GitHub Actions
CI/CD support for GitHub Actions is currently in beta for select Lacework customers. Contact your Lacework Representative for more information.
Lacework IaC Security now integrates with CI/CD providers. For more information, go to the updated IaC Support Matrix.
Integrate a GitHub Actions CI/CD Pipeline
To integrate a GitHub Actions CI/CD pipeline, you first need your Lacework account name, API key (LW_API_KEY), and API secret (LW_API_SECRET). To view this information:
- Log in to the Lacework Console.
- Click Settings > API keys.
- Select or create an API key.
- Click the download icon.
- Open the downloaded .json file to view your API Key, API Secret, and account name.
In your GitHub repository, configure the API Key, API Secret, and account name:
- Go to your GitHub repository > Settings > Security > Secrets & Variables > Actions
- Click the Secrets tab.
For each secret (LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET):
- Click New repository secret.
- In the Name field, enter the name of your variable. For example, LW_ACCOUNT.
- In the Secret field, enter the value you retrieved from the .json file for each secret. For example, <account.lacework.net>.
- Click Add secret.
Then configure a GitHub Action similar to the following example:
Example GitHub Action
```yaml
name: lacework-iac-example-ga

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-20.04
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Scan the repo for vulnerabilities in IaC
        run: |
          # Required to pass the GITHUB and Lacework (LW) environment secrets to use
          env | grep "GITHUB_\|LW_\|CI_" > env.list
          # Required command based on what you want to scan in the repository
          echo "SCAN_COMMAND=tf-scan" >> env.list
          # Required if you are not mounting the volume on /app
          echo "WORKSPACE=src" >> env.list
          # Fail the step for any critical failed findings (violations) in the assessment scan.
          # Written without inner quotes: docker --env-file passes values literally, quotes included.
          echo "EXIT_FLAG=Critical=1" >> env.list
          docker run --env-file env.list -v "$(pwd):/app/src" lacework/codesec-iac:latest
        env:
          LW_ACCOUNT: ${{ secrets.LW_ACCOUNT }}
          LW_API_KEY: ${{ secrets.LW_API_KEY }}
          LW_API_SECRET: ${{ secrets.LW_API_SECRET }}
```
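The `run:` step above writes env.list and assumes every repository secret reached the job. As an added example (not Lacework's own code), the bash pre-flight below builds the same env.list and fails early when a required LW_* secret is missing or empty, or when a value is wrapped in quotes that `docker --env-file` would pass through verbatim. The function names build_env_list and check_env_list are assumptions, not part of the Lacework tooling.

```bash
#!/usr/bin/env bash
# Added example, not from Lacework. Builds the env.list that
# `docker run --env-file` consumes in the workflow step and checks it
# before the scan runs, so a missing repository secret fails the job
# with a clear message instead of an opaque authentication error.

# Write env.list from the current environment, mirroring the workflow step.
# Args: output path, SCAN_COMMAND, WORKSPACE, EXIT_FLAG.
build_env_list() {
  out="$1"; scan_cmd="$2"; workspace="$3"; exit_flag="$4"
  # Same variable families the workflow forwards (GitHub, Lacework, CI).
  env | grep -E '^(GITHUB_|LW_|CI_)' > "$out" || true
  printf 'SCAN_COMMAND=%s\n' "$scan_cmd" >> "$out"
  printf 'WORKSPACE=%s\n' "$workspace" >> "$out"
  # Written unquoted: docker --env-file passes values literally, quotes included.
  printf 'EXIT_FLAG=%s\n' "$exit_flag" >> "$out"
}

# Return 0 when every required Lacework variable is present and non-empty
# and no value is wrapped in quotes; otherwise report each problem on
# stderr and return 1.
check_env_list() {
  file="$1"; rc=0
  for name in LW_ACCOUNT LW_API_KEY LW_API_SECRET; do
    value=$(grep -E "^${name}=" "$file" | head -n 1 | cut -d= -f2-)
    if [ -z "$value" ]; then
      echo "env.list check: $name is missing or empty" >&2
      rc=1
    fi
  done
  if grep -Eq "^[A-Za-z_][A-Za-z0-9_]*=['\"]" "$file"; then
    echo "env.list check: quoted value found; docker --env-file keeps the quotes" >&2
    rc=1
  fi
  return "$rc"
}
```

Call `build_env_list env.list tf-scan src Critical=1 && check_env_list env.list` at the top of the `run:` step so the job stops before `docker run` when a secret is absent.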
Available Commands
For available commands, refer to CI/CD Usage.
GitHub Actions Host Runner
Lacework integrates with your on-premises CI/CD pipelines. Contact your Lacework representative for more information.