --fixable displays only fixable vulnerabilities
  • --packages modifies the output format to show a list of packages with CVE count
  • --html generates a vulnerability assessment in HTML format
  • --fail_on_fixable returns a non-zero exit code if the assessed container has fixable vulnerabilities
  • --fail_on_severity allows you to specify a severity threshold to fail (return a non-zero exit code) if vulnerabilities are found
    (available severities are critical, high, medium, low, and info)
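The CI gate described above, written out as a complete script. This is an added example and not Lacework's own code; it assumes the Lacework CLI is installed and already authenticated (for example through the LW_ACCOUNT, LW_API_KEY and LW_API_SECRET environment variables), that the registry is integrated with your Lacework account, and that a CI step calls the script with the image coordinates. The LACEWORK_BIN variable and the function names are this example's own conventions, not CLI features.

```shell
#!/bin/sh
# Added example (not Lacework's own code): a CI gate around
# `lacework vulnerability container scan`. Assumes the CLI is installed and
# already authenticated (e.g. via LW_ACCOUNT / LW_API_KEY / LW_API_SECRET) and
# that the registry is integrated with the Lacework account.
set -eu

# Reject a severity the CLI would not accept before a scan is requested, so a
# typo in the pipeline config fails fast instead of after a 15-minute scan.
valid_severity() {
  case "$1" in
    critical|high|medium|low|info) return 0 ;;
    *) return 1 ;;
  esac
}

# Request an on-demand scan, wait for the result (--poll), and fail the job
# when the image has vulnerabilities at or above the severity threshold.
# Usage: container_gate <registry> <repository> <tag|digest> [severity]
# Exit status: 0 image passed, 1 findings at/above threshold (or the CLI
# itself failed, which is treated as a failed gate), 2 usage error.
container_gate() {
  registry="$1"; repository="$2"; ref="$3"; severity="${4:-high}"
  if ! valid_severity "$severity"; then
    echo "usage: severity must be one of critical, high, medium, low, info (got '$severity')" >&2
    return 2
  fi
  # LACEWORK_BIN (this example's own convention) lets a pipeline pin a specific
  # binary; it defaults to `lacework` on PATH.
  if "${LACEWORK_BIN:-lacework}" vulnerability container scan \
       "$registry" "$repository" "$ref" \
       --poll --noninteractive --fail_on_severity "$severity"; then
    echo "PASS: $registry/$repository@$ref has no vulnerabilities at or above '$severity'"
    return 0
  fi
  echo "FAIL: $registry/$repository@$ref has vulnerabilities at or above '$severity' (or the scan failed)" >&2
  return 1
}

# Run the gate only when invoked directly with arguments, e.g. from a CI step:
#   ./container-gate.sh docker.io acme/api v1.4.2 high
if [ "$#" -ge 3 ]; then
  container_gate "$@"
fi
```

Because --fail_on_severity turns findings into a non-zero exit code, and any CLI error (authentication, network, unknown registry) is also non-zero, the gate fails closed: a broken scan never lets an image through silently. Pin the image by digest rather than tag where your pipeline can, so the assessment is tied to the exact bytes you are about to deploy.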

To view a specific container vulnerability assessment, use the command:

lacework vulnerability container show-assessment <sha256:hash>

By default, this command expects a sha256 image digest or a tag. To look up an assessment by its image ID, use the flag --image_id followed by the sha256 image ID.

You can extend the details of a vulnerability assessment by providing the flag --details.

Additionally, there are a few more flags you can use to modify the output of the assessment:

  • --fixable displays only fixable vulnerabilities
  • --packages modifies the output format to show a list of packages with CVE count
  • --html generates a vulnerability assessment in HTML format
  • --csv outputs the assessment in CSV format
  • --fail_on_fixable returns a non-zero exit code if the assessed container has fixable vulnerabilities, so automated pipelines can fail on it
  • --fail_on_severity allows you to specify a severity threshold to fail (return a non-zero exit code) if vulnerabilities are found (available severities are critical, high, medium, low, and info)

Generate Static HTML Vulnerability Assessment

To give developers clear, actionable insights for understanding and remediating vulnerabilities, the Lacework CLI can generate static HTML files of container vulnerability assessments.

Use the flag --html in the following commands:

  • lacework vulnerability container scan
  • lacework vulnerability container scan-status
  • lacework vulnerability container show-assessment

The result is a standalone HTML file that can be downloaded and shared with other teams without any additional artifacts, and it looks exactly like the Lacework Console! 🖥️