Skip to main content

Integrate the Lacework Inline Scanner with CI Pipelines

Overview

The Lacework inline scanner supports integration with Continuous Integration (CI) tooling to scan container images as part of the build process.

The Lacework inline scanner is written in Go and runs on Linux, macOS and Windows. For more information on installing and configuring the Lacework inline scanner, see Integrate Inline Scanner.

ci_cd.png

You can track your Continuous Integration runs by adding the build ID or build plan to your assessment reports:

lw-scanner image evaluate debian 10 --build-id YOUR_BUILD_ID --build-plan YOUR_BUILD_PLAN

You can find the build id and build plan values as Environment tags in the Lacework Console.

Upgrades

When installing a new version of the inline scanner, be aware of the following:

Existing configuration will not be overwritten, including environment variables. As such, any new default behavior will not become active unless you explicitly configure it after upgrading.

For example, from v0.2.4 onwards, language libraries are scanned by default. If this feature was previously disabled in your configuration, it will remain disabled. Use the LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=false environment variable to enable it.

Deleting Existing Configuration (Optional)

If you wish to install a new version of the inline scanner and remove any previous configuration, use the configure reset command before installing.

Saving Evaluation Results to Lacework Console

After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.

To keep the same behavior as before, perform one of the following options:

  • Run the configure data command and enter true for Save results in platform.
  • Use the LW_SCANNER_SAVE_RESULTS=true environment variable on your local or CI/CD system.
  • Use the --save flag when running the image evaluate or image scan commands.

Support for Proxy Server

The Lacework inline scanner needs to communicate with the Lacework SaaS to evaluate images. The communication can be done via a proxy server. The scanner follows the HTTP_PROXY and HTTPS_PROXY environment variables if set in your Continuous Integration system.

Support for Language Library Packages

This feature is enabled by default. Find out more about this feature in the Language Libraries Support section.

note

Prior to v0.2.4, inline scanner releases do not have this feature enabled by default.

Disable Language Library Scanning

To disable scanning of language libraries, use the following environment variable or command flag (with image evaluate) in your CI/CD system:

Environment variable
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=true
Command flag
--disable-library-package-scanning

Sample Container Vulnerability Data from the Lacework Inline Scanner

Data returned from the Lacework inline scanner provides a wealth of information about vulnerabilities found in images, their severity, and what is fixable. The Lacework inline scanner is designed for individuals or teams responsible for tracking and remediating vulnerabilities. It provides relevant data to help with prioritization through the ability to sort assessments by what is actively running in the environment and by filtering vulnerabilities that have fixes.

The following example is the human-readable output of a container vulnerability assessment with 20 vulnerabilities from which only one of the vulnerabilities could be fixed.

lw-scanner-darwin-amd64 image evaluate debian 10 --fixable

CONTAINER IMAGE DETAILS VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
ID sha256:4a7a1f4017349067a21bd2de060dcf8b41e49fabf61b0dc3cf86a87e1f6dba9d SEVERITY COUNT FIXABLE
Digest sha256:acf7795dc91df17e10effee064bd229580a9c34213b4dba578d64768af5d8c51 -----------+-------+----------
Registry remote_scanner Critical 0 0
Repository debian High 3 1
Size 108.8 MB Medium 9 0
Created At 2021-05-12T01:21:03.936Z Low 13 0
Tags 10 Info 39 0

CVE ID SEVERITY PACKAGE CURRENT VERSION FIX VERSION INTRODUCED IN LAYER
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------
CVE-2021-3520 High lz4 1.8.3-1 1.8.3-1+deb10u1 ADD
file:1a1eae7a82c66d673971436ce2605e97d107e2934b7cdec876c64923ae6f4f85
in /
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------

info

You can switch the output of the inline scanner command to JSON format with the flag -v=false. You can also use the --html flag to generate a report in HTML format.

Configuration Options

The CI system examples use the image evaluate command to provide a human-readable output of container vulnerabilities. You can also use image scan command depending on your requirements.

Add additional flags to these command to suit your needs, see Image Evaluate Command and Image Scan Command for details about each flag.

