Public Registry Scanning
Integrate your internet-accessible container registries with the Lacework Platform Scanner. Lacework can scan all images as they are added to the registry.
Lacework offers different methods to pull images from a registry depending on the type of registry:
- Registry notification: The registry sends an event to Lacework whenever a new image has been uploaded.
- Auto-polling: Lacework automatically discovers the list of repositories and new images available in the registry.
- On demand: Manually request the scan of a container using the Lacework CLI.
In each registry guide, the Container Registry Support section will list the methods available for the registry type.
Create a registry integration to start automatically scanning your images.
Container Registry Support
You must integrate the container registry that contains repositories with the container images that you want to assess for vulnerabilities.
Lacework supports the following container registries (only image manifest V2, schema 2 is supported) and scan types.
| Registry | Scan type |
| --- | --- |
| Amazon Container Registry (ECR) | Auto polling |
| Azure Container Registry as Docker V2 Registry | Registry notification |
| Docker Hub | Auto polling |
| Docker V2-based authentication registries | On-demand scans |
| Docker V2 Registry | Registry notification |
| GitHub Container Registry | Registry notification |
| GitLab as Docker V2 Registry | Registry notification |
| Google Artifact Registry (GAR) | Auto polling |
| Google Container Registry (GCR) | Auto polling |
| JFrog as Docker V2 Registry | Registry notification |
Auto-polling vs Registry Notification
There are two ways to scan new images as they are uploaded to your registry:
- Registry notification: Set up notifications in your registry to send an event to the Lacework Cloud Scanner every time a new image has been uploaded. After it receives a notification, Lacework pulls the image and initiates a scan. The results will be available in the Lacework console.
- Auto-polling: Every 15 minutes, Lacework discovers the list of registries and newly uploaded images. Lacework pulls each image and initiates a scan. The results will be available in the Lacework console.
Both methods enable the scanning of new images. Auto-polling adds the ability to scan some of the images that already existed in the registry when the Registry integration with Lacework was created. On-demand scans through the CLI can also be used to trigger scans for existing images.
Auto-polling and registry notification have to be managed differently for most registries, with different authentication schemes, different APIs, and so on. Therefore, Lacework may not support one or the other of these features for your registry. Refer to the table of supported registries and features.
Docker API v2
The Docker API v2 is the set of registry APIs used to pull images. Kubernetes uses the Docker API v2 to pull images from any registry.
All registries support the Docker API v2 for pulling a single image by repository, image name, and tag or image ID. However, many registries use a different set of APIs to discover repositories and images (used for auto-polling), or a different authentication scheme for registry notification.
If you choose to create a Docker V2 Registry Integration, ensure that the registry uses the Docker V2 authentication scheme (required for registry notification) and the standard Docker v2 APIs for repository and image discovery (required for auto-polling).
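The discovery and authentication calls the preceding paragraphs refer to, worked through as an added example (this is not Lacework's code or its scanner): a small client for the Docker Registry HTTP API v2 that obtains a Bearer token from the WWW-Authenticate challenge, walks /v2/_catalog and /v2/<name>/tags/list to find images, fetches each manifest, and skips anything that is not an image manifest V2, schema 2 document (the only format the table above supports). The registry and token endpoints reg.example and auth.example, and the repositories, tags and digests, are constructed placeholders served by the in-memory FakeRegistry, so the script runs offline.

```python
"""Docker Registry HTTP API v2 discovery loop of the kind an auto-polling scanner runs.
Added example, not Lacework code. Assumes a registry exposing /v2/_catalog,
/v2/<name>/tags/list and /v2/<name>/manifests/<ref> behind Bearer token auth."""
import json
import re
from urllib.parse import urlencode

SCHEMA2 = "application/vnd.docker.distribution.manifest.v2+json"


def parse_bearer_challenge(header):
    """Turn 'Bearer realm="...",service="...",scope="..."' into a dict (None if not Bearer)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


class RegistryClient:
    """Minimal v2 client: retries once with a Bearer token after a 401 challenge."""

    def __init__(self, http):
        self.http = http  # http(url, headers) -> (status, response_headers, body_bytes)
        self.token = None

    def get(self, url, accept="application/json"):
        headers = {"Accept": accept}
        if self.token:
            headers["Authorization"] = "Bearer " + self.token
        status, hdrs, body = self.http(url, headers)
        if status == 401:
            challenge = parse_bearer_challenge(hdrs.get("WWW-Authenticate", ""))
            if not challenge:
                raise PermissionError("401 without a Bearer challenge for " + url)
            query = {k: challenge[k] for k in ("service", "scope") if k in challenge}
            st, _, tok = self.http(challenge["realm"] + "?" + urlencode(query), {})
            if st != 200:
                raise PermissionError("token endpoint returned HTTP %d" % st)
            self.token = json.loads(tok)["token"]
            headers["Authorization"] = "Bearer " + self.token
            status, hdrs, body = self.http(url, headers)
        if status != 200:
            raise RuntimeError("%s -> HTTP %d" % (url, status))
        return hdrs, json.loads(body)


def poll_new_images(client, base, seen, limit):
    """One polling pass: returns (new_images, skipped). new_images holds (repo, tag, digest)
    triples not yet in `seen`; skipped holds (repo, tag) whose manifest is not schema 2.
    `limit` caps tags per repository; this example takes the last `limit` tags in the
    registry's listing order, whereas a real poller would rank tags by image age."""
    new_images, skipped = [], []
    _, catalog = client.get(base + "/v2/_catalog")
    for repo in catalog["repositories"]:
        _, tag_list = client.get(base + "/v2/%s/tags/list" % repo)
        for tag in (tag_list.get("tags") or [])[-limit:]:
            hdrs, manifest = client.get(base + "/v2/%s/manifests/%s" % (repo, tag), accept=SCHEMA2)
            if manifest.get("schemaVersion") != 2 or manifest.get("mediaType") != SCHEMA2:
                skipped.append((repo, tag))  # unsupported manifest format, so not scanned
                continue
            digest = hdrs["Docker-Content-Digest"]
            if (repo, digest) in seen:  # keyed by digest: a retag does not trigger a rescan
                continue
            seen.add((repo, digest))
            new_images.append((repo, tag, digest))
    return new_images, skipped


class FakeRegistry:
    """Constructed in-memory registry used instead of the network in this example."""

    def __init__(self):
        self.repos = {
            "team/api": {"v1": ("sha256:aaa", SCHEMA2), "v2": ("sha256:bbb", SCHEMA2)},
            "team/legacy": {"old": ("sha256:ccc", "application/vnd.docker.distribution.manifest.v1+json")},
        }

    def __call__(self, url, headers):
        if url.startswith("https://auth.example/token?"):
            return 200, {}, json.dumps({"token": "t0k"}).encode()
        if headers.get("Authorization") != "Bearer t0k":
            challenge = 'Bearer realm="https://auth.example/token",service="reg.example",scope="registry:catalog:*"'
            return 401, {"WWW-Authenticate": challenge}, b"{}"
        path = url.split("reg.example", 1)[1]
        if path == "/v2/_catalog":
            return 200, {}, json.dumps({"repositories": sorted(self.repos)}).encode()
        if m := re.fullmatch(r"/v2/(.+)/tags/list", path):
            return 200, {}, json.dumps({"name": m.group(1), "tags": sorted(self.repos[m.group(1)])}).encode()
        if m := re.fullmatch(r"/v2/(.+)/manifests/(.+)", path):
            digest, media = self.repos[m.group(1)][m.group(2)]
            body = {"schemaVersion": 2 if media == SCHEMA2 else 1, "mediaType": media}
            return 200, {"Docker-Content-Digest": digest}, json.dumps(body).encode()
        return 404, {}, b"{}"


def run_example():
    """Two polling passes against the fake registry; the second pass finds nothing new."""
    client = RegistryClient(FakeRegistry())
    seen = set()
    first, skipped = poll_new_images(client, "https://reg.example", seen, limit=50)
    second, _ = poll_new_images(client, "https://reg.example", seen, limit=50)
    return first, skipped, second
```

Keying `seen` by (repository, digest) rather than by tag is the detail worth copying: a tag that is moved to an already-scanned digest produces no new work, while a tag overwritten with new content is picked up on the next pass. The schema check is what makes the "only image manifest V2, schema 2" restriction concrete: a registry that still serves schema 1 manifests for old images will have those images skipped rather than scanned.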
When a container registry supports auto-polling, Lacework assesses its images for vulnerabilities when the registry is initially integrated. After the initial integration, Lacework completes the following actions on the listed schedule.
- Lacework polls the integrated registries for new container images every 15 minutes.
- Lacework assesses all images for vulnerabilities as soon as they are polled. The results of the new assessment are available for viewing on the Lacework Console.
- Lacework tracks multiple CVE Numbering Authorities looking for new CVEs and updates the Lacework common vulnerabilities and exposures (CVEs) database once a day.
Lacework assesses for vulnerabilities using the following steps:
- Lacework assesses the registries that are integrated with Lacework and finds all repositories (or only a subset of repositories, if specified) in each registry that Lacework has permissions to access.
- Lacework finds the newest container images in each repository up to the limit (see Scanning Quotas). After the initial assessment, Lacework polls the integrated repositories at a regular time interval for the newest container images.
- Lacework assesses all software packages in the found container images.
- Lacework searches the common vulnerabilities and exposures (CVEs) database for the software packages in the container images and reports matches. Lacework filters out rejected CVEs for Ubuntu and Debian.
- When new CVE updates are released, Lacework re-examines existing image assessments for newly identified risks. Lacework reassesses images based on CVE information for a known package and version.
- The platform scanner supports a limit of 2000 repositories per registry integration. Amazon ECR's limit is 1000 repositories due to limitations of the Docker V2 APIs.
- For each registry integration, the platform scanner performs a maximum of 50 image assessments per hour for each repository. The 50 image limit also applies to the initial assessment after integration.
- The platform scanner supports a maximum of 700 container image assessments per hour for each Lacework account, with any other images being assessed the next hour.
The following is an example of the assessment steps:
- You register the Docker Hub registry in Lacework.
- Lacework finds all the repositories in the Docker Hub registry.
- Lacework assesses a container image in a repository.
- Lacework determines that the Python 3.6 package (3.6.7-1~18.04) is in the container image.
- Lacework searches the Lacework CVE database for common vulnerabilities and exposures (CVEs) for the Python 3.6 package.
- Lacework reports all known CVEs associated with the Python 3.6 package such as CVE-2019-9947, CVE-2019-9740, CVE-2018-1000030, etc.
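The package-and-CVE lookup from the assessment steps, and from the Python 3.6 walk-through just above, as an added example that is not Lacework's code or its CVE database. It implements dpkg version ordering (epoch, upstream, revision, with `~` sorting before anything else, so 3.6.7-1~18.04 ranks below 3.6.7-1), reports every entry whose fixed version is newer than the installed one, and drops entries marked rejected for Ubuntu and Debian, as the page says the scanner does. The CVE_DB contents, the CVE-0000-000x identifiers and the fixed_in versions are constructed placeholders, not real advisories; the package is keyed as python3.6, the Ubuntu binary package name, which is an assumption.

```python
"""Package-to-CVE matching of the kind described in the assessment steps above.
Added example, not Lacework code or its CVE database: version ordering follows the
Debian/Ubuntu dpkg rules, and CVE_DB below holds constructed placeholder entries."""


def _order(ch):
    """dpkg character weight: '~' sorts first, then end-of-string/digits, letters, other."""
    if ch is None or ch.isdigit():
        return 0
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments the way dpkg's verrevcmp does."""
    i = j = 0
    at = lambda s, k: s[k] if k < len(s) else None
    while at(a, i) is not None or at(b, j) is not None:
        first_diff = 0
        # Non-digit run: compared character by character by weight.
        while (at(a, i) is not None and not at(a, i).isdigit()) or (at(b, j) is not None and not at(b, j).isdigit()):
            d = _order(at(a, i)) - _order(at(b, j))
            if d:
                return d
            i += 1
            j += 1
        # Numeric run: leading zeros dropped, longer number wins, else first differing digit.
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i) is not None and at(a, i).isdigit() and at(b, j) is not None and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i) is not None and at(a, i).isdigit():
            return 1
        if at(b, j) is not None and at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2 (dpkg ordering)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


# Constructed sample database keyed by binary package name; the ids and fixed_in
# versions are placeholders, not real advisories.
CVE_DB = {
    "python3.6": [
        {"id": "CVE-0000-0001", "fixed_in": "3.6.8-1~18.04", "status": "published"},
        {"id": "CVE-0000-0002", "fixed_in": "3.6.7-1~18.04", "status": "published"},
        {"id": "CVE-0000-0003", "fixed_in": "3.6.9-1~18.04", "status": "rejected"},
    ],
}


def find_cves(distro, package, version, db=CVE_DB):
    """Report CVEs whose fix version is newer than the installed version. Entries marked
    rejected are dropped for Ubuntu and Debian, which is the filter the page describes."""
    hits = []
    for entry in db.get(package, []):
        if entry["status"] == "rejected" and distro in ("ubuntu", "debian"):
            continue
        if dpkg_compare(version, entry["fixed_in"]) < 0:
            hits.append(entry["id"])
    return hits
```

The version comparison is the part most often got wrong in home-grown matchers: a plain string or tuple comparison would rank 3.6.7-1~18.04 above 3.6.7-1 (because `~` sorts after digits in ASCII) and 1.10 below 1.9, producing both false positives and missed findings. An installed version equal to fixed_in is reported as not affected, which is the same rule the distributions' own security trackers apply.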