Integrate the Lacework Inline Scanner with CI Pipelines
Overview
The Lacework inline scanner supports integration with Continuous Integration (CI) tooling to scan container images as part of the build process.
The Lacework inline scanner is written in Go and runs on Linux, macOS and Windows. For more information on installing and configuring the Lacework inline scanner, see Integrate Inline Scanner.
You can track your Continuous Integration runs by adding the build ID or build plan to your assessment reports:
lw-scanner image evaluate debian 10 --build-id YOUR_BUILD_ID --build-plan YOUR_BUILD_PLAN
You can find the build id
and build plan
values as Environment tags in the Lacework Console.
Upgrades
When installing a new version of the inline scanner, be aware of the following:
Existing configuration will not be overwritten, including environment variables. As such, any new default behavior will not become active unless you explicitly configure it after upgrading.
For example, from v0.2.4 onwards, language libraries are scanned by default. If this feature was previously disabled in your configuration, it will remain disabled. Use the LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=false
environment variable to enable it.
Deleting Existing Configuration (Optional)
If you wish to install a new version of the inline scanner and remove any previous configuration, use the configure reset
command before installing.
Saving Evaluation Results to Lacework Console
After upgrading the Lacework scanner from 0.1.x to 0.2, the inline scanner no longer saves evaluation results to the Lacework Console by default.
To keep the same behavior as before, perform one of the following options:
- Run the
configure data
command and entertrue
forSave results in platform
. - Use the
LW_SCANNER_SAVE_RESULTS=true
environment variable on your local or CI/CD system. - Use the
--save
flag when running theimage evaluate
orimage scan
commands.
Support for Proxy Server
The Lacework inline scanner needs to communicate with the Lacework SaaS to evaluate images. The communication can be done via a proxy server. The scanner follows the HTTP_PROXY and HTTPS_PROXY environment variables if set in your Continuous Integration system.
Support for Language Library Packages
This feature is enabled by default. Find out more about this feature in the Language Libraries Support section.
Prior to v0.2.4, inline scanner releases do not have this feature enabled by default.
Disable Language Library Scanning
To disable scanning of language libraries, use the following environment variable or command flag (with image evaluate
) in your CI/CD system:
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING=true
--disable-library-package-scanning
Sample Container Vulnerability Data from the Lacework Inline Scanner
Data returned from the Lacework inline scanner provides a wealth of information about vulnerabilities found in images, their severity, and what is fixable. The Lacework inline scanner is designed for individuals or teams responsible for tracking and remediating vulnerabilities. It provides relevant data to help with prioritization through the ability to sort assessments by what is actively running in the environment and by filtering vulnerabilities that have fixes.
The following example is the human-readable output of a container vulnerability assessment with 20 vulnerabilities from which only one of the vulnerabilities could be fixed.
lw-scanner-darwin-amd64 image evaluate debian 10 --fixable
CONTAINER IMAGE DETAILS VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
ID sha256:4a7a1f4017349067a21bd2de060dcf8b41e49fabf61b0dc3cf86a87e1f6dba9d SEVERITY COUNT FIXABLE
Digest sha256:acf7795dc91df17e10effee064bd229580a9c34213b4dba578d64768af5d8c51 -----------+-------+----------
Registry remote_scanner Critical 0 0
Repository debian High 3 1
Size 108.8 MB Medium 9 0
Created At 2021-05-12T01:21:03.936Z Low 13 0
Tags 10 Info 39 0
CVE ID SEVERITY PACKAGE CURRENT VERSION FIX VERSION INTRODUCED IN LAYER
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------
CVE-2021-3520 High lz4 1.8.3-1 1.8.3-1+deb10u1 ADD
file:1a1eae7a82c66d673971436ce2605e97d107e2934b7cdec876c64923ae6f4f85
in /
----------------+----------+---------+-----------------+-----------------+------------------------------------------------------------------------
You can switch the output of the inline scanner command to JSON format with the flag -v=false
. You can also use the --html
flag to generate a report in HTML format.
Configuration Options
The CI system examples use the image evaluate
command to provide a human-readable output of container vulnerabilities. You can also use image scan
command depending on your requirements.
