Skip to main content

Integrate the Lacework Inline Scanner with CI Pipelines

Overview

The Lacework inline scanner supports integration with Continuous Integration (CI) tooling to scan container images as part of the build process.

The Lacework inline scanner is written in Go and runs on Linux, macOS and Windows. For more information on installing and configuring the Lacework inline scanner, see Integrate Inline Scanner.

CI/CD with Lacework Inline Scanner

You can track your Continuous Integration runs by adding the build ID or build plan to your assessment reports:

lw-scanner image evaluate debian 10 --build-id YOUR_BUILD_ID --build-plan YOUR_BUILD_PLAN

You can find the build id and build plan values as Environment tags in the Lacework Console.

Upgrades

When installing a new version of the inline scanner, be aware of the following:

Existing configuration will not be overwritten, including environment variables. As such, any new default behavior will not become active unless you explicitly configure it after upgrading.

For example, from v0.2.4 onwards, language libraries are scanned by default. If this feature was previously disabled in your configuration, it will remain disabled. Use the LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=false environment variable to enable it.

Deleting Existing Configuration (Optional)

If you wish to install a new version of the inline scanner and remove any previous configuration, use the configure reset command before installing.

Saving Evaluation Results to Lacework Console

After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.

To keep the same behavior as before, perform one of the following options:

  • Run the configure data command and enter true for Save results in platform.
  • Use the LW_SCANNER_SAVE_RESULTS=true environment variable on your local or CI/CD system.
  • Use the --save flag when running the image evaluate or image scan commands.

Support for Proxy Server

The Lacework inline scanner needs to communicate with the Lacework SaaS to evaluate images. The communication can be done via a proxy server. The scanner follows the HTTP_PROXY and HTTPS_PROXY environment variables if set in your Continuous Integration system.

Support for Language Library Packages

This feature is enabled by default. Find out more about this feature in the Language Libraries Support section.

note

Prior to v0.2.4, inline scanner releases do not have this feature enabled by default.

Disable Language Library Scanning

To disable scanning of language libraries, use the following environment variable or command flag (with image evaluate) in your CI/CD system:

Environment variable
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=true
Command flag
--disable-library-package-scanning

Sample Container Vulnerability Data from the Lacework Inline Scanner

Data returned from the Lacework inline scanner provides a wealth of information about vulnerabilities found in images, their severity, and what is fixable. The Lacework inline scanner is designed for individuals or teams responsible for tracking and remediating vulnerabilities. It provides relevant data to help with prioritization through the ability to sort assessments by what is actively running in the environment and by filtering vulnerabilities that have fixes.

The following example is the human-readable output of a container vulnerability assessment with 20 vulnerabilities from which only one of the vulnerabilities could be fixed.

lw-scanner-darwin-amd64 image evaluate debian 10 --fixable

CONTAINER IMAGE DETAILS VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
ID sha256:4a7a1f4017349067a21bd2de060dcf8b41e49fabf61b0dc3cf86a87e1f6dba9d SEVERITY COUNT FIXABLE
Digest sha256:acf7795dc91df17e10effee064bd229580a9c34213b4dba578d64768af5d8c51 -----------+-------+----------
Registry remote_scanner Critical 0 0
Repository debian High 3 1
Size 108.8 MB Medium 9 0
Created At 2021-05-12T01:21:03.936Z Low 13 0
Tags 10 Info 39 0

CVE ID SEVERITY PACKAGE CURRENT VERSION FIX VERSION INTRODUCED IN LAYER
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------
CVE-2021-3520 High lz4 1.8.3-1 1.8.3-1+deb10u1 ADD
file:1a1eae7a82c66d673971436ce2605e97d107e2934b7cdec876c64923ae6f4f85
in /
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------

info

You can switch the output of the inline scanner command to JSON format with the flag -v=false. You can also use the --html flag to generate a report in HTML format.

Configuration Options

The CI system examples use the image evaluate command to provide a human-readable output of container vulnerabilities. You can also use image scan command depending on your requirements.

Add additional flags to these command to suit your needs, see Image Evaluate Command and Image Scan Command for details about each flag.

Configuration using Environment Variables

Alternatively to command flags, set environment variables on your CI/CD system. The following table displays the available environment variables:

Variable NameValueDefault
LW_ACCOUNT_NAME (*)Your Lacework account name. Example:
If your login URL is 'mycompany.lacework.net', the account name is mycompany.
N/A
LW_ACCESS_TOKEN (*)Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console.N/A
LW_SCANNER_SAVE_RESULTSWhen set to true, this will save evaluation results to the Lacework Console. This is not available for image scan.false
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNINGWhen set to true, this will disable image evaluations for non-OS library packages.false
LW_SCANNER_DISABLE_UPDATESWhen set to true, this will disable the update prompt at the end of the output if there is a new version of the Lacework scanner available.false

(*) = required variable.