Configuration using Environment Variables

Alternatively to command flags, set environment variables on your CI/CD system. The following table displays the available environment variables:

Variable NameValueDefault
LW_ACCOUNT_NAME (*)Your Lacework account name. Examples:
If your login URL is 'mycompany.lacework.net', the account name is mycompany.
If your login URL is 'mycompany.fra.lacework.net', the account name is mycompany.fra.
N/A
LW_ACCESS_TOKEN (*)Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console.N/A
LW_SCANNER_SAVE_RESULTSWhen set to true, this will save evaluation results to the Lacework Console. This is not available for image scan.false
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNINGWhen set to true, this will disable image evaluations for non-OS library packages.false
LW_SCANNER_DISABLE_UPDATESWhen set to true, this will disable the update prompt at the end of the output if there is a new version of the Lacework scanner available.false

(*) = required variable.

See also Global Flags using Environment Variables.

info

The Lacework scanner will honor the standard Linux HTTP_PROXY and HTTPS_PROXY environment variables if they are set in your CI system.

Integrate with CI systems

The following are examples of integrating the Lacework inline scanner command into a few popular CI systems:

Integrate with Jenkins

The following is an example of Jenkins pipeline using Docker to pull an image and the Lacework inline scanner to evaluate the image.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

This simple Jenkins pipeline takes IMAGE_NAME, IMAGE_TAG, and BUILD_ID as inputs.

Every Jenkins slave that executes this pipeline must have the following installed:

  • curl
  • docker cli

Add the following variables to your Jenkins Credentials as Secret Text:

pipeline {
agent any

environment {
LW_ACCESS_TOKEN = credentials('LW_ACCESS_TOKEN')
LW_ACCOUNT_NAME = credentials('LW_ACCOUNT_NAME')
}

parameters {
string (name: 'IMAGE_NAME',
description: "Specify Image Name",
defaultValue: '')
string (name: 'IMAGE_TAG',
description: "Specify Image Tag",
defaultValue: '')
}

stages {
stage('Pull') {
steps {
echo 'Pulling image ...'
sh "docker pull ${IMAGE_NAME}:${IMAGE_TAG}" //Pull the image to scan
}
}
stage('Scan') {
steps {
echo 'Scanning image ...'
sh "curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner"
sh "chmod +x lw-scanner"
sh "./lw-scanner image evaluate ${IMAGE_NAME} ${IMAGE_TAG} --build-id ${BUILD_ID}"
}
}
}
}

Optionally, you can implement the exit codes to prevent container images from being deployed due to a policy violation, see Exit codes for Policy Violations

You need to create container vulnerability policies before implementing the exit codes. To create vulnerability policies, see Vulnerability Policy Management

For more details on integrating Lacework with Jenkins, see the blog post Up and Running with Lacework and Jenkins.

Integrate with Azure DevOps

This sample azure-pipelines.yml file demonstrates building a sample image azure.devops/app:latest and scanning it with Lacework:

trigger:
- up_and_running

pool:
vmImage: 'ubuntu-latest'

steps:
- script: |
docker build -t azure.devops/app:latest .
displayName: 'Build a docker image'
- script: |
apt-get update
apt-get -y install curl
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
chmod u+x lw-scanner
./lw-scanner image evaluate azure.devops/app latest
displayName: 'Scan the image'
env:
LW_ACCESS_TOKEN: $(LW_ACCESS_TOKEN)
LW_ACCOUNT_NAME: $(LW_ACCOUNT_NAME)

Add the variables LW_ACCESS_TOKEN and LW_ACCOUNT_NAME to your pipeline in Azure DevOps. See Integrate Inline Scanner to retrieve the values.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

Integrate with TravisCI

This sample .travis.yml file demonstrates scanning an image with Lacework.

services:
- docker

# Environment variables. These can be set up once in Travis instead of .travis.yml
env:
global:
- LW_ACCESS_TOKEN=YourAccessToken
- LW_ACCOUNT_NAME=YourAccountName

script: ->
docker run
-e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME
-e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
-v /var/run/docker.sock:/var/run/docker.sock
lacework/lacework-inline-scanner:latest image evaluate YourImageNameToScan YourImageTagToScan
--build-id $TRAVIS_BUILD_ID --build-plan $TRAVIS_JOB_NAME