Add additional flags to these command to suit your needs, see Image Evaluate Command and Image Scan Command for details about each flag.
Configuration using Environment Variables
Alternatively to command flags, set environment variables on your CI/CD system. The following table displays the available environment variables:
Variable Name | Value | Default |
---|---|---|
LW_ACCOUNT_NAME (*) | Your Lacework account name. Example: If your login URL is 'mycompany.lacework.net', the account name is mycompany . | N/A |
LW_ACCESS_TOKEN (*) | Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console. | N/A |
LW_SCANNER_SAVE_RESULTS | When set to true , this will save evaluation results to the Lacework Console. This is not available for image scan . | false |
LW_SCANNER_DISABLE_LIBRARY_PACKAGES_SCANNING | When set to true , this will disable image evaluations for non-OS library packages. | false |
LW_SCANNER_DISABLE_UPDATES | When set to true , this will disable the update prompt at the end of the output if there is a new version of the Lacework scanner available. | false |
(*) = required variable.
See also Global Flags using Environment Variables.
The Lacework scanner will honor the standard Linux HTTP_PROXY
and HTTPS_PROXY
environment variables if they are set in your CI system.
Integrate with CI systems
The following are examples of integrating the Lacework inline scanner command into a few popular CI systems:
- Integrate with Jenkins
- Integrate with Azure DevOps
- Integrate with TravisCI
- Integrate with GitHub Actions
- Integrate with Gitlab
- Integrate with Bitbucket Pipelines
- Integrate with AWS CodeBuild
- Integrate with Circle CI
- Integrate with Atlassian Bamboo
Integrate with Jenkins
The following is an example of Jenkins pipeline using Docker to pull an image and the Lacework inline scanner to evaluate the image.
You can use the executable or the Docker container. See Docker Image for Inline Scanner.
This simple Jenkins pipeline takes IMAGE_NAME, IMAGE_TAG, and BUILD_ID as inputs.
Every Jenkins slave that executes this pipeline must have the following installed:
- curl
- docker cli
Add the following variables to your Jenkins Credentials as Secret Text:
- LW_ACCESS_TOKEN: See Integrate Inline Scanner to get your access token.
- LW_ACCOUNT_NAME
pipeline {
agent any
environment {
LW_ACCESS_TOKEN = credentials('LW_ACCESS_TOKEN')
LW_ACCOUNT_NAME = credentials('LW_ACCOUNT_NAME')
}
parameters {
string (name: 'IMAGE_NAME',
description: "Specify Image Name",
defaultValue: '')
string (name: 'IMAGE_TAG',
description: "Specify Image Tag",
defaultValue: '')
}
stages {
stage('Pull') {
steps {
echo 'Pulling image ...'
sh "docker pull ${IMAGE_NAME}:${IMAGE_TAG}" //Pull the image to scan
}
}
stage('Scan') {
steps {
echo 'Scanning image ...'
sh "curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner"
sh "chmod +x lw-scanner"
sh "./lw-scanner image evaluate ${IMAGE_NAME} ${IMAGE_TAG} --build-id ${BUILD_ID}"
}
}
}
}
Optionally, you can implement the exit codes to prevent container images from being deployed due to a policy violation, see Exit codes for Policy Violations
You need to create container vulnerability policies before implementing the exit codes. To create vulnerability policies, see Vulnerability Policy Management
For more details on integrating Lacework with Jenkins, see the blog post Up and Running with Lacework and Jenkins.
Integrate with Azure DevOps
This sample azure-pipelines.yml file demonstrates building a sample image azure.devops/app:latest and scanning it with Lacework:
trigger:
- up_and_running
pool:
vmImage: 'ubuntu-latest'
steps:
- script: |
docker build -t azure.devops/app:latest .
displayName: 'Build a docker image'
- script: |
apt-get update
apt-get -y install curl
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
chmod u+x lw-scanner
./lw-scanner image evaluate azure.devops/app latest
displayName: 'Scan the image'
env:
LW_ACCESS_TOKEN: $(LW_ACCESS_TOKEN)
LW_ACCOUNT_NAME: $(LW_ACCOUNT_NAME)
Add the variables LW_ACCESS_TOKEN and LW_ACCOUNT_NAME to your pipeline in Azure DevOps. See Integrate Inline Scanner to retrieve the values.
