
Integrate GitHub Container Registry

Container Registry Support

GitHub Container Registry integrations support:

  • Registry notification - scans occur for each image push.
  • On-demand scans via the API.

Integration Setup Overview

Integration setup consists of the following steps:

  1. Create a container registry integration in the Lacework Console.
  2. Choose one of the following options:
    1. Add a webhook in GitHub for registry notification.
    2. Set up image assessment through the Lacework API.

To create the integration in the Lacework Console:

  1. Log in to the Lacework Console with an account that has admin permissions.
  2. Navigate to Settings > Integrations > Container registries.
  3. Click + Add New.
  4. Select GitHub Container Registry.
  5. Click Next.
  6. Follow the steps in the next section.

Integrate with GitHub Container Registry

To integrate GitHub Container Registry with Lacework, follow these steps:

  1. Configure the registry and complete any optional settings.
  2. Click Save. The integration status displays Integration Successful only after its first assessment completes.
  3. If you subscribed to notifications, go to Registry Notification. Otherwise, go to Set Up Image Assessment through the API to set up on-demand scans.

Configure Registry

Name: Specify a unique name for the container registry in the Lacework Console.

Username: Specify the GitHub user whose token is used to pull images for assessment. The account needs read access to the packages you want assessed and nothing more.

Password: Specify a GitHub personal access token that belongs to that user. To generate one, open your GitHub user settings and navigate to Settings > Developer settings > Personal access tokens > Generate new token. The only scope required is read:packages; do not grant write:packages or delete:packages, because Lacework only pulls images for assessment. Treat the token as a credential: it is stored by the integration and is the same credential GitHub uses to pull private images.

SSL: Select True if the registry uses SSL (TLS). You can use either a valid certificate issued by a trusted Certificate Authority (CA) or a self-signed certificate. ghcr.io is served over HTTPS only, so leave this set to True; selecting False requests an unencrypted channel.

Registry Domain: Displays a drop-down with the field ghcr.io for the GitHub Container Registry.

Subscribe to Registry Notifications: Optionally select True to subscribe to notifications. If you do, you must also add the organization webhook described under Registry Notification; without it no push events reach Lacework.

Optional Settings

Limit Image Tags: If you do not want to assess all images in this registry, specify text from an image tag so that only images whose tags contain the matching text are assessed. To change which images are assessed, update this field; the change is captured during the next polling period. You can enter multiple tags. Single wildcards are also supported and can match multiple image tags (for example, abc* or *xyz). If you specify both tag and label limits, they are combined with AND.

Limit Image Labels: If you do not want to assess all images in this registry, specify key:value pairs so that only images whose labels match are assessed. To change which images are assessed, update this field; the change is captured during the next polling period. Supported field input: key:value. If you specify both tag and label limits, they are combined with AND.

Limit Repositories: If you do not want to discover or assess all repositories in this registry, specify a comma-separated list of repositories to discover and assess (no spaces recommended). To change which repositories are assessed, update this field; the change is captured during the next polling period.

NOTE: Do not include the registry in the repository name(s). For ghcr.io this means org/image, not ghcr.io/org/image.

Images per Repo: Set the maximum number of newest container images to discover and scan per repository. See Platform Scanner - Default Scanning Quotas for the maximum setting.

Non-OS Package Support: This feature is enabled by default. Select No if you want to disable scanning of language libraries (application dependencies such as npm, pip, or Maven packages inside the image).

Registry Notification

Lacework can receive notifications that the registry sends in response to events within the registry. When Lacework receives a manifest push notification, it assesses the pushed image.

When the integration subscribes to notifications, you must add a webhook in GitHub that carries additional information from Lacework.

When you create or edit the integration, the following additional information is available:

  • Listener URL
  • Authorization Token - an integration-specific, long-lived server token. GitHub uses the value you enter as the webhook Secret to compute an HMAC signature over every delivery, so store it as you would any other credential.

The listener URL and token are available on the Container Registry page. Click the integration name and copy both items from the details pane. This information is required for the next steps.

Each integration has exactly one token. If the integration unsubscribes from notifications and then subscribes again, Lacework reuses the same token.

Add a Webhook to GitHub

If you subscribed to notifications, you must add a webhook to your GitHub organization and enter the notification listener URL and authorization token.

  1. In GitHub, navigate to the organization where you want to add a webhook.

    Note: You must use an organization webhook. Repository webhooks cannot be used.

  2. Click Webhooks.
  3. Click Add webhook.
  4. For Payload URL, paste the integration's listener URL from the Lacework Console, such as:
    https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR
  5. For Content type, select application/json.
  6. For Secret, paste the integration's authorization token. GitHub signs each delivery with this secret (the X-Hub-Signature-256 header), which is what allows the listener to reject payloads that did not come from GitHub.
  7. For Which events would you like to trigger this webhook?, click Let me select individual events.
    Then select registry_package from the list of events.
  8. Click Active.
  9. Click Add webhook.
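To show what the Secret in step 6 actually buys you, the following is an added example of the receiving side of this webhook: it verifies GitHub's HMAC-SHA256 signature over the raw body before parsing, then extracts the pushed image from a registry_package event. It is not Lacework's listener code; the payload shape, field names, and sample values are constructed for the example and only approximate GitHub's registry_package payload.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed placeholder: in practice this is the integration's authorization
# token copied from the Lacework Console and pasted into GitHub's Secret field.
WEBHOOK_SECRET = b"lacework-integration-token-placeholder"


def sign(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub sends in X-Hub-Signature-256 for a delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over the raw body.

    The comparison is constant-time; a plain == would leak how many leading
    characters of a forged signature were correct.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def image_from_event(event_name: str, payload: dict) -> Optional[str]:
    """Return ghcr.io/<owner>/<package>:<tag> for a published container package, else None.

    Field names (registry_package, package_type, package_version,
    container_metadata) are assumptions modelled on GitHub's event payloads.
    """
    if event_name != "registry_package":
        return None
    if payload.get("action") not in ("published", "updated"):
        return None
    pkg = payload.get("registry_package", {})
    if pkg.get("package_type") != "container":
        return None
    version = pkg.get("package_version", {})
    tag = version.get("container_metadata", {}).get("tag", {}).get("name")
    owner = pkg.get("namespace")
    name = pkg.get("name")
    if not (owner and name and tag):
        return None
    return f"ghcr.io/{owner}/{name}:{tag}"


def handle_delivery(headers: dict, body: bytes) -> Tuple[int, str]:
    """Listener logic: reject bad signatures before touching the JSON at all."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401, "invalid signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    image = image_from_event(headers.get("X-GitHub-Event", ""), payload)
    if image is None:
        return 204, "ignored"
    return 202, f"queued assessment for {image}"


# Constructed sample delivery; only the fields this code reads are present.
SAMPLE_BODY = json.dumps({
    "action": "published",
    "registry_package": {
        "name": "api-server",
        "namespace": "example-org",
        "package_type": "container",
        "package_version": {"container_metadata": {"tag": {"name": "v1.4.2"}}},
    },
}).encode()

SAMPLE_HEADERS = {
    "X-GitHub-Event": "registry_package",
    "X-Hub-Signature-256": sign(WEBHOOK_SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY))
    # Same headers, body altered in transit: the signature no longer matches.
    print(handle_delivery(SAMPLE_HEADERS, SAMPLE_BODY.replace(b"v1.4.2", b"latest")))
```

Two points carry over to any receiver you put in front of a scanner: sign the raw bytes, not a re-serialized JSON object (re-encoding changes whitespace and key order and breaks the MAC), and filter on the event name and package_type so that non-container packages in the same organization do not trigger image assessments.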

Set Up Image Assessment through the API

If you did not subscribe to notifications, you can instead trigger assessments on demand, for example by making an API call from your build pipeline each time an image is pushed, so that Lacework assesses it:

POST https://YourLacework.lacework.net/api/v2/Webhooks/Signatures/GithubCR

For information about setting up container image assessment, including the request body and authentication, see the Vulnerabilities section in the Lacework API (v2) documentation.