See also Global Flags using Environment Variables.

info

The Lacework scanner will honor the standard Linux HTTP_PROXY and HTTPS_PROXY environment variables if they are set in your CI system.

Integrate with CI systems

The following are examples of integrating the Lacework inline scanner command into a few popular CI systems:

Integrate with Jenkins

The following is an example of Jenkins pipeline using Docker to pull an image and the Lacework inline scanner to evaluate the image.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

This simple Jenkins pipeline takes IMAGE_NAME, IMAGE_TAG, and BUILD_ID as inputs.

Every Jenkins slave that executes this pipeline must have the following installed:

  • curl
  • docker cli

Add the following variables to your Jenkins Credentials as Secret Text:

pipeline {
agent any

environment {
LW_ACCESS_TOKEN = credentials('LW_ACCESS_TOKEN')
LW_ACCOUNT_NAME = credentials('LW_ACCOUNT_NAME')
}

parameters {
string (name: 'IMAGE_NAME',
description: "Specify Image Name",
defaultValue: '')
string (name: 'IMAGE_TAG',
description: "Specify Image Tag",
defaultValue: '')
}

stages {
stage('Pull') {
steps {
echo 'Pulling image ...'
sh "docker pull ${IMAGE_NAME}:${IMAGE_TAG}" //Pull the image to scan
}
}
stage('Scan') {
steps {
echo 'Scanning image ...'
sh "curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner"
sh "chmod +x lw-scanner"
sh "./lw-scanner image evaluate ${IMAGE_NAME} ${IMAGE_TAG} --build-id ${BUILD_ID}"
}
}
}
}

Optionally, you can implement the exit codes to prevent container images from being deployed due to a policy violation, see Exit codes for Policy Violations

You need to create container vulnerability policies before implementing the exit codes. To create vulnerability policies, see Vulnerability Policy Management

For more details on integrating Lacework with Jenkins, see the blog post Up and Running with Lacework and Jenkins.

Integrate with Azure DevOps

This sample azure-pipelines.yml file demonstrates building a sample image azure.devops/app:latest and scanning it with Lacework:

trigger:
- up_and_running

pool:
vmImage: 'ubuntu-latest'

steps:
- script: |
docker build -t azure.devops/app:latest .
displayName: 'Build a docker image'
- script: |
apt-get update
apt-get -y install curl
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
chmod u+x lw-scanner
./lw-scanner image evaluate azure.devops/app latest
displayName: 'Scan the image'
env:
LW_ACCESS_TOKEN: $(LW_ACCESS_TOKEN)
LW_ACCOUNT_NAME: $(LW_ACCOUNT_NAME)

Add the variables LW_ACCESS_TOKEN and LW_ACCOUNT_NAME to your pipeline in Azure DevOps. See Integrate Inline Scanner to retrieve the values.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

Integrate with TravisCI

This sample .travis.yml file demonstrates scanning an image with Lacework.

Default daemon socket

This example sets the /var/run/docker.sock default option, which is not generally recommended.

Consider adjusting the daemon socket option to suit your environment.

services:
- docker

# Environment variables. These can be set up once in Travis instead of .travis.yml
env:
global:
- LW_ACCESS_TOKEN=YourAccessToken
- LW_ACCOUNT_NAME=YourAccountName

script: ->
docker run
-e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME
-e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
-v /var/run/docker.sock:/var/run/docker.sock
lacework/lacework-inline-scanner:latest image evaluate YourImageNameToScan YourImageTagToScan
--build-id $TRAVIS_BUILD_ID --build-plan $TRAVIS_JOB_NAME

Integrate with GitHub Actions

You can use the Inline Scanner executable or the Docker Image for Inline Scanner with GitHub Actions.

Add the variables LW_ACCESS_TOKEN and LW_ACCOUNT_NAME to your pipeline in GitHub Actions. See Configuration Using Environment Variables for guidance on these parameters.

Example
jobs:
build:
steps:
- uses: lacework/lw-scanner-action@v1.4.0
name: Scan container images for vulnerabitilies using Lacework
with:
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
IMAGE_NAME: myRepositoryName/myImageName
IMAGE_TAG: v1.0.0

For more information about other available options, see GitHub Action for the Lacework Inline Scanner.

Policy Exit Code Blocking for GitHub Actions

By default, the GitHub Action for the Lacework Inline Scanner returns an exit code of 1 if any enabled container vulnerability policy fails and is set to block mode.

You may want to automatically output the results from the scan to a GitHub PR comment, so that they can be easily read in GitHub.

