nicky-fortinet
Article Id 403559
Description: This article explains how to trigger a scan of an image in a repository that is already integrated with the FortiCNAPP Lacework platform.
Scope: FortiCNAPP, Lacework, Vulnerability, Container image scan.
Solution

To trigger a scan, use the Lacework CLI.

The lacework vulnerability container scan command is versatile:


Usage:
  lacework vulnerability container scan <registry> <repository> <tag|digest> [flags]

Flags:
      --details                   increase details of a vulnerability assessment
      --fail_on_fixable           fail if the assessed container has fixable vulnerabilities
      --fail_on_severity string   specify a severity threshold to fail if vulnerabilities are found (critical, high, medium, low, info)
      --fixable                   only show fixable vulnerabilities
  -h, --help                      help for scan
      --html                      generate a vulnerability assessment in HTML format
      --packages                  show a list of packages with CVE count
      --poll                      poll until the vulnerability scan completes
      --severity string           filter vulnerability assessment by severity threshold (critical, high, medium, low, info)


Example commands:

'Scan the latest version of the FortiCNAPP Lacework data collector on the latest tag in Docker Hub':

lacework vulnerability container scan index.docker.io lacework/datacollector latest

'Scan the latest version of the FortiCNAPP Lacework data collector on the latest tag in Docker Hub, but only show fixable CVEs':

lacework vulnerability container scan index.docker.io lacework/datacollector latest --fixable --poll

'Scan the latest version of the FortiCNAPP Lacework data collector on the latest tag in Docker Hub, showing the packages broken down by how many CVEs each package has':

lacework vulnerability container scan index.docker.io lacework/datacollector latest --packages --poll


Note:

  • Use the --poll option so that the scan results are returned in the current CLI session; without --poll, the scan still runs and its results are saved to the platform rather than shown in the terminal.
  • To scan an image in a registry, that registry must already be integrated into the FortiCNAPP Lacework platform; in this example, a Docker Hub integration has been added to the platform.


[Image: dockerhub2.jpg - the Docker Hub registry integration in the FortiCNAPP Lacework platform, showing its 'Registry Domain']


The 'Registry Domain' shown in the integration is the value to pass as the <registry> argument in the CLI (index.docker.io in the examples above).
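As an added example that is not part of this article or the Lacework CLI itself, the following POSIX shell wrapper turns the scan into a CI gate using the --poll and --fail_on_severity flags listed in the usage above. It assumes the lacework CLI is installed and authenticated, that the registry is already integrated into the platform, and that --fail_on_severity makes the command exit non-zero when a vulnerability at or above the threshold is found (an assumption; confirm against your CLI version). The function names valid_severity, build_scan_cmd and scan_gate are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Fortinet article or the Lacework project.
# Assumes: lacework CLI installed and authenticated; registry already integrated;
# --fail_on_severity yields a non-zero exit when the threshold is met (assumed).

# Accept only the severity values the CLI usage documents.
valid_severity() {
  case "$1" in
    critical|high|medium|low|info) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the scan command line for <registry> <repository> <tag|digest> <severity>.
# Printed rather than executed so it can be inspected and tested offline.
build_scan_cmd() {
  registry="$1"; repository="$2"; ref="$3"; threshold="$4"
  if ! valid_severity "$threshold"; then
    echo "invalid severity threshold: $threshold" >&2
    return 2
  fi
  # --poll keeps the result in this session; --fail_on_severity turns it into a gate.
  printf 'lacework vulnerability container scan %s %s %s --poll --fail_on_severity %s' \
    "$registry" "$repository" "$ref" "$threshold"
}

# Run the gate and map the scan's exit status to a CI outcome.
scan_gate() {
  cmd=$(build_scan_cmd "$@") || return $?
  if ! command -v lacework >/dev/null 2>&1; then
    echo "lacework CLI not found; would run: $cmd" >&2
    return 127
  fi
  # shellcheck disable=SC2086
  if $cmd; then
    echo "scan passed: no vulnerabilities at or above $4"
  else
    echo "scan failed: vulnerabilities at or above $4 found, or scan error" >&2
    return 1
  fi
}

# Example invocation (constructed): gate the data collector image on 'high'.
# scan_gate index.docker.io lacework/datacollector latest high
```

Call scan_gate from a pipeline step with the integration's 'Registry Domain' as the first argument; a non-zero exit fails the job. Passing a digest instead of a tag as the third argument pins the scan to one exact image, which a mutable tag such as latest cannot guarantee.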