Trigger vulnerability assessments for containers which are active in a Lacework account/organization

The aim of the container-auto-scan project is to make it simple to trigger vulnerability assessments for containers which are active in a Lacework account/organization.

How It Works

  1. The script will load a local scan cache of previously scanned containers. If a container has been scanned within the previous day, it will be skipped by default. This can be overridden with the --rescan flag.
  2. The script will enumerate all integrated container registries, gathering the domains that can be scanned with the Lacework Platform Scanner. This can be overridden with the --registry <registry_domain> argument.
  3. The script will run a query against the specified Lacework account(s) to gather distinct container repository/tag combinations that have run in the environment over the same "look-back" period.
  4. The script will then issue container scan requests for the un-scanned active containers via the Lacework API, or with the integrated Inline Scanner.
    • If using the Inline Scanner option, the script will try to fall back to the Inline Scanner for active containers that have no container registry integration.

The default "look-back" period is 1 day, but it can be changed with the --days <num_of_days> or --hours <num_of_hours> arguments.
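
The selection logic in steps 1 to 4, sketched as an added example (not the project's own code). The function name plan_scans, the image strings and the registry domains are constructed for illustration, and deferring work past the hourly limits is an assumption about how those limits would be handled.

```python
from datetime import datetime, timedelta, timezone

PLATFORM_LIMIT = 400  # platform scans per hour (see Known Issues)
INLINE_LIMIT = 60     # Inline Scanner scans per hour (see Things to Note)

def plan_scans(active, cache, integrated, now, cache_timeout_hours=24,
               rescan=False, inline_scanner=False, inline_only=False):
    """Sort active images into platform, inline, and skipped buckets.

    active     -- iterable of "registry/repo:tag" strings seen running
    cache      -- dict mapping image -> datetime of its last scan
    integrated -- set of registry domains the platform scanner can reach
    """
    cutoff = now - timedelta(hours=cache_timeout_hours)
    platform, inline, skipped = [], [], {}
    for image in sorted(set(active)):  # distinct repository/tag combinations
        registry = image.split("/", 1)[0]
        last_scan = cache.get(image)
        if not rescan and last_scan is not None and last_scan > cutoff:
            skipped[image] = "scanned within cache timeout"
        elif registry in integrated and not inline_only:
            platform.append(image)
        elif inline_scanner or inline_only:
            inline.append(image)  # fallback: no registry integration needed
        else:
            skipped[image] = "registry not integrated"
    # Assumption: work beyond the hourly limits waits for a later run.
    for bucket, limit in ((platform, PLATFORM_LIMIT), (inline, INLINE_LIMIT)):
        for image in bucket[limit:]:
            skipped[image] = "deferred by hourly scan limit"
        del bucket[limit:]
    return platform, inline, skipped

# Constructed sample data (not from a real account).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
ACTIVE = [
    "registry.example.com/shop/api:1.4",
    "registry.example.com/shop/api:1.4",      # duplicate from a second host
    "registry.example.com/shop/web:2.0",
    "public.example.org/tools/proxy:latest",  # registry has no integration
]
CACHE = {"registry.example.com/shop/web:2.0": NOW - timedelta(hours=3)}
INTEGRATED = {"registry.example.com"}

if __name__ == "__main__":
    print(plan_scans(ACTIVE, CACHE, INTEGRATED, NOW))
    print(plan_scans(ACTIVE, CACHE, INTEGRATED, NOW, inline_scanner=True))
```

Without the Inline Scanner, the image from the non-integrated registry is reported as skipped rather than silently dropped, which is the coverage gap the fallback in step 4 closes.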

How To Run

Local Execution

The easiest way to run this script is by executing it as a container using Lacework API credentials provided from your Lacework CLI configuration:

docker run -v ~/.lacework.toml:/home/user/.lacework.toml lacework/container-auto-scan

This will mount your Lacework CLI credentials into the container and execute the scan on the default profile. You can, of course, pass in a different profile with the -p <profile> argument as outlined here. Or you can provide credentials using the --account, --subaccount, --api-key, --api-secret arguments.

The script can also read the standard Lacework CLI environment variables for authentication as outlined here.

If cloning this repository, rather than using a container, you can run the script with the following usage:

usage: ./ [-h] [--account ACCOUNT] [--subaccount SUBACCOUNT] [--api-key API_KEY] [--api-secret API_SECRET] [-p PROFILE] [--proxy-scanner PROXY_SCANNER] [--cache-timeout] [--days DAYS] [--hours HOURS] [--registry REGISTRY] [--rescan] [--list-only] [--inline-scanner] [--inline-scanner-path INLINE_SCANNER_PATH] [--inline-scanner-access-token INLINE_SCANNER_ACCESS_TOKEN] [--inline-scanner-only] [--inline-scanner-prune] [-d] [--debug]

Inline Scanner Based Scans

As of version 0.3 of this script, scans now support the use of the Lacework Inline Scanner for container assessments. The use case for this is to scan containers which do not have an integrated container registry in a Lacework account. This will also allow scanning of publicly accessible images, as the Inline Scanner will pull them through the local Docker daemon.

The new Inline Scanner functionality can be leveraged either by running the script with the --inline-scanner argument on a machine with the Inline Scanner installed, or it can be run with a new Docker-in-Docker enabled container.

When executing in this mode, the script will attempt to scan as many container repositories as possible with the Platform Scanner, and fall back to the Inline Scanner only when required. This behavior can be changed with the --inline-scanner-only argument, which forces all scans through the Inline Scanner.

Due to permissions and dependency requirements for Docker-in-Docker, a new container image has been created (container-auto-scan-inline) which runs as the root user, and installs the necessary components. This also means that the image is much larger than the container-auto-scan image. Both images will follow the same release cycle and tagging conventions.

In order to run the Docker-in-Docker container, you'll execute the following:

docker run -v ~/.lacework.toml:/root/.lacework.toml -v /var/run/docker.sock:/var/run/docker.sock lacework/container-auto-scan-inline --inline-scanner-access-token <SCANNER_ACCESS_TOKEN_HERE>

Inline Scanner Auto Integration

As of version 0.5 of this script, the Inline Scanner integration (and subsequent access token) can be managed automatically. Simply pass the --auto-integrate-inline-scanner argument to the script, and it will re-use/create Inline Scanner integrations for each Lacework account it needs to interact with. The Inline Scanner integration will appear as lacework-auto-scan by default.

This option is especially useful when paired with the --org-level argument, as all Inline Scanner integrations will be automatically generated across an entire Lacework organization.

docker run -v ~/.lacework.toml:/root/.lacework.toml -v /var/run/docker.sock:/var/run/docker.sock lacework/container-auto-scan-inline --org-level --auto-integrate-inline-scanner

Things to Note

  • The Inline Scanner based container repository is named container-auto-scan-inline instead of container-auto-scan
  • The Inline Scanner based container runs as root rather than user
    • As a result, the lacework.toml file is mounted in /root/ rather than /home/user/
  • The Inline Scanner based scans require an access token be provided in one of three ways:
    • The --inline-scanner-access-token argument
    • The LW_ACCESS_TOKEN environment variable while setting the --inline-scanner argument
    • The --auto-integrate-inline-scanner argument (This will automatically create/re-use an integration per-account)
  • The Inline Scanner is currently limited to 60 scans per hour.
  • If you are using the Inline Scanner to scan against images which may be hosted in a remote registry, credentials can be passed into the scanner as a volume mount. For example, inserting -v /root/.docker/config.json:/root/.docker/config.json into the example above would pass the current root user's Docker credentials into the container to assume for pull operations.

Kubernetes Manifest

If you wish to run this script continuously, there is an example Kubernetes manifest in the manifests directory which will store your Lacework API credentials as a Kubernetes Secret and then run the container in a Deployment with the -d flag to execute it as a daemon.


| Short | Long | Default | Description |
|-------|------|---------|-------------|
| -h | --help | | show this help message and exit |
| | --account | None | The Lacework account to use |
| | --subaccount | None | The Lacework sub-account to use |
| | --api-key | None | The Lacework API key to use |
| | --api-secret | None | The Lacework API secret to use |
| -p | --profile | None | The Lacework CLI profile to use |
| | --proxy-scanner | None | The address of a Lacework proxy scanner: http(s)://[address]:[port] |
| | --cache-timeout | 24 | The number of hours in which to cache scan results before retrying. |
| | --days | None | The number of days in which to search for active containers |
| | --hours | 0 | The number of hours in which to search for active containers |
| | --registry | None | The container registry domain(s) for which to issue scans (comma separated) |
| | --rescan | | Issue scan requests for previously scanned containers |
| | --list-only | | Only list active containers for integrated/specified registries (no scans) |
| | --auto-integrate-inline-scanner | | Automatically create and re-use inline scanner integration(s) |
| | --inline-scanner | None | Use local Inline Scanner to evaluate images rather than Lacework platform (will attempt to scan images regardless of registry integration status) |
| | --inline-scanner-path | None | Path to the Inline Scanner executable (default: lw-scanner expected on path) |
| | --inline-scanner-access-token | None | Inline Scanner authentication token (in production environments it is recommended to use the --inline-scanner argument paired with the LW_ACCESS_TOKEN environment variable) |
| | --inline-scanner-only | | Use Inline Scanner exclusively (default: use platform scans with inline scanner for unconfigured registries) |
| | --inline-scanner-prune | | Once scanning is complete, prune images from the local docker registry (equivalent to docker rmi) |
| | --org-level | | Iterate through each Account in an Organization (Platform Scanner Only) |
| -d | --daemon | | Run the scanner as a daemon (executes every 20 minutes) |
| | --debug | | Enable debug logging |

Environment Variables

Lacework API

| Environment Variable | Description | Required |
|----------------------|-------------|----------|
| LW_PROFILE | Lacework CLI profile to use (configured at ~/.lacework.toml) | N |
| LW_ACCOUNT | Lacework account/organization domain (i.e. <account> | |
| LW_SUBACCOUNT | Lacework sub-account | N |
| LW_API_KEY | Lacework API Access Key | N |
| LW_API_SECRET | Lacework API Access Secret | N |

Lacework Inline Scanner

| Environment Variable | Description | Required |
|----------------------|-------------|----------|
| LW_ACCESS_TOKEN | Lacework Inline Scanner authentication token | N |

Known Issues

  • Due to Lacework API limitations, only 400 containers can be scanned in a single hour.
  • Due to Lacework API limitations, only 5000 scanned container images (for de-duplication) will get returned.
  • Due to Lacework API limitations, only 5000 container repo/tag combinations will get returned per registry.