The following is an example of how to achieve this using the actions-comment-pull-request GitHub Action:

GitHub Action - PR comment example for Lacework Inline Scanner results
      - uses: lacework/lw-scanner-action@v1.4.0
name: Scan container image for vulnerabitilies using Lacework
with:
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
IMAGE_TAG: ${{ env.GHA_SHA }}
SAVE_RESULTS_IN_LACEWORK: true
RESULTS_IN_GITHUB_SUMMARY: true

- name: Change formatting for PR
run: |
echo "# Lacework Inline Scanner Result" > pr-results.md
echo "<pre>" >> pr-results.md
cat results.stdout >> pr-results.md
echo "</pre>" >> pr-results.md

- name: Comment PR
uses: thollander/actions-comment-pull-request@v2
with:
filePath: pr-results.md

Integrate with Gitlab

The following is an example of a gitlab.yaml file using Docker to build an image and the Lacework inline scanner to evaluate the image.

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

stages:
- build
docker:image:
stage: build
image: docker:1.11
services:
- docker:dind
script:
- docker build -t image_name:tag .
- apk update &&
- apk add --no-cache curl &&
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
- chmod u+x lw-scanner &&
- ./lw-scanner image evaluate image_name tag
- echo "Performing Vulnerability Scan powered by Lacework"
  1. Add the following variables to your Gitlab project through the Gitlab console.
  2. Go to your project’s Settings > CI/CD and select Variables.
  3. Click Add Variable.
  4. Add LW_ACCESS_TOKEN with the token value.
  5. Add LW_ACCOUNT_NAME with the name value.

Integrate with Bitbucket Pipelines

The Lacework Scan Bitbucket Pipe lets you integrate Lacework container security capabilities into your Bitbucket Pipeline's CI/CD. It allows you to scan and assess Docker container images and software packages for vulnerabilities during the build stage. Optionally, you can stop and fail the build when issues are detected to prevent vulnerable software from being deployed.

Container vulnerability policies must be set in Lacework in order to block CI/CD builds. Learn how to create a policy and attach the policy to the inline scanner integration.

Lacework Console CI/CD Example Policy

Here's a full example Bitbucket Pipeline using the Lacework Scan pipe.

Add the following snippet to the script section of your bitbucket-pipelines.yml file:

script:
- pipe: lacework/lacework-scan:1.2.0
variables:
LW_ACCOUNT_NAME: "<string>" # Required
LW_ACCESS_TOKEN: "<string>" # Required
IMAGE_NAME: "<string>" # Required
IMAGE_TAG: "<string>" # Required

(You can also use lacework/lacework-scan:latest)

Pipe Variables

Use the following variables to control the Lacework Scan Bitbucket pipe behavior.

VariableUsage
LW_ACCOUNT_NAME (*)Your Lacework account name. For example, if your login URL is mycompany.lacework.net, the account name is mycompany.
LW_ACCESS_TOKEN (*)Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console.
IMAGE_NAME (*)The local Docker image to scan.
IMAGE_TAG (*)The local Docker image tag.

(*) = required variable.

Integrate with AWS CodeBuild

AWS CodeBuild is a fully managed cloud CI service that can build your source code and test and deploy your applications. You can integrate the Lacework inline scanner into the AWS CodeBuild build stage to discover software vulnerabilities. Optionally, you can use AWS CodeBuild with AWS CodePipeline to orchestrate multiple AWS CodeBuild projects that build and deploy. An example of using Lacework with AWS CodePipeline and CodeBuild can be found in this repository.

To add the Lacework inline scanner to your AWS CodeBuild project, follow this AWS CodeBuild buildspec example that performs a Docker build, Lacework vulnerability scan and then a Docker push to Amazon Elastic Container Registry (ECR).

You can use the executable or the Docker container. See Docker Image for Inline Scanner.

This example shows you how to pull the Lacework inline scanner account and token from the SSM parameter store, set environment variables, and install and run the Lacework inline scanner. Vulnerability results appear in the AWS CodeBuild build logs.

version: 0.2
env:
parameter-store:
LW_ACCOUNT_NAME: "LWAccountName" # pull Lacework inline scanner parameters from SSM parameter store
LW_ACCESS_TOKEN: "InlineScannerToken"
phases:
build:
commands:
- docker build -t "$DOCKER_REG/$IMAGE_NAME:$CODEBUILD_BUILD_NUMBER" -t "$DOCKER_REG/$IMAGE_NAME:latest" .
post_build:
commands:
- export LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME #Set Lacework inline scanner environment variables
- export LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
- export LW_SCANNER_DISABLE_UPDATES=true
- export LW_SCANNER_SAVE_RESULTS=true
- rm -rf ./evaluations/$IMAGE_NAME/$CODEBUILD_BUILD_NUMBER/evaluation_*.json || true
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner # install
- chmod +x lw-scanner
- ./lw-scanner image evaluate $DOCKER_REG/$IMAGE_NAME $CODEBUILD_BUILD_NUMBER --build-id $CODEBUILD_BUILD_NUMBER --data-directory . # execute
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $DOCKER_REG
- docker image push -a "$DOCKER_REG/$IMAGE_NAME"

Integrate with CircleCI

CircleCI is a continuous integration and delivery platform that you can use to implement DevOps practices.

