The aim of this project is to make it simple to trigger vulnerability assessments for active containers whose images come from container registries that are integrated with Lacework.
- The script downloads a report of all containers scanned during a defined "look-back" period. Containers that have already been scanned are skipped by default; this can be overridden with the `--rescan` flag.
- The script enumerates all integrated container registries, gathering the domains that can be scanned. This can be overridden with the `--registry <registry_domain>` argument.
- The script runs a query against the specified Lacework account to gather the distinct container repository/tag combinations that have run in the environment over the "look-back" period for the integrated domains.
- The script then issues container scan requests for the unscanned active containers via the Lacework API.

The default "look-back" period is 1 day, but it can be changed with the `--days <num_of_days>` or `--hours <num_of_hours>` arguments.
The easiest way to run this script is to execute it as a container, using Lacework API credentials provided by your Lacework CLI configuration:

```sh
docker run -v ~/.lacework.toml:/home/user/.lacework.toml alannix/container-auto-scan
```

This mounts your Lacework CLI credentials into the container and executes the scan with the default profile. Note that the whole `~/.lacework.toml` file, including the API secrets of every profile it contains, is mounted into the container; the script only reads it, so the mount can be made read-only by appending `:ro` to the `-v` argument (a standard Docker option). You can, of course, pass in a different profile with the `-p <profile>` argument as outlined here. Alternatively, you can provide credentials with the `--account`, `--subaccount`, `--api-key` and `--api-secret` arguments.

The script can also read the standard Lacework CLI environment variables for authentication, as outlined here.
If you are cloning this repository rather than using the container, you can run the script directly with the following usage:

```
usage: ./auto-scan.py [-h] [--account ACCOUNT] [--subaccount SUBACCOUNT] [--api-key API_KEY] [--api-secret API_SECRET] [-p PROFILE] [--proxy-scanner PROXY_SCANNER] [--days DAYS] [--hours HOURS] [--registry REGISTRY] [--rescan] [--list-only] [-d] [--debug]
```
If you wish to run this script continuously, there is an example Kubernetes manifest in the `manifests` directory that stores your Lacework API credentials as a Kubernetes Secret and runs the container in a Deployment with the `-d` flag, which executes the scanner as a daemon.
short | long | default | help |
---|---|---|---|
`-h` | `--help` | | show this help message and exit |
 | `--account` | None | The Lacework account to use |
 | `--subaccount` | None | The Lacework sub-account to use |
 | `--api-key` | None | The Lacework API key to use |
 | `--api-secret` | None | The Lacework API secret to use |
`-p` | `--profile` | None | The Lacework CLI profile to use |
 | `--proxy-scanner` | None | The address of a Lacework proxy scanner: `http(s)://[address]:[port]` |
 | `--days` | None | The number of days in which to search for active containers |
 | `--hours` | 0 | The number of hours in which to search for active containers |
 | `--registry` | None | The container registry domain(s) for which to issue scans (comma separated) |
 | `--rescan` | | Issue scan requests for previously scanned containers |
 | `--list-only` | | Only list active containers for integrated/specified registries (no scans) |
`-d` | `--daemon` | | Run the scanner as a daemon (executes every 20 minutes) |
 | `--debug` | | Enable debug logging |
Environment Variable | Description | Required |
---|---|---|
`LW_PROFILE` | Lacework CLI profile to use (configured at `~/.lacework.toml`) | N |
`LW_ACCOUNT` | Lacework account/organization domain (i.e. `<account>.lacework.net`) | N |
`LW_SUBACCOUNT` | Lacework sub-account | N |
`LW_API_KEY` | Lacework API Access Key | N |
`LW_API_SECRET` | Lacework API Access Secret | N |
- Due to Lacework API limitations, only 400 containers can be scanned in a single hour.
- Due to Lacework API limitations, only 5000 scanned container images (used for de-duplication) will be returned.
- Due to Lacework API limitations, only 5000 container repo/tag combinations will be returned per registry.

The last limit is the one to watch: if a registry has more than 5000 distinct repo/tag combinations active in the look-back window, the excess is never scanned. Shortening the window with `--hours`, or running once per registry with `--registry`, keeps each query under the cap.
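As an added example (not the project's own code), the following Python shows the selection step described above and how it has to meet the limits listed here: it normalises image references so that the same image spelled two ways is not scanned twice, keeps only images from integrated registries, skips already-scanned images unless a rescan is requested, splits the remaining requests into 400-per-hour batches, and flags API responses that hit the 5000-entry caps. The image-reference parsing rules (Docker naming conventions), the `ImageRef` helper and the sample lists are assumptions for illustration; the real script fetches these lists from the Lacework API.

```python
"""Added example: choose which active container images to submit for a
Lacework scan, and fit the work to the documented API caps.
Not the project's own code; the parsing rules and sample data are assumed."""
from dataclasses import dataclass

# Assumed caps, taken from the README's limitations list.
MAX_SCANS_PER_HOUR = 400
MAX_SCANNED_IMAGES_RETURNED = 5000
MAX_ACTIVE_PER_REGISTRY = 5000


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: str  # a tag, or "@sha256:..." when the reference is pinned by digest

    def __str__(self):
        sep = "" if self.tag.startswith("@") else ":"
        return f"{self.registry}/{self.repository}{sep}{self.tag}"


def parse_image_ref(ref: str) -> ImageRef:
    """Split "registry/repo:tag" or "registry/repo@sha256:..." into parts.
    Docker naming rules are assumed: the first path component is a registry
    only if it contains "." or ":" or is "localhost"; otherwise the registry
    is docker.io and a bare name gets the "library/" namespace. A missing
    tag means "latest"."""
    if "@" in ref:
        name, digest = ref.split("@", 1)
        tag = "@" + digest
    else:
        name, tag = ref, None
    parts = name.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
        if "/" not in path:
            path = "library/" + path
    if tag is None:
        head, _, last = path.rpartition("/")
        if ":" in last:
            last, tag = last.rsplit(":", 1)
        else:
            tag = "latest"
        path = f"{head}/{last}" if head else last
    return ImageRef(registry, path, tag)


def select_scans(active, scanned, registries, rescan=False):
    """Return the distinct images that need a scan request, in first-seen
    order: only images from integrated registries, and only those absent
    from the already-scanned set unless rescan=True."""
    already = {parse_image_ref(s) for s in scanned}
    seen = set()
    wanted = []
    for ref in active:
        img = parse_image_ref(ref)
        if img.registry not in registries or img in seen:
            continue
        seen.add(img)
        if img in already and not rescan:
            continue
        wanted.append(img)
    return wanted


def hourly_batches(images, per_hour=MAX_SCANS_PER_HOUR):
    """Split scan requests into chunks that fit the per-hour budget; each
    chunk after the first has to wait an hour before it is submitted."""
    return [images[i:i + per_hour] for i in range(0, len(images), per_hour)]


def truncation_warnings(scanned_count, active_counts):
    """Flag API responses that hit the documented caps. A capped scanned
    list only causes redundant rescans; a capped active list for a registry
    silently leaves some containers unscanned, which is the dangerous case."""
    warnings = []
    if scanned_count >= MAX_SCANNED_IMAGES_RETURNED:
        warnings.append("scanned-image list hit the 5000 cap; de-duplication may be incomplete")
    for registry, count in sorted(active_counts.items()):
        if count >= MAX_ACTIVE_PER_REGISTRY:
            warnings.append(f"{registry}: active repo/tag list hit the 5000 cap; some containers will not be scanned")
    return warnings


# Constructed sample data, not real Lacework output.
ACTIVE = [
    "nginx:1.25",
    "docker.io/library/nginx:1.25",  # same image as above, spelled differently
    "ghcr.io/example/api:v1",
    "ghcr.io/example/api:v2",
    "ghcr.io/example/api@sha256:0123456789abcdef",
    "quay.io/example/worker:3",  # registry not integrated: ignored
]
SCANNED = ["ghcr.io/example/api:v1"]
INTEGRATED = {"docker.io", "ghcr.io"}

if __name__ == "__main__":
    todo = select_scans(ACTIVE, SCANNED, INTEGRATED)
    for hour, batch in enumerate(hourly_batches(todo)):
        print(f"hour {hour}: {[str(img) for img in batch]}")
    for warning in truncation_warnings(len(SCANNED), {"ghcr.io": 5000, "docker.io": 2}):
        print("WARNING:", warning)
```

Running the sample yields three scan requests in a single batch (the two spellings of `nginx:1.25` collapse to one, `api:v1` is skipped because it was already scanned, and the quay.io image is dropped because that registry is not integrated), plus a warning for the constructed ghcr.io count that sits exactly at the cap.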