CI/CD Integrations
CI/CD Support (excluding Atlantis) is currently in beta for select Lacework customers. Contact your Lacework Representative for more information.
Lacework's Code Security integrates with both cloud-hosted and on-premises CI/CD providers. See the updated Support Matrix for current offerings. To get started scanning CI/CD pipelines, see the provider-specific docs for integrating with Lacework:
Usage
Usage is the same across all CI/CD providers. Optional variables give you additional control over your CI/CD scans and are marked (Optional). All other variables are required.
IaC Component Environment Secrets
The following values are required if the Lacework CLI is being used directly with the IaC component:
| Secret | Description |
|---|---|
| LW_ACCOUNT | Lacework account URL subdomain. For example, <ACCOUNT>.lacework.net |
| LW_API_KEY | Lacework API access key ID |
| LW_API_SECRET | Lacework API secret access key |
Obtain the Component Environment Secrets
To collect your environment secrets:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
Environment Variables
Set the following environment variables:
| Variable | Description |
|---|---|
| SCAN_COMMAND | Must be set to tf-scan, cfn-scan, helm-scan, k8s-scan, kustomize-scan or tf-plan-scan |
| SCAN_DIR | (Optional) Directory where the scan should be executed (relative to WORKSPACE or absolute). If no value is provided, WORKSPACE is used as the SCAN_DIR. |
| WORKSPACE | (Optional) Directory where the volume is mounted |
Formatting Variables
| Variable | Description |
|---|---|
| JSON_OUTPUT_FILE | (Optional) File to print results to in JSON format. The directory for this file should be mounted when running Docker so that the file is written to your disk. |
| JUNIT_OUTPUT_FILE | (Optional) File to print results to in JUnit XML format. The directory for this file should be mounted when running Docker so that the file is written to your disk. |
| GO_TEMPLATE_FILE | (Optional) Prints results using a Go text template (GO_TEMPLATE_OUTPUT_FILE must also be set). See Usage. |
| LW_IAC_CLI_FORMAT | (Optional) Format to print stdout results in (table, yaml, json, none, csv, atlantis, or count). May be used in conjunction with JSON_OUTPUT_FILE, JUNIT_OUTPUT_FILE and GO_TEMPLATE_FILE. |
SCAN_COMMAND Abbreviations
| Command | Description |
|---|---|
| tf-scan | Terraform |
| cfn-scan | CloudFormation |
| helm-scan | Helm |
| k8s-scan | Kubernetes |
| kustomize-scan | Kustomize |
| tf-plan-scan | Terraform plan |
tf-plan-scan: To specify the path to the JSON plan, use TF_PLAN_JSON. The default is ./tf-plan.json.
Other Variables
CI_GIT_REPO_URL / CI_REPO_URL - (Optional) Specifies the details of the git repository you are scanning.
Flags
To fail the scan for particular severity findings, specify:
EXIT_FLAG = Critical/High/Medium/Low/Info.
Exit flag values are case sensitive.
For example, EXIT_FLAG='Critical' fails the scan if there are one or more critical failed findings, and EXIT_FLAG='Critical=2' fails it if there are two or more critical failed findings.
Exit Codes
When you run a SCAN_COMMAND, the scan exits with one of the codes below. This gives you a preliminary scan result: it notifies you of violations and fails the scan if the violation threshold specified in Flags is met or exceeded.
| Code | Description |
|---|---|
| 0 | The scan was successful. |
| 1 | The scan exited with errors. |
| 2 | The completed scan failed because it met or exceeded the violation threshold set in Flags. |
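The following script is an added example, not Lacework's own code. It reimplements the EXIT_FLAG rule from Flags and the exit-code mapping above so that a pipeline author can see exactly when a scan is failed: the severity name is case sensitive, a bare severity means a threshold of 1, and `Severity=N` means N or more failed findings. The function names are hypothetical, and the per-severity count is assumed to be supplied by the caller (for example, parsed from JSON_OUTPUT_FILE); treating a malformed EXIT_FLAG as a scan error (exit 1) is also an assumption.

```shell
#!/bin/sh
# Added example (not Lacework's code). Reproduces the documented EXIT_FLAG
# semantics and the 0/1/2 exit codes so the gate logic can be reasoned about.

# exit_flag_threshold EXIT_FLAG
#   Echoes the numeric threshold encoded in EXIT_FLAG ('Critical' -> 1,
#   'Critical=2' -> 2). Returns 1 if the flag is malformed. Severity names
#   are matched case-sensitively, as the documentation states.
exit_flag_threshold() {
    flag=$1
    sev=${flag%%=*}
    case "$sev" in
        Critical|High|Medium|Low|Info) ;;
        *) echo "invalid EXIT_FLAG severity: $flag" >&2; return 1 ;;
    esac
    if [ "$flag" = "$sev" ]; then
        echo 1                      # bare severity: one finding is enough
        return 0
    fi
    n=${flag#*=}
    case "$n" in
        ''|*[!0-9]*) echo "invalid EXIT_FLAG threshold: $flag" >&2; return 1 ;;
    esac
    echo "$n"
}

# scan_exit_code COUNT EXIT_FLAG
#   COUNT is the number of failed findings at the severity named in EXIT_FLAG
#   (assumed to come from the caller). Returns the documented exit code:
#     0  threshold not reached (scan successful)
#     1  error (here: malformed EXIT_FLAG or COUNT; an assumption)
#     2  threshold met or exceeded (scan failed)
scan_exit_code() {
    count=$1
    flag=$2
    case "$count" in ''|*[!0-9]*) return 1 ;; esac
    threshold=$(exit_flag_threshold "$flag") || return 1
    if [ "$count" -ge "$threshold" ]; then
        return 2
    fi
    return 0
}
```

In a pipeline step you would call `scan_exit_code` with the count read from the scan output and `"$EXIT_FLAG"`, then fail the job on a return value of 2 and surface a return value of 1 as a scan error rather than a clean pass.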