See Lacework Orb for CircleCI for guidance on running on-demand vulnerability scans and other operations within your CI/CD pipeline.

note

Integrate with Atlassian Bamboo

The following is an example of a simple pipeline in Atlassian Bamboo, in which the Lacework Inline Scanner is used to evaluate the image.

1. Set the Environment Variables

Set the Lacework Account Name and Access Token as environment variables in Atlassian Bamboo, so that the Inline Scanner can authenticate to Lacework when it scans your images.

  1. Go to Global Variables.

  2. Add the following new environment variables:

    LW_ACCOUNT_NAME = <lacework-account-name>
    LW_ACCESS_TOKEN = <inline-scanner-access-token>

2. Add a Stage for the Inline Scanner into your Plan Configuration

  1. Go to your plan's configuration.

  2. Edit or create a stage where you want to insert a new step for the Lacework Inline Scanner.

  3. Choose from one of the following implementation examples below to add your task.

    note

    In both examples, the build is set to fail if a Lacework policy violation is detected during a scan. See Exit Codes for Policy Violations for different flags that can be used.

    1. Option 1 - Binary implementation:

      • Task type = Script

      • Task description = a simple description for your task. Example “Scan image with Lacework”.

      • Interpreter = Shell

      • Script location = Inline

      • Script Body:

        curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
        chmod +x lw-scanner
        ./lw-scanner image evaluate ${bamboo.REGISTRY}/${bamboo.IMAGE_NAME} latest --build-id ${bamboo.buildNumber} --tags mytag=myvalue --save --policy --fail-on-violation-exit-code 1
      • Environment Variables:

        LW_ACCOUNT_NAME=<lacework-account-name> LW_ACCESS_TOKEN=<inline-scanner-access-token>
    2. Option 2 - Docker Container Image implementation.

      • Task type = Docker

      • Task description = a simple description for your task. Example “Scan image with Lacework”.

      • Command = Run a Docker container

      • Docker image:

        lacework/lacework-inline-scanner:latest
      • Container environment Variables:

        LW_ACCESS_TOKEN="${bamboo.LW_ACCESS_TOKEN}" LW_ACCOUNT_NAME="${bamboo.LW_ACCOUNT_NAME}"
      • Container command:

        image evaluate ${bamboo.REGISTRY}/${bamboo.IMAGE_NAME} latest --build-id ${bamboo.buildNumber} --tags mytag=myvalue --save --policy --fail-on-violation-exit-code 1
  4. Save your task/stage once complete.

Results from the scans can be found in the Lacework Console (as long as the --save flag is used as per these examples). Scan output can also be found in the Bamboo build logs for the build results.

Docker Image for Inline Scanner

The inline scanner is also distributed in a Docker image. You can use it as an alternative to the binary in CI systems.

Run the Docker image to start a Docker daemon on your host using the default daemon socket (/var/run/docker.sock).

Daemon socket

The Inline Scanner docker image uses the host's docker daemon to pull images as it doesn’t have its own docker daemon.

This creates a single container that can perform the following commands:

All other commands are disabled.

info

If you want to run the Docker image inside another Docker image, ensure that the host image is running Docker before deployment.

CPU and Memory Resources

See Inline Scanner - CPU and Memory Resources for resource recommendations.

Download the Image

Pull the image from the Lacework repository:

docker pull lacework/lacework-inline-scanner:latest

Use the Image

The configure commands are disabled for the Docker image. See Configuration using Environment Variables for environmental configuration options.

note

LW_SCANNER_DISABLE_UPDATES is set to true by default for the docker image which provides a cleaner output.

image evaluate

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest \
--build-id myBuildId123 --build-plan myBuildPlan

Add or remove image evaluate flags depending on your requirements.

image scan

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest

Add or remove image scan flags depending on your requirements.

version

Provide the LW_ACCOUNT_NAME and LW_ACCESS_TOKEN environment variables to authenticate with Lacework.

Example
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-e LW_SCANNER_DISABLE_UPDATES=false \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
version

In this example, setting LW_SCANNER_DISABLE_UPDATES=false prompts you if a new version of the inline scanner is available.