You can use the executable or the Docker container. See Docker Image for Inline Scanner.
Integrate with TravisCI
This sample .travis.yml
file demonstrates scanning an image with Lacework.
This example sets the /var/run/docker.sock
default option, which is not generally recommended.
Consider adjusting the daemon socket option to suit your environment.
services:
- docker
# Environment variables. These can be set up once in Travis instead of .travis.yml
env:
global:
- LW_ACCESS_TOKEN=YourAccessToken
- LW_ACCOUNT_NAME=YourAccountName
script: ->
docker run
-e LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME
-e LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
-v /var/run/docker.sock:/var/run/docker.sock
lacework/lacework-inline-scanner:latest image evaluate YourImageNameToScan YourImageTagToScan
--build-id $TRAVIS_BUILD_ID --build-plan $TRAVIS_JOB_NAME
Integrate with GitHub Actions
You can use the Inline Scanner executable or the Docker Image for Inline Scanner with GitHub Actions.
Add the variables LW_ACCESS_TOKEN
and LW_ACCOUNT_NAME
to your pipeline in GitHub Actions. See Configuration Using Environment Variables for guidance on these parameters.
jobs:
build:
steps:
- uses: lacework/lw-scanner-action@v1.4.0
name: Scan container images for vulnerabitilies using Lacework
with:
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
IMAGE_NAME: myRepositoryName/myImageName
IMAGE_TAG: v1.0.0
For more information about other available options, see GitHub Action for the Lacework Inline Scanner.
Policy Exit Code Blocking for GitHub Actions
By default, the GitHub Action for the Lacework Inline Scanner returns an exit code of 1
if any enabled container vulnerability policy fails and is set to block mode.
You may want to automatically output the results from the scan to a GitHub PR comment, so that they can be easily read in GitHub.
The following is an example of how to achieve this using the actions-comment-pull-request GitHub Action:
GitHub Action - PR comment example for Lacework Inline Scanner results
- uses: lacework/lw-scanner-action@v1.4.0
name: Scan container image for vulnerabitilies using Lacework
with:
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }}
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }}
IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
IMAGE_TAG: ${{ env.GHA_SHA }}
SAVE_RESULTS_IN_LACEWORK: true
RESULTS_IN_GITHUB_SUMMARY: true
- name: Change formatting for PR
run: |
echo "# Lacework Inline Scanner Result" > pr-results.md
echo "<pre>" >> pr-results.md
cat results.stdout >> pr-results.md
echo "</pre>" >> pr-results.md
- name: Comment PR
uses: thollander/actions-comment-pull-request@v2
with:
filePath: pr-results.md
Integrate with Gitlab
The following is an example of a gitlab.yaml
file using Docker to build an image and the Lacework inline scanner to evaluate the image.
You can use the executable or the Docker container. See Docker Image for Inline Scanner.
stages:
- build
docker:image:
stage: build
image: docker:1.11
services:
- docker:dind
script:
- docker build -t image_name:tag .
- apk update &&
- apk add --no-cache curl &&
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
- chmod u+x lw-scanner &&
- ./lw-scanner image evaluate image_name tag
- echo "Performing Vulnerability Scan powered by Lacework"
- Add the following variables to your Gitlab project through the Gitlab console.
- Go to your project’s Settings > CI/CD and select Variables.
- Click Add Variable.
- Add
LW_ACCESS_TOKEN
with the token value. - Add
LW_ACCOUNT_NAME
with the name value.
Integrate with Bitbucket Pipelines
The Lacework Scan Bitbucket Pipe lets you integrate Lacework container security capabilities into your Bitbucket Pipeline's CI/CD. It allows you to scan and assess Docker container images and software packages for vulnerabilities during the build stage. Optionally, you can stop and fail the build when issues are detected to prevent vulnerable software from being deployed.
