Run SCA Using the Lacework CLI
To run SCA using the Lacework CLI, you must authenticate, install the SCA component, and run it using the available commands. You can also generate an SBOM in the CLI and specify the format. For more information, go to Software Bill of Materials (SBOM). Although Lacework currently only integrates with GitHub Actions and BitBucket, Lacework offers manual support for other CI/CD providers.
Authenticate Using an API Secret
Before you can run Lacework's Software Composition Analysis, you must authenticate using an API Secret.
The service user who's assigned the API secret must have Read and Write permissions on Container Registries and Code Security. For more information, go to the Access Control Overview.
Download the API Secret
To locate and download your API Secret:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Ensure that a service user is assigned for your new or existing API key.
- To assign a service user:
  - Select an API Key - Select an API key, click the edit icon, and then use the toggle and dropdown to select a service user and click Save.
  - Create an API Key - Go to Create API key, then use the toggle and dropdown to select a service user and click Save.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
Use the API Secret
To authenticate using your API Secret, run the following in the Lacework CLI, replacing <downloaded_lw_api_key> with the name of the file you downloaded:
lacework configure -j <downloaded_lw_api_key>.json --noninteractive
Install the SCA Component
To install the SCA component in the Lacework CLI, run:
lacework component install sca
For help, run:
lacework sca
Usage
To run Lacework's Software Composition Analysis in the Lacework CLI, run lacework sca [command], replacing [command] with one of the available commands.
For example, if you are in the directory of code you want to analyze, you can run:
lacework sca scan PATH
View Scan Results in the Lacework Console
To upload SCA findings to the Lacework Console and view them there, you must clone the repository locally before running SCA, scan the cloned repository, and pass the --save-results flag.
Available Commands
| Command | Description |
|---|---|
| compare | Compare two lw-json reports. Can be used to compare the SCA results with a baseline to identify the vulnerabilities that have been introduced. |
| completion | Generate the autocompletion script for the specified shell. |
| dir | Scan and analyze a specific directory. |
| git | Clone a git repository and analyze it. |
| help | Help for any command. |
| scan | Scan the specified directory or repository. |
| version | Print the version of SCA. |
Flags
| Flag | Description |
|---|---|
| -f, --formats formats | Specify the output format. Default is lw-json. |
| -h, --help | Help for SCA. |
| -o, --output string | Set the file or directory to use for output. Default prints to stdout. |
| -secret | Detect secrets in your code. |
| --eval-direct-only | Show only direct dependencies. |
| --severity | Show a list of findings of a specified severity, e.g., --severity CRITICAL, HIGH. |
| --ignore-cve | Specify CVEs to omit from the SBOM. |
| --save-results | Upload scan results to the Lacework Console. Note that you must scan a cloned repository to view results in the Console. |
| --active-only | Show only packages (and associated vulnerabilities) marked may_active. |
| --inactive-only | Show only packages (and associated vulnerabilities) marked inactive. |
Experimental Flags
Lacework SCA has additional experimental flags that can be used with Lacework SCA. We welcome feedback on these experimental features.
| Flag | Description |
|---|---|
| --dynamic | Attempts to match packages detected in an SCA scan with those found in production via the Code Aware Agent (CAA). |
Generate and Output an SBOM
To output a Software Bill of Materials (SBOM) using the CLI, use the -o output flag to write the results to a file, for example -o sbom.json:
lacework sca scan . -o sbom.json
or
lacework sca scan [repo URL or path to local repo] -o sbom.json
After you run SCA, a summary of findings is available in the CLI. The summary includes information about the repository analyzed and the breakdown of vulnerabilities (e.g., HIGH severity: 3). For additional information, such as the specific vulnerabilities found, open the sbom.json file located in your current directory.
Specify the SBOM Format
You can also specify the SBOM format with the -f flag. Current support includes:
| Format | Available File Types |
|---|---|
| Sarif | sarif |
| CycloneDX | cdx-xml, cdx-json |
| SPDX | spdx-json, spdx-tag, spdx-yaml |
| Lacework (default) | lw-json |
For example, to generate a CycloneDX JSON SBOM file, run:
lacework sca scan . -o sbom.json -f cdx-json
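The cdx-json file that this command writes is a standard CycloneDX document, so it can be post-processed by any tool that understands the schema. The following Python script is an added example and is not Lacework code: it loads a CycloneDX JSON SBOM, picks the worst rating per vulnerability, and reports a per-severity breakdown while applying a minimum-severity cutoff and an ignore list, which mirrors what the --severity and --ignore-cve flags described above do at scan time (the filtering logic here is the example's own, not the CLI's). The SBOM embedded in the script is constructed for the example, the CVE identifiers are placeholders, and the field names (components, vulnerabilities, ratings, affects) are those of the CycloneDX 1.4+ JSON schema.

```python
"""Summarize a CycloneDX JSON SBOM by vulnerability severity.

Added illustration, not Lacework code. Field names follow the CycloneDX 1.4+
JSON schema; the SBOM below is constructed for the example.
"""
import json
from collections import Counter

# Constructed sample SBOM with placeholder CVE ids (not real scan output).
SAMPLE_CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.15", "name": "lodash", "version": "4.17.15"},
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2"},
        {"bom-ref": "pkg:pypi/requests@2.25.0", "name": "requests", "version": "2.25.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
        {"id": "CVE-EXAMPLE-0002", "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.15"}]},
        {"id": "CVE-EXAMPLE-0003", "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},
    ],
})

# Most severe first; anything outside this list is treated as "unknown".
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]


def load_sbom(text):
    """Parse the document and refuse anything that is not CycloneDX."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def worst_severity(vuln):
    """Pick the most severe rating; CycloneDX allows several ratings per vuln."""
    sevs = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    sevs = [s if s in SEVERITY_ORDER else "unknown" for s in sevs] or ["unknown"]
    return min(sevs, key=SEVERITY_ORDER.index)


def summarize(bom, min_severity=None, ignore_cves=()):
    """Return ({severity: count}, [(vuln id, severity, affected refs)]).

    min_severity drops findings less severe than the cutoff (a severity filter);
    ignore_cves drops the listed identifiers (an ignore list). Both are this
    example's own filters, applied after the scan rather than by the CLI.
    """
    cutoff = SEVERITY_ORDER.index(min_severity.lower()) if min_severity else len(SEVERITY_ORDER)
    ignored = {c.upper() for c in ignore_cves}
    counts = Counter()
    findings = []
    for v in bom.get("vulnerabilities", []):
        vid = v.get("id", "")
        sev = worst_severity(v)
        if vid.upper() in ignored or SEVERITY_ORDER.index(sev) > cutoff:
            continue
        refs = sorted(a.get("ref", "") for a in v.get("affects", []))
        counts[sev] += 1
        findings.append((vid, sev, refs))
    return dict(counts), findings


def components_by_ref(bom):
    """Index components by bom-ref so findings can be resolved to name@version."""
    return {c.get("bom-ref"): c for c in bom.get("components", [])}


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_CDX_JSON)
    counts, findings = summarize(bom, min_severity="high", ignore_cves=["CVE-EXAMPLE-0002"])
    comps = components_by_ref(bom)
    for sev in SEVERITY_ORDER:
        if sev in counts:
            print(f"{sev.upper()} severity: {counts[sev]}")
    for vid, sev, refs in findings:
        names = ", ".join(f"{comps[r]['name']}@{comps[r]['version']}" for r in refs if r in comps)
        print(f"{vid} [{sev}] -> {names}")
```

Run it against a real cdx-json file by replacing SAMPLE_CDX_JSON with the file contents; the worst-rating rule matters because a single CycloneDX vulnerability may carry ratings from several sources, and counting the lowest one would understate the risk.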
Use the CLI with Other CI Providers
Lacework SCA with CI providers is currently limited to GitHub Actions and BitBucket. However, you can manually use the Lacework CLI to support other CI providers. Although this method does not work in the environment itself, its results are nearly identical to those of GitHub Actions.
To run SCA with other CI providers, run the following commands in the Lacework CLI:
1. On the commit you want to analyze:
   lacework sca scan PATH [options] -o report.sarif -f sarif
2. On the commit you want to compare results with (usually the merge base):
   lacework sca scan PATH [options] -o baseline.sarif -f sarif
3. To compare the two reports, run:
   lacework sca compare --new report.sarif --old baseline.sarif --link [repository url] --markdown message.md
This enables you to analyze commits and identify vulnerabilities that were introduced in the commit you scanned. To generate pull request comments, edit the message.md file referenced in step 3.
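The comparison step above is a set difference between two SARIF reports: anything in report.sarif that has no counterpart in baseline.sarif was introduced by the commit. The following Python script is an added example, not the implementation of lacework sca compare, and shows that idea end to end: it loads two constructed SARIF 2.1.0 reports, matches results on (ruleId, file, message text), and renders the introduced findings as a markdown table suitable for a pull request comment, which is the role message.md plays in the flow above. The match key, the markdown layout, the link argument (standing in for --link) and the placeholder CVE ids are all this example's assumptions.

```python
"""Diff two SARIF reports and render newly introduced findings as markdown.

Added illustration, not the `lacework sca compare` implementation. The two
reports below are constructed SARIF 2.1.0 documents with placeholder ids.
"""
import json

# Constructed baseline (merge base) report: one pre-existing finding.
BASELINE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sca"}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001", "level": "error",
             "message": {"text": "lodash 4.17.15 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
        ],
    }],
})

# Constructed report for the commit under review: the old finding plus one new one.
REPORT_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sca"}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001", "level": "error",
             "message": {"text": "lodash 4.17.15 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "CVE-EXAMPLE-0003", "level": "warning",
             "message": {"text": "requests 2.25.0 is affected"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
        ],
    }],
})


def result_key(result):
    """Identity used to match a result across reports (this example's choice)."""
    locs = result.get("locations") or [{}]
    uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
    return (result.get("ruleId", ""), uri, result.get("message", {}).get("text", ""))


def load_results(sarif_text):
    """Flatten every run's results into {key: result}."""
    doc = json.loads(sarif_text)
    if not str(doc.get("version", "")).startswith("2.1"):
        raise ValueError("expected a SARIF 2.1 document")
    return {result_key(r): r for run in doc.get("runs", []) for r in run.get("results", [])}


def compare(new_text, old_text):
    """Return (introduced, fixed): results only in new, and results only in old."""
    new, old = load_results(new_text), load_results(old_text)
    introduced = [new[k] for k in sorted(new.keys() - old.keys())]
    fixed = [old[k] for k in sorted(old.keys() - new.keys())]
    return introduced, fixed


def render_markdown(introduced, fixed, link=None):
    """Build a pull-request comment body (the role message.md plays above)."""
    lines = ["## SCA comparison", ""]
    if link:
        lines += [f"Repository: {link}", ""]
    lines += [f"New findings: {len(introduced)}; fixed findings: {len(fixed)}", ""]
    if introduced:
        lines += ["| Rule | Level | File | Message |", "|---|---|---|---|"]
        for r in introduced:
            rule, uri, msg = result_key(r)
            lines.append(f"| {rule} | {r.get('level', '')} | {uri} | {msg} |")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    introduced, fixed = compare(REPORT_SARIF, BASELINE_SARIF)
    print(render_markdown(introduced, fixed, link="https://example.com/org/repo"))
```

To use it with real output, read report.sarif and baseline.sarif from disk in place of the two constants; the key deliberately ignores line numbers so that an unrelated edit shifting a manifest file does not make an old finding look new.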