Administration Guide

Integrate Google Container Registry

Container Registry Support

Google Container Registry (GCR) integrations support:

  • Auto polling - polling occurs every 15 minutes.
  • On-demand scans via the API.

Navigate to GCR Integration

  1. Log in to the Lacework FortiCNAPP Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container registries.
  3. Click + Add New.
  4. Click Google Container Registry (GCR).
  5. Click Next.
  6. Follow the steps in the next section.

Integrate with GCR

Note

GCR integrations can be done at the organization, folder, project, or bucket level.

To integrate GCR with Lacework FortiCNAPP, follow these steps:

  1. Configure the registry and complete any optional settings.
  2. Click Save. The integration status displays Integration Successful only after its first completed assessment.
  3. Verify that assessments have started by viewing the table in Vulnerabilities > Containers.

After an image is assessed, Lacework FortiCNAPP reports its results in the table. Select Last 24 hours above the table to view the assessment results.

Configure Registry

Setting Name Description
Name Specify a unique name for the container registry in the Lacework FortiCNAPP Console.
Upload GCP Credentials Upload a JSON-formatted Service Account Key to use for the integration; this auto-populates the Private Key ID, Client Email, and Private Key fields.
Client ID

Specify the Client ID of the service account that has been granted access to the organization, folder, or project that contains the registry (or registries).

If integrating at the organization, folder, or project level, grant the storage.objectViewer role to the service account on the organization, folder(s), or project(s) that contain the buckets used by the registry hosts.
Note: Granting this role at that scope provides read access to every Cloud Storage bucket within the organization, folder(s), or project(s), not only the buckets that back the registry. Prefer a bucket-level grant where your setup allows it.

If integrating at the bucket level, grant the storage.objectViewer role to the service account on the bucket that backs the registry host: artifacts.PROJECT-ID.appspot.com for gcr.io, or REGION.artifacts.PROJECT-ID.appspot.com (where REGION is us, eu, or asia) for the regional hosts. PROJECT-ID is the project that hosts the registry (or registries).

Additionally, the following APIs or services must be enabled (for any level of integration):

Private Key ID Specify the private key ID of the service account that has been granted the storage.objectViewer role for access to the Google project (or bucket) that contains the Google Container Registry (GCR).
Client Email Specify the client email of the service account that has been granted the storage.objectViewer role for access to the Google project (or bucket) that contains the Google Container Registry (GCR).
Private Key Specify the private key for the specified private key ID. See Private Key Format below for guidance on formatting your key.
Registry Domain

From the drop-down, select one of the supported Google Container Registry hosts:

  1. gcr.io
  2. us.gcr.io
  3. eu.gcr.io
  4. asia.gcr.io

For more information, see Container Registry Pushing and pulling images.

Note

Do not prefix the URL with https://.

Note

Private Key Format The private_key value in the downloaded JSON key file stores each line break as the two-character escape sequence \n, so copying the value out of an editor pastes a single-line key with literal \n characters instead of line breaks. Extract the decoded key with the jq utility instead:

  1. Print the private key with its real line breaks, where YourFileName.json is the file downloaded when you created the Google Cloud service account key:
    jq -r '.private_key' YourFileName.json
    
  2. Copy all of the output, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.
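The following script, added here as an example and not part of this guide or of the Lacework tooling, performs the bucket-level setup described in the Client ID row above together with the key extraction from the Private Key Format steps: it creates a dedicated service account, grants storage.objectViewer on only the bucket that backs the chosen registry host, creates a key, and prints the Console fields with the private key's line breaks restored. It assumes gcloud and jq are installed and that gcloud is authenticated as a user who can manage IAM on the project; the project, service account name, registry host and key file path are placeholders passed as arguments, and the helper names (gcr_bucket_for, check_key_format, key_field, provision) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Fortinet/Lacework guide): provision a least-privilege
# service account for a bucket-level GCR integration and print the fields the
# Console asks for. Assumes gcloud and jq are installed and gcloud is authenticated
# as a project IAM admin.
# Usage: ./gcr-sa.sh PROJECT_ID SA_NAME REGISTRY_DOMAIN KEY_FILE
set -eu

# Map a GCR registry host to the Cloud Storage bucket that backs it:
# gcr.io -> artifacts.PROJECT-ID.appspot.com, and the multi-regional hosts
# (us, eu, asia) prefix that name with their region. Anything else is rejected.
gcr_bucket_for() {
  domain=$1; project=$2
  case "$domain" in
    gcr.io) printf 'artifacts.%s.appspot.com\n' "$project" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      printf '%s.artifacts.%s.appspot.com\n' "${domain%.gcr.io}" "$project" ;;
    *) printf 'unsupported registry domain: %s\n' "$domain" >&2; return 1 ;;
  esac
}

# Sanity-check a PEM private key before pasting it into the Console: it must
# not contain the literal two-character sequence \n, and the BEGIN and END
# markers must sit on separate lines.
check_key_format() {
  key=$1
  if printf '%s' "$key" | grep -qF '\n'; then return 1; fi
  lines=$(printf '%s\n' "$key" | wc -l | tr -d ' ')
  [ "$lines" -ge 3 ] || return 1
  printf '%s\n' "$key" | head -n 1 | grep -q '^-----BEGIN' || return 1
  printf '%s\n' "$key" | tail -n 1 | grep -q '^-----END' || return 1
}

# Read one field from the downloaded JSON key file. jq -r decodes the JSON
# string, turning the escaped \n sequences in private_key into real newlines.
key_field() {
  jq -r --arg f "$2" '.[$f]' "$1"
}

provision() {
  project=$1; sa_name=$2; domain=$3; key_file=$4
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  bucket=$(gcr_bucket_for "$domain" "$project")

  gcloud iam service-accounts create "$sa_name" --project="$project" \
    --display-name="Lacework FortiCNAPP GCR scanner"

  # Bucket-level grant: read access to this registry's bucket only, rather than
  # storage.objectViewer on every bucket in the project.
  gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
    --member="serviceAccount:${sa_email}" --role=roles/storage.objectViewer

  gcloud iam service-accounts keys create "$key_file" \
    --iam-account="$sa_email" --project="$project"
  chmod 600 "$key_file"   # long-lived credential: keep it private, delete after upload

  private_key=$(key_field "$key_file" private_key)
  check_key_format "$private_key" || { echo "unexpected key format in $key_file" >&2; exit 1; }

  echo "Client ID:      $(key_field "$key_file" client_id)"
  echo "Client Email:   $(key_field "$key_file" client_email)"
  echo "Private Key ID: $(key_field "$key_file" private_key_id)"
  echo "Private Key (paste including the BEGIN and END lines):"
  printf '%s\n' "$private_key"
}

# Only run when called with all four arguments, so the helpers can be sourced.
if [ "$#" -eq 4 ]; then provision "$@"; fi
```

Because the grant is scoped to gs://REGION.artifacts.PROJECT-ID.appspot.com (or gs://artifacts.PROJECT-ID.appspot.com for gcr.io), a registry on a different host needs its own binding; rerun with that host to add it.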

Optional Settings

Setting Name Description
Limit Image Tags If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND.

Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz).
Limit Image Labels If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: key:value. If you specify tag and label limits, they function as an AND.
Limit Repositories If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.

NOTE: Do not include the registry in the repository name(s).
Images per Repo Set the maximum number of newest container images to discover/scan per repository. See Platform Scanner - Default Scanning Quotas for the maximum setting.
Non-OS Package Support This feature is enabled by default. Select No if you want to disable scanning of language libraries.

Create a GCR Integration Using Terraform

For organizations using Terraform to manage their environments, Lacework FortiCNAPP maintains the Lacework FortiCNAPP Terraform Provider that enables integrating supported container registries with Lacework FortiCNAPP using automation.

If you are new to the Lacework FortiCNAPP Terraform Provider, or Lacework FortiCNAPP Terraform Modules, read the Terraform for Lacework FortiCNAPP Overview to learn the basics on how to configure the provider and more.

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
    }
  }
}

provider "lacework" {}

provider "google" {}

module "lacework_gcr" {
  source  = "lacework/gcr/gcp"
  version = "~> 2.0"

  # Supported domains are gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io
  registry_domain = "us.gcr.io"

  # Optionally, a project ID can be specified with the input 'project_id'
}

Additional information on the lacework/gcr/gcp module can be found on the Terraform Registry.

Validate the Integration

After Terraform finishes applying changes, you can use the Lacework FortiCNAPP CLI to validate the integration is working.

Open a Terminal and trigger an on-demand container vulnerability scan of one of your repositories that lives in the GCR registry you just integrated:

lacework vuln ctr scan YourGoogleRegistryDomain YourRepository YourTagOrImageDigest --poll

Note

To list all container registries configured in your account, run lacework vuln ctr registries.

You should see the vulnerability assessment of your repository.

lacework vulnerability container scan us.gcr.io lw-test latest --poll
A new vulnerability scan has been requested. (request_id: da123491-89f3-123d-a93b-d3a1980ee80a)

                                  CONTAINER IMAGE DETAILS                                          VULNERABILITIES
------------------------------------------------------------------------------------------+---------------------------------
    ID          sha256:48706bcd2b97520266df3cb0b3f42c3aaccf8b7819c1356c02b0609c4ec2dd98       SEVERITY   COUNT   FIXABLE
    Digest      sha256:7b4c7ae1c8c91759449f7c0c62c4b90330443ed08f5ed761d4a2bf4331504bae     -----------+-------+----------
    Registry    us.gcr.io                                                                     Critical       2         1
    Repository  lw-test                                                                       High          32         8
    Size        144.8 MB                                                                      Medium       127        33
    Created At  2021-03-03T23:28:46.220Z                                                      Low          140         6
    Tags        latest                                                                        Info         377         5

Try adding '--details' to increase the details shown about the vulnerability assessment.

Troubleshoot

GCR Image Scanning Errors After Integration

When viewing the Vulnerabilities > Containers page (and grouped by Image ID/Registry/Repo), the Lacework FortiCNAPP Console displays an Error if there was an underlying permissions issue during the last scan.

Note

Using the developer tools in your web browser, watch the network requests for 403 responses while refreshing the page.

A common cause for this is when the Client ID (specified during configuration) has not been given permissions to access the Cloud Storage bucket that acts as the underlying storage for the container images.

If integrating at the bucket level:

  1. Check which project hosts the registry (or registries) that you want to integrate with Lacework FortiCNAPP.
  2. Ensure the storage.objectViewer role (for your Client ID) is granted on the bucket for the correct PROJECT-ID and registry host: artifacts.PROJECT-ID.appspot.com for gcr.io, or REGION.artifacts.PROJECT-ID.appspot.com (where REGION is us, eu, or asia) for the regional hosts.
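A diagnostic for the permissions failure described in this section, added as an example that is not part of this guide and not a Lacework tool: it reads the bucket's IAM policy for members of roles/storage.objectViewer, checks whether the integration's service account is among them, and then lists the bucket while impersonating that account so that grants inherited from the project, folder, or organization (which do not appear in the bucket's own policy) are exercised as well. It assumes gcloud is installed and that your user can read the bucket's IAM policy and holds the Service Account Token Creator role on the service account; BUCKET and SA_EMAIL are placeholder arguments, and sa_has_viewer, viewer_members and diagnose are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Fortinet/Lacework guide): diagnose the permissions
# error shown in Vulnerabilities > Containers. Assumes gcloud is installed and
# the caller can read the bucket's IAM policy and impersonate the service account.
# Usage: ./gcr-diagnose.sh BUCKET SA_EMAIL
#   e.g. ./gcr-diagnose.sh us.artifacts.my-proj.appspot.com lw-gcr@my-proj.iam.gserviceaccount.com
set -eu

# Given the members of roles/storage.objectViewer one per line, succeed if the
# service account is granted directly or via allUsers/allAuthenticatedUsers.
sa_has_viewer() {
  sa_email=$1; members=$2
  printf '%s\n' "$members" | grep -qxE "serviceAccount:${sa_email}|allAuthenticatedUsers|allUsers"
}

# Bucket-level members of roles/storage.objectViewer, one per line. Bindings
# inherited from the project, folder or organization are NOT included here.
viewer_members() {
  gcloud storage buckets get-iam-policy "gs://$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/storage.objectViewer" \
    --format="value(bindings.members)"
}

diagnose() {
  bucket=$1; sa_email=$2

  if sa_has_viewer "$sa_email" "$(viewer_members "$bucket")"; then
    echo "bucket policy: $sa_email has roles/storage.objectViewer on gs://$bucket"
  else
    echo "bucket policy: no bucket-level roles/storage.objectViewer for $sa_email (it may still be inherited)"
  fi

  # The authoritative test: list the bucket as the service account itself.
  # This exercises inherited grants, deny policies and org constraints too,
  # and does not require downloading another key.
  if gcloud storage ls "gs://$bucket" --impersonate-service-account="$sa_email" >/dev/null 2>&1; then
    echo "access check: listing gs://$bucket as $sa_email succeeded"
  else
    echo "access check: FAILED; the scanner hits the same permission error. Grant with:" >&2
    echo "  gcloud storage buckets add-iam-policy-binding gs://$bucket \\" >&2
    echo "    --member=serviceAccount:$sa_email --role=roles/storage.objectViewer" >&2
    return 1
  fi
}

if [ "$#" -eq 2 ]; then diagnose "$@"; fi
```

If the bucket-policy line reports the binding but the access check still fails, look at IAM deny policies and organization policy constraints on the project before adding further grants; the impersonated listing is what the scanner's credentials experience.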