Container vulnerability policies must be set in Lacework in order to block CI/CD builds. Learn how to create a policy and attach the policy to the inline scanner integration.
Here's a full example Bitbucket Pipeline using the Lacework Scan pipe.
Add the following snippet to the script section of your bitbucket-pipelines.yml
file:
script:
- pipe: lacework/lacework-scan:1.2.0
variables:
LW_ACCOUNT_NAME: "<string>" # Required
LW_ACCESS_TOKEN: "<string>" # Required
IMAGE_NAME: "<string>" # Required
IMAGE_TAG: "<string>" # Required
(You can also use lacework/lacework-scan:latest
)
Pipe Variables
Use the following variables to control the Lacework Scan Bitbucket pipe behavior.
Variable | Usage |
---|---|
LW_ACCOUNT_NAME (*) | Your Lacework account name. For example, if your login URL is mycompany.lacework.net, the account name is mycompany . |
LW_ACCESS_TOKEN (*) | Authorization token. Copy and paste the token from the inline scanner integration created in the Lacework Console. |
IMAGE_NAME (*) | The local Docker image to scan. |
IMAGE_TAG (*) | The local Docker image tag. |
(*) = required variable.
Integrate with AWS CodeBuild
AWS CodeBuild is a fully managed cloud CI service that can build your source code and test and deploy your applications. You can integrate the Lacework inline scanner into the AWS CodeBuild build stage to discover software vulnerabilities. Optionally, you can use AWS CodeBuild with AWS CodePipeline to orchestrate multiple AWS CodeBuild projects that build and deploy. An example of using Lacework with AWS CodePipeline and CodeBuild can be found in this repository.
To add the Lacework inline scanner to your AWS CodeBuild project, follow this AWS CodeBuild buildspec example that performs a Docker build, Lacework vulnerability scan and then a Docker push to Amazon Elastic Container Registry (ECR).
You can use the executable or the Docker container. See Docker Image for Inline Scanner.
This example shows you how to pull the Lacework inline scanner account and token from the SSM parameter store, set environment variables, and install and run the Lacework inline scanner. Vulnerability results appear in the AWS CodeBuild build logs.
version: 0.2
env:
parameter-store:
LW_ACCOUNT_NAME: "LWAccountName" # pull Lacework inline scanner parameters from SSM parameter store
LW_ACCESS_TOKEN: "InlineScannerToken"
phases:
build:
commands:
- docker build -t "$DOCKER_REG/$IMAGE_NAME:$CODEBUILD_BUILD_NUMBER" -t "$DOCKER_REG/$IMAGE_NAME:latest" .
post_build:
commands:
- export LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME #Set Lacework inline scanner environment variables
- export LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN
- export LW_SCANNER_DISABLE_UPDATES=true
- export LW_SCANNER_SAVE_RESULTS=true
- rm -rf ./evaluations/$IMAGE_NAME/$CODEBUILD_BUILD_NUMBER/evaluation_*.json || true
- curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner # install
- chmod +x lw-scanner
- ./lw-scanner image evaluate $DOCKER_REG/$IMAGE_NAME $CODEBUILD_BUILD_NUMBER --build-id $CODEBUILD_BUILD_NUMBER --data-directory . # execute
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $DOCKER_REG
- docker image push -a "$DOCKER_REG/$IMAGE_NAME"
Integrate with CircleCI
CircleCI is a continuous integration and delivery platform that you can use to implement DevOps practices.
See Lacework Orb for CircleCI for guidance on running on-demand vulnerability scans and other operations within your CI/CD pipeline.
- Some operations require a Lacework API Access Key and Secret as parameter entries.
- The default executor is the Docker container image for Inline Scanner. This as an alternative to the Lacework Inline Scanner executable binary.
Integrate with Atlassian Bamboo
The following is an example of a simple pipeline in Atlassian Bamboo, in which the Lacework Inline Scanner is used to evaluate the image.
1. Set the Environment Variables
Set the Lacework Account Name and Access Token as environment variables in Atlassian Bamboo, so that the Inline Scanner can authenticate to Lacework when it scans your images.
Go to Global Variables.
