AWS Immersion Day with Lacework > Vulnerability & Workload Protection (DevSecOps) with CodePipeline, CodeBuild, ECR & EKS > Lacework Container Security: Image and Registry Scanning
Lacework Container Security: Image and Registry Scanning
The Build phase includes a Lacework vulnerability scan using the Lacework Inline Scanner. This tool scans Docker images for image and software package vulnerabilities. Additionally, Lacework has been set up to scan the Docker repositories. This allows you to detect vulnerable software and prevent it from being deployed.
View the lines of code in the CodeBuild buildspec that include the Lacework Inline Scanner.
- export LW_ACCOUNT_NAME=$LW_ACCOUNT_NAME - export LW_ACCESS_TOKEN=$LW_ACCESS_TOKEN - export LW_SCANNER_DISABLE_UPDATES=true - rm -rf ./evaluations/$IMAGE_NAME/$CODEBUILD_BUILD_NUMBER/evaluation_*.json || true - curl -L https://github.com/lacework/lacework-vulnerability-scanner/releases/latest/download/lw-scanner-linux-amd64 -o lw-scanner - chmod +x lw-scanner - ./lw-scanner image evaluate $DOCKER_REG/$IMAGE_NAME $CODEBUILD_BUILD_NUMBER --build-id $CODEBUILD_BUILD_NUMBER --data-directory .The Docker push command pushes the Docker image to a ECR repository that is automatically scanned by Lacework.
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $DOCKER_REG - docker image push -a "$DOCKER_REG/$IMAGE_NAME"Go to Settings > Integrations > Container Registries in your Lacework Console. This page shows the ECR registry and inline scanner setups.