Integrate with GitHub Actions

Add the variables LW_ACCESS_TOKEN and LW_ACCOUNT_NAME to your pipeline in GitHub Actions. See Configure Authentication Using Environment Variables and GitHub Environments Documentation

- uses: lacework/lw-scanner-action@v1.0.0
name: Scan container image for vulnerabitilies using Lacework
with:
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
IMAGE_NAME: YourImageName
IMAGE_TAG: YourImageTag

For more information about other available options, see Github Action for using the Lacework inline scanner.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

Integrate with Gitlab

The following is an example of a gitlab.yaml file using Docker to build an image and the Lacework inline scanner to evaluate the image.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

stages:
- build
docker:image:
stage: build
image: docker:1.11
services:
- docker:dind
script:
- docker build -t image_name:tag .
- apt-get update &&
- apt-get -y install curl &&
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
- chmod u+x lw-scanner &&
- ./lw-scanner image evaluate image_name tag
- echo "Performing Vulnerability Scan powered by Lacework"
  1. Add the following variables to your Gitlab project through the Gitlab console.
  2. Go to your project’s Settings > CI/CD and select Variables.
  3. Click Add Variable.
  4. Add LW_ACCESS_TOKEN with the token value.
  5. Add LW_ACCOUNT_NAME with the name value.

Integrate with Bitbucket Pipelines

The Lacework Scan Bitbucket Pipe lets you integrate Lacework container security capabilities into your Bitbucket Pipeline's CI/CD. It allows you to scan and assess Docker container images and software packages for vulnerabilities during the build stage. Optionally, you can stop and fail the build when issues are detected to prevent vulnerable software from being deployed.

Container vulnerability policies must be set in Lacework in order to block CI/CD builds. Learn how to create a policy and attach the policy to the inline scanner integration.

Lacework Console CI/CD Example Policy

Here's a full example Bitbucket Pipeline using the Lacework Scan pipe.

Add the following snippet to the script section of your bitbucket-pipelines.yml file:

script:
- pipe: lacework/lacework-scan:1.1.6
variables:
LW_ACCOUNT_NAME: "<string>" # Required
LW_ACCESS_TOKEN: "<string>" # Required
IMAGE_NAME: "<string>" # Required
IMAGE_TAG: "<string>" # Required

Pipe Variables

Use the following variables to control the Lacework Scan Bitbucket pipe behavior.

VariableUsage
LW_ACCOUNT_NAME (*)Your Lacework account name. For example, if your login URL is mycompany.lacework.net, the account name is mycompany.
LW_ACCESS_TOKEN (*)Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console.
IMAGE_NAME (*)The local Docker image to scan.
IMAGE_TAG (*)The local Docker image tag .

(*) = required variable.

Integrate with AWS CodeBuild

AWS CodeBuild is a fully managed cloud CI service that can build your source code and test and deploy your applications. You can integrate the Lacework inline scanner into the AWS CodeBuild build stage to discover software vulnerabilities. Optionally, you can use AWS CodeBuild with AWS CodePipeline to orchestrate multiple AWS CodeBuild projects that build and deploy. An example of using Lacework with AWS CodePipeline and CodeBuild can be found in this repository.

To add the Lacework inline scanner to your AWS CodeBuild project, follow this AWS CodeBuild buildspec example that performs a Docker build, Lacework vulnerability scan and then a Docker push to Amazon Elastic Container Registry (ECR).