Add the following new environment variables:
LW_ACCOUNT_NAME =
<lacework-account-name>
LW_ACCESS_TOKEN =<inline-scanner-access-token>
- For your account name, if your login URL is mycompany.lacework.net, the account name is
mycompany
. - You can obtain your access token from the Lacework Console.
- For your account name, if your login URL is mycompany.lacework.net, the account name is
2. Add a Stage for the Inline Scanner into your Plan Configuration
Edit or create a stage where you want to insert a new step for the Lacework Inline Scanner.
Choose from one of the following implementation examples below to add your task.
noteIn both examples, the build is set to fail if a Lacework policy violation is detected during a scan. See Exit Codes for Policy Violations for different flags that can be used.
Option 1 - Binary implementation:
Task type = Script
Task description = a simple description for your task. Example “Scan image with Lacework”.
Interpreter = Shell
Script location = Inline
Script Body:
curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner
chmod +x lw-scanner
./lw-scanner image evaluate ${bamboo.REGISTRY}/${bamboo.IMAGE_NAME} latest --build-id ${bamboo.buildNumber} --tags mytag=myvalue --save --policy --fail-on-violation-exit-code 1Environment Variables:
LW_ACCOUNT_NAME=<lacework-account-name> LW_ACCESS_TOKEN=<inline-scanner-access-token>
Option 2 - Docker Container Image implementation.
Task type = Docker
Task description = a simple description for your task. Example “Scan image with Lacework”.
Command = Run a Docker container
Docker image:
lacework/lacework-inline-scanner:latest
Container environment Variables:
LW_ACCESS_TOKEN="${bamboo.LW_ACCESS_TOKEN}" LW_ACCOUNT_NAME="${bamboo.LW_ACCOUNT_NAME}"
Container command:
image evaluate ${bamboo.REGISTRY}/${bamboo.IMAGE_NAME} latest --build-id ${bamboo.buildNumber} --tags mytag=myvalue --save --policy --fail-on-violation-exit-code 1
Save your task/stage once complete.
Results from the scans can be found in the Lacework Console (as long as the --save
flag is used as per these examples). Scan output can also be found in the Bamboo build logs for the build results.
Docker Image for Inline Scanner
The inline scanner is also distributed in a Docker image. You can use it as an alternative to the binary in CI systems.
Run the Docker image to start a Docker daemon on your host using the default daemon socket (/var/run/docker.sock
).
The Inline Scanner docker image uses the host's docker daemon to pull images as it doesn’t have its own docker daemon.
This creates a single container that can perform the following commands:
All other commands are disabled.
If you want to run the Docker image inside another Docker image, ensure that the host image is running Docker before deployment.
CPU and Memory Resources
See Inline Scanner - CPU and Memory Resources for resource recommendations.
Download the Image
Pull the image from the Lacework repository:
docker pull lacework/lacework-inline-scanner:latest
Use the Image
The configure
commands are disabled for the Docker image. See Configuration using Environment Variables for environmental configuration options.
LW_SCANNER_DISABLE_UPDATES
is set to true
by default for the docker image which provides a cleaner output.
image evaluate
Provide the LW_ACCOUNT_NAME
and LW_ACCESS_TOKEN
environment variables to authenticate with Lacework.
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest \
--build-id myBuildId123 --build-plan myBuildPlan
Add or remove image evaluate flags depending on your requirements.
image scan
Provide the LW_ACCOUNT_NAME
and LW_ACCESS_TOKEN
environment variables to authenticate with Lacework.
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
image evaluate ubuntu latest
Add or remove image scan flags depending on your requirements.
version
Provide the LW_ACCOUNT_NAME
and LW_ACCESS_TOKEN
environment variables to authenticate with Lacework.
docker run \
-e LW_ACCOUNT_NAME=myCompany \
-e LW_ACCESS_TOKEN=_myAccessToken123 \
-e LW_SCANNER_DISABLE_UPDATES=false \
-v /var/run/docker.sock:/var/run/docker.sock \
lacework/lacework-inline-scanner:latest \
version
In this example, setting LW_SCANNER_DISABLE_UPDATES=false
prompts you if a new version of the inline scanner is available.