Run SAST using the Lacework CLI
Before using SAST for the first time, consult the Lacework Product Team for more information as it may not work appropriately for you.
To run SAST using the Lacework CLI, you must install the SAST component and run it using the available commands. Although Lacework currently only integrates with GitHub Actions and BitBucket, Lacework offers manual support for other CI/CD providers.
Authenticate Using an API Secret
Before you can run Lacework's Static Application Security Testing tool, you must authenticate using an API Secret.
Download the API Secret
To locate and download your API Secret:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Click the download icon.
Use the API Secret
To authenticate using your API Secret, run `lacework configure -j <downloaded_lw_api_key>.json --noninteractive` in the Lacework CLI, where `<downloaded_lw_api_key>.json` is the file you downloaded in the previous step.
Install the SAST Component
To install the SAST component in the Lacework CLI, run:
lacework component install sast
For help, run:
lacework sast
Usage
To run Lacework's Static Application Security Testing in the Lacework CLI, run `lacework sast [command]`, replacing `[command]` with one of the available commands listed below.
For example, if your current directory contains the code you want to analyze, run `lacework sast scan`.
Available Commands
| Command | Description |
|---|---|
| compare | Compare two reports. Can be used to compare the SAST results with a baseline to identify the vulnerabilities that have been introduced. |
| completion | Generate the autocompletion script for the specified shell. |
| help | Help for any command. |
| scan | Run SAST. |
| version | Print the version of SAST. |
Flags
| Flag | Description |
|---|---|
| -h, --help | Help for SAST. |
| -o, --output string | Set the file or directory to use for output. Default prints to stdout. |
Use the CLI with Other CI Providers
Lacework SAST integration with CI providers is currently limited to GitHub Actions and BitBucket. However, you can use the Lacework CLI manually to support other CI providers. Although this method does not integrate with the CI environment itself, its results are nearly identical to those of the GitHub Actions integration.
To run SAST with other CI providers, run the following commands in the Lacework CLI:
1. On the commit you want to analyze:
   lacework sast scan [options] --output report.sarif
2. On the commit you want to compare results with (usually the merge base):
   lacework sast scan [options] --output baseline.sarif
3. To compare the two reports, run:
   lacework sast compare --new report.sarif --old baseline.sarif --link [repository url] --markdown message.md
This enables you to analyze commits and identify vulnerabilities that were introduced in the commit you scanned. To generate pull request comments, edit the message.md file referenced in step 3.
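As an added example (not Lacework's own code or documentation), the following POSIX shell script drives the three steps above from a generic CI job: it resolves the merge base with `git merge-base`, scans the baseline commit in a detached `git worktree` so the checkout under review is left untouched, and then runs the compare to produce message.md. It assumes the Lacework CLI with the SAST component is installed and authenticated, that the job runs inside a git checkout of the commit under review, that the target branch is available as a remote-tracking ref such as `origin/main`, and that the flags are exactly those documented above. The `sarif_result_count` helper is an approximation of this example's own (it counts `"ruleId"` keys, one per SARIF result object) and is used only for a log line; the compare output remains the authoritative diff.

```sh
#!/bin/sh
# Added example, not Lacework's own code: drive the scan/scan/compare
# workflow from a generic CI job. Assumes the lacework CLI with the sast
# component is installed and authenticated (lacework configure), that the
# job runs inside a git checkout of the commit under review, and that the
# flags are the ones documented on this page.
set -eu

# Merge base of HEAD and the pull request's target branch (assumed to be
# available as a remote-tracking ref, e.g. origin/main).
merge_base() {
  git merge-base HEAD "$1"
}

# Rough count of SARIF result objects: every result carries a "ruleId" key.
# Used only for a log line; the compare output is the authoritative diff.
sarif_result_count() {
  grep -o '"ruleId"' "$1" | wc -l | tr -d ' '
}

# Scan a given commit in a detached worktree so the checkout under review
# is left untouched, writing the SARIF report to the given absolute path.
scan_commit() {
  commit="$1"; out="$2"
  tmp="$(mktemp -d)"
  git worktree add --detach "$tmp" "$commit" >/dev/null 2>&1
  ( cd "$tmp" && lacework sast scan --output "$out" )
  git worktree remove --force "$tmp"
}

# Full workflow: scan HEAD, scan the merge base, compare, and leave
# message.md behind as the body of a pull request comment.
run_sast_diff() {
  repo_url="$1"; base_branch="${2:-origin/main}"
  base_commit="$(merge_base "$base_branch")"
  workdir="$PWD"

  lacework sast scan --output "$workdir/report.sarif"
  scan_commit "$base_commit" "$workdir/baseline.sarif"
  lacework sast compare --new "$workdir/report.sarif" --old "$workdir/baseline.sarif" \
    --link "$repo_url" --markdown "$workdir/message.md"

  echo "results in HEAD: $(sarif_result_count "$workdir/report.sarif")"
  echo "results in $base_commit: $(sarif_result_count "$workdir/baseline.sarif")"
}

# Only run when invoked with arguments, e.g.:
#   sh sast-diff.sh https://github.com/example/repo origin/main
if [ "$#" -ge 1 ]; then
  run_sast_diff "$@"
fi
```

Invoke it from the CI step that has the repository checked out, passing the repository URL (used for the `--link` flag) and the target branch; the resulting message.md is what you would post back to the pull request.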