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

This example shows you how to pull the Lacework inline scanner account and token from the SSM parameter store, set environment variables, and install and run the Lacework inline scanner. Vulnerability results appear in the AWS CodeBuild build logs.

version: 0.2
env:
parameter-store:
LW_ACCOUNT_NAME: "LWAccountName" # pull Lacework inline scanner parameters from SSM parameter store
LW_ACCESS_TOKEN: "InlineScannerToken"
phases:
build:
commands:
- docker build -t "$DOCKER_REG/$IMAGE_NAME:$CODEBUILD_BUILD_NUMBER" -t "$DOCKER_REG/$IMAGE_NAME:latest" .
post_build:
commands:
- export LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME #Set Lacework inline scanner environment variables
- export LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
- export LW_SCANNER_DISABLE_UPDATES=true
- export LW_SCANNER_SAVE_RESULTS=true
- rm -rf ./evaluations/$IMAGE_NAME/$CODEBUILD_BUILD_NUMBER/evaluation_*.json || true
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner # install
- chmod +x lw-scanner
- ./lw-scanner image evaluate $DOCKER_REG/$IMAGE_NAME $CODEBUILD_BUILD_NUMBER --build-id $CODEBUILD_BUILD_NUMBER --data-directory . # execute
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $DOCKER_REG
- docker image push -a "$DOCKER_REG/$IMAGE_NAME"

Integrate with Circle CI

CircleCI is a continuous integration and delivery platform that you can use to implement DevOps practices.

The following example shows you how to run a container vulnerability scan with Lacework.

orbs:
lacework: lacework/lacework@x.y
version: 2.1
workflows:
scan_my_container:
jobs:
- lacework/ctr-vuln-scan:
registry: index.docker.io
repository: lacework/lacework-cli

The following example shows you how to generate the container vulnerability assessment in HTML format and store the artifact automatically with Lacework.

orbs:
lacework: lacework/lacework@x.y
version: 2.1
workflows:
scan_container_and_generate_html_artifact:
jobs:
- lacework/ctr-vuln-scan:
html: true
registry: index.docker.io
repository: lacework/lacework-cli

Optionally, you can implement exist codes to stop the pipelines when the scan returns fixable vulnerabilities, see Exit codes for Policy Violations.

To enable the exit codes, set fail_on_fixable attribute to true.

orbs:
lacework: lacework/lacework@x.y
version: 2.1
workflows:
scan_container_and_terminate_pipeline_on_fixable_vuln:
jobs:
- lacework/ctr-vuln-scan:
fail_on_fixable: true
html: true
registry: index.docker.io
repository: lacework/lacework-cli

The following example shows you how to scan an image with Lacework.

orbs:
lacework: lacework/lacework@x.y
version: 2.1
workflows:
scan_my_container:
jobs:
- lacework/inline-scanner-scan:
image_name: lacework/lacework-cli
image_tag: latest

The following example shows you how to scan a package manifest with Lacework.

orbs:
lacework: lacework/lacework@x.y
version: 2.1
workflows:
scan_my_container:
jobs:
- lacework/scan-pkg-manifest:
manifest: >-
{ "os_pkg_info_list": [ { "os":"Ubuntu", "os_ver":"18.04", "pkg":
"openssl", "pkg_ver": "1.1.1-1ubuntu2.1~18.04.5" } ] }

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

Docker Image for Inline Scanner

The inline scanner is also distributed in a Docker image and you can use it as an alternative to the binary in CI systems.

Run the Docker image to start a Docker daemon on your host using the default daemon socket (/var/run/docker.sock). This creates a single container that can perform the following commands:

All other commands are disabled.

info

If you want to run the Docker image inside another Docker image, ensure that the host image is running Docker before deployment.

CPU and Memory Resources

See Inline Scanner - CPU and Memory Resources for resource recommendations.

Download the Image

Pull the image from the Lacework repository:

docker pull lacework/lacework-inline-scanner:latest

Use the Image

The configure commands are disabled for the Docker image. See Configuration using Environment Variables for environmental configuration options.

note

LW_SCANNER_DISABLE_UPDATES is set to true by default for the docker image which provides a cleaner output.

image evaluate

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest \
--build-id myBuildId123 --build-plan myBuildPlan

Add or remove image evaluate flags depending on your requirements.

image scan

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest

Add or remove image scan flags depending on your requirements.

version

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-e LW_SCANNER_DISABLE_UPDATES=false \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
version

In this example, setting LW_SCANNER_DISABLE_UPDATES=false prompts you if a new version of the inline scanner is available.