<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Jeff Thorne</title>
    <description>The latest articles on Forem by Jeff Thorne (@jeffthorne).</description>
    <link>https://forem.com/jeffthorne</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F222084%2F0404a4a3-63ab-427a-aef1-b6be01bc9a95.jpeg</url>
      <title>Forem: Jeff Thorne</title>
      <link>https://forem.com/jeffthorne</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/jeffthorne"/>
    <language>en</language>
    <item>
      <title>Lacework VS Code Extension</title>
      <dc:creator>Jeff Thorne</dc:creator>
      <pubDate>Tue, 09 Nov 2021 22:54:00 +0000</pubDate>
      <link>https://forem.com/lacework/lacework-vs-code-extension-18la</link>
      <guid>https://forem.com/lacework/lacework-vs-code-extension-18la</guid>
      <description>&lt;p&gt;The Lacework VS Code vulnerability scanner extension is a new plugin that quickly identifies vulnerabilities in your base images right from your IDE. This is a first step and an alpha release; expanded capabilities will follow.&lt;/p&gt;

&lt;p&gt;This blog covers how to install lw-scanner and leverage it to perform image assurance scans from within VS Code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Install lw-scanner&lt;/strong&gt;&lt;br&gt;
The plugin assumes that lw-scanner is installed on your local system. Installation instructions can be found here: &lt;a href="https://support.lacework.com/hc/en-us/articles/1500001777821-Integrate-Inline-Scanner" rel="noopener noreferrer"&gt;support.lacework.com&lt;/a&gt; and the the latest release of the scanner binary can be found at &lt;a href="https://github.com/lacework/lacework-vulnerability-scanner/releases" rel="noopener noreferrer"&gt;github.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once lw-scanner is installed the next step is to download the Lacework plugin from the VS Code Marketplace.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqqm15m83nrgrh0ql4pug.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqqm15m83nrgrh0ql4pug.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With an active Dockerfile in the editor you can initiate an image assurance scan by opening the Command Palette (Command+Shift+P on macOS, Control+Shift+P on Windows/Linux) and choosing the Lacework scan command, as shown in the recording below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmr9gn23fnzfz3sn2d6yv.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmr9gn23fnzfz3sn2d6yv.gif" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once the scan is complete a summary appears next to the base image (it disappears again after a moment), and the more detailed scan result is available in the Output window.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxew9cyj2i9309sm6n917.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxew9cyj2i9309sm6n917.png" alt="Image description"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Source code can be found here for now: &lt;a href="https://github.com/jeffthorne/lacework-vscode-extension" rel="noopener noreferrer"&gt;github&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This is just a quick preview update. For suggestions or feedback please open an issue on the repo. PRs welcomed. Stay tuned for more.&lt;/p&gt;

&lt;p&gt;Cheers,&lt;br&gt;
Jeff&lt;/p&gt;

</description>
      <category>vscode</category>
      <category>javascript</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>OPA @Lacework</title>
      <dc:creator>Jeff Thorne</dc:creator>
      <pubDate>Tue, 17 Aug 2021 22:19:52 +0000</pubDate>
      <link>https://forem.com/lacework/opa-lacework-27e5</link>
      <guid>https://forem.com/lacework/opa-lacework-27e5</guid>
      <description>&lt;p&gt;There is always a ton of innovation and exciting things happening in the Kubernetes community. One of the CNCF projects we are super excited about over here at Lacework is &lt;a href="https://www.openpolicyagent.org/"&gt;Open Policy Agent&lt;/a&gt;, which has seen tremendous interest and adoption over the last 18 months. If you’re not familiar with OPA, it is a unified toolset and framework that can be used for consistent policy decisions across your cloud native stack. In 2020 alone the OPA project had over 35 million downloads, and it officially became a CNCF graduated project on Feb 4th, 2021. &lt;/p&gt;

&lt;p&gt;What really makes this project special is its open governance and that organizations can leverage their existing investment and skillset around policy in many facets of their cloud native stack. Lacework is committed to embracing OPA so that our customers can drive policy decisions in many parts of our platform.&lt;/p&gt;

&lt;p&gt;Where are we starting with our OPA support? No place better than in build. This will allow us to offer an enriched developer experience, deeper insight, software supply chain governance, and flexible decision making prior to application delivery.&lt;/p&gt;

&lt;p&gt;Ok, enough of the fancy terms. Let’s get to the nuts and bolts of our current integration efforts. Lacework is currently in the process of launching a k8s security toolkit called Helios, named after the Greek Titan of the sun and guardian of oaths. So how does OPA fit into Helios? One of Helios’ components is a k8s admission webhook that allows policy decisions to be made at deployment time by intercepting pods and evaluating them with OPA and Lacework image assurance.&lt;/p&gt;

&lt;p&gt;Admission webhooks intercept requests to the Kubernetes API server after the request has been authenticated and authorized, but before the object is persisted. At a high level they offer admission control, which governs and enforces how the cluster is used. Let’s take a look at how this works in action as seen in figure 1.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s---TbuRGKE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/avrrxvbz1zqk2noutotu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s---TbuRGKE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/avrrxvbz1zqk2noutotu.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure 1 - High level architecture of k8s admission webhook&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When the application or pod is deployed in step 1, and after the request has been authenticated and authorized, it is passed to the admission webhook (which can be mutating or validating) for processing in step 2. From here the Helios webhook looks up image assurance scan results for the image in the Lacework platform in step 3. This lookup is keyed on the image digest (SHA) rather than on a mutable tag, and if no results are found an on-demand scan can be initiated. In step 4 the scan results JSON object is sent to an OPA endpoint for a policy decision.&lt;/p&gt;

&lt;p&gt;Based on the result received from the OPA endpoint the pod or deployment is then either allowed to be provisioned or blocked. This decision, along with any error message returned by the OPA endpoint, is passed back to the kube API server for processing.&lt;/p&gt;
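
&lt;p&gt;The four steps above, and the Rego-driven pipeline check shown later in figure 3, as an added example that is not part of the original post or of the Helios code: a Python sketch of the validating-webhook side. It uses a constructed AdmissionReview, a constructed registry lookup from tag to digest, a constructed scan-results store keyed by digest, and a local policy_decision function standing in for the HTTP call to the OPA endpoint. The scan-result field names, the vulnerability IDs and the policy itself are assumptions, not the Lacework API schema or real CVEs. The sketch deliberately fails closed: an image that cannot be resolved to a digest, or that has no scan results yet, is rejected rather than waved through, and initContainers get the same treatment as containers.&lt;/p&gt;

```python
import json

# Severities the (assumed) policy blocks on when the vulnerability has a fix available.
BLOCKING_SEVERITIES = {"Critical", "High"}
WEB_DIGEST = "sha256:" + "a" * 64
PROXY_DIGEST = "sha256:" + "b" * 64

# Constructed AdmissionReview as the API server would send it (admission.k8s.io/v1, trimmed).
ADMISSION_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "7b4f2a1e-0000-4000-8000-000000000001",
        "operation": "CREATE",
        "object": {
            "metadata": {"name": "jeffsbooks-7c9d", "namespace": "shop"},
            "spec": {
                "initContainers": [{"name": "migrate", "image": "registry.example.com/jeffsbooks/web@" + WEB_DIGEST}],
                "containers": [
                    {"name": "web", "image": "registry.example.com/jeffsbooks/web@" + WEB_DIGEST},
                    {"name": "proxy", "image": "registry.example.com/jeffsbooks/proxy:1.4.2"},
                ],
            },
        },
    },
}

# Constructed registry lookup from tag to digest. Tags are mutable, so scan results are only ever keyed on digests.
REGISTRY_TAG_TO_DIGEST = {"registry.example.com/jeffsbooks/proxy:1.4.2": PROXY_DIGEST}

# Constructed scan results keyed by digest. Field names and IDs are placeholders, not the Lacework schema or real CVEs.
SCAN_RESULTS_BY_DIGEST = {
    WEB_DIGEST: {
        "image": "registry.example.com/jeffsbooks/web",
        "vulnerabilities": [
            {"id": "EXAMPLE-1", "severity": "Critical", "fix_version": "2.4.51"},
            {"id": "EXAMPLE-2", "severity": "Medium", "fix_version": None},
        ],
    },
    PROXY_DIGEST: {
        "image": "registry.example.com/jeffsbooks/proxy",
        "vulnerabilities": [{"id": "EXAMPLE-3", "severity": "High", "fix_version": None}],
    },
}


def parse_digest(image_ref):
    """Return the 'sha256:...' digest when the reference is pinned by digest, else None."""
    return image_ref.split("@", 1)[1] if "@sha256:" in image_ref else None


def resolve_digest(image_ref):
    """Prefer the pinned digest; fall back to the (constructed) registry lookup for tag references."""
    return parse_digest(image_ref) or REGISTRY_TAG_TO_DIGEST.get(image_ref)


def policy_decision(scan):
    """Local stand-in for the OPA endpoint, returning (allowed, reasons). Equivalent Rego, illustrative only:
        blocking := {"Critical", "High"}
        deny[msg] {
            v := input.vulnerabilities[_]
            blocking[v.severity]
            v.fix_version != null
            msg := sprintf("%s: fixable %s %s", [input.image, v.severity, v.id])
        }
    """
    reasons = [
        f"{scan['image']}: fixable {v['severity']} {v['id']} (fix {v['fix_version']})"
        for v in scan["vulnerabilities"]
        if v["severity"] in BLOCKING_SEVERITIES and v["fix_version"] is not None
    ]
    return (len(reasons) == 0, reasons)


def evaluate(review):
    """Check every image in the pod (initContainers included) and build the AdmissionReview response."""
    req = review["request"]
    spec = req["object"]["spec"]
    reasons, seen = [], set()
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        digest = resolve_digest(c["image"])
        if digest is None:
            reasons.append(f"{c['name']}: cannot resolve {c['image']} to a digest")
        elif digest not in seen:
            seen.add(digest)
            scan = SCAN_RESULTS_BY_DIGEST.get(digest)
            if scan is None:
                # Fail closed: no results means no decision; Helios would kick off an on-demand scan here.
                reasons.append(f"{c['name']}: no scan results for {digest[:19]}..., on-demand scan required")
            else:
                reasons.extend(policy_decision(scan)[1])
    allowed = not reasons
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": response}


if __name__ == "__main__":
    print(json.dumps(evaluate(ADMISSION_REVIEW), indent=2))
```

&lt;p&gt;Run it directly to print the AdmissionReview response for the sample pod: the web image is denied because of a fixable Critical finding, while the proxy image (a High with no fix available) passes the assumed policy. In a real webhook the policy_decision call becomes an HTTP POST of the scan JSON to the OPA decision URL, and the Rego in the docstring is the shape such a policy takes; the same rule, evaluated against the scan output in a Jenkins step, is what blocks the pipeline in figure 3.&lt;/p&gt;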

&lt;p&gt;We can see the results of this in action below in figure 2. The top terminal is an attempt to circumvent the approved organizational CI/CD pipeline and deploy application changes directly with kubectl. The bottom terminal tails the logs of the Lacework Helios admission webhook. We can see that the pod deployment has been intercepted while the image assurance results are validated against an OPA endpoint. Based on the vulnerability surface of this image, the deployment was ultimately blocked from entering the cluster.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--91qX701d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/msooj0vimqtrf3nrr53y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--91qX701d--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/msooj0vimqtrf3nrr53y.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure 2 - Pod interception and OPA validation of scan results&lt;/strong&gt;  &lt;/p&gt;

&lt;p&gt;These types of checks and best practices can also be integrated at build time through a variety of plugins for well-known CI/CD tools. In figure 3 we can see a Jenkins pipeline blocked by an arbitrary policy written in Rego and evaluated in build against Lacework’s image assurance scan results. Figure 4 displays a portion of the resulting build artifact.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IQpkWjks--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mr1gich24koqs0b2i9be.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IQpkWjks--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mr1gich24koqs0b2i9be.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure 3 - Custom OPA policy in build driving pipeline decisions&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RuBolUVb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nnyuakw7r5psnuehc0b5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RuBolUVb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nnyuakw7r5psnuehc0b5.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Figure 4 - Resulting build artifact displaying scan decision and policy ID&lt;/strong&gt; &lt;/p&gt;

&lt;p&gt;These are just a couple of quick examples demonstrating the power and flexibility of using Open Policy Agent to enforce policy decisions at various stages in your build to deploy pipelines. In this article we covered how Lacework is integrating OPA into our k8s admission controller and CI/CD plugins. Stay tuned for more info on our OPA and other tech initiatives.&lt;/p&gt;

</description>
      <category>kubernetes</category>
      <category>devops</category>
    </item>
    <item>
      <title>Integrating Accurics IaC Scanning into Jenkins</title>
      <dc:creator>Jeff Thorne</dc:creator>
      <pubDate>Wed, 09 Dec 2020 17:31:45 +0000</pubDate>
      <link>https://forem.com/jeffthorne/integrating-accurics-iac-scanning-into-jenkins-13ai</link>
      <guid>https://forem.com/jeffthorne/integrating-accurics-iac-scanning-into-jenkins-13ai</guid>
      <description>&lt;p&gt;Just a quick post on integrating IaC scanning into Jenkins with the Accurics CLI. This example detects security violations in your Terraform definitions, along with any configuration drift between those definitions and your running cloud resources, at build time. Super cool stuff!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Steps&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Download CLI:&lt;/strong&gt; 
From the Accurics dashboard for your chosen environment hit Download CLI. This will download the Accurics binary and config file. The config file is needed to associate the scan results with your Accurics account and specific environment.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--bJOdwf_L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sjocwgbblddavym8a563.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--bJOdwf_L--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/sjocwgbblddavym8a563.png" alt="cli"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;ol start="2"&gt;
&lt;li&gt;
&lt;strong&gt;Add a step to your Jenkins pipeline file:&lt;/strong&gt; 
You can optionally set the -fail flag to stop the build if violations are detected. The CLI produces reports in both HTML and JSON formats. For this example I have also optionally requested that Jenkins publish the HTML report as a build artifact.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Q-C0c-FA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/igpehmvwdyxvlxu5pzhn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Q-C0c-FA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/igpehmvwdyxvlxu5pzhn.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here is what the results look like from within Jenkins for a failed pipeline.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--YiDgB7Q7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ehr1hrx8qrv9vlb5vdoz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--YiDgB7Q7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/ehr1hrx8qrv9vlb5vdoz.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And the resulting html report:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cwUdQ1Gm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/pps7rj9phleoovriw9db.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cwUdQ1Gm--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/pps7rj9phleoovriw9db.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Looks like I have some violations to address for the new infrastructure definition for the jeffsbooks app but currently no drift from my running application and cloud environment 👍&lt;/p&gt;

&lt;p&gt;This was a super quick example on integrating IaC scanning for Terraform into a Jenkins pipeline. The Accurics CLI has many other options and support for other provisioning tools such as Helm, Kustomize, CFT, Ansible, ARM, CDM, etc.&lt;/p&gt;

&lt;p&gt;If any questions come up or help is needed feel free to drop me a line.&lt;/p&gt;

&lt;p&gt;Cheers,&lt;br&gt;
Jeff&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
