Package: Invicti AppSec Enterprise (on-premise, on-demand)
Lacework Container Security
Lacework provides cloud security and container image vulnerability scanning through its cloud-native platform. In Invicti AppSec, the integration connects to your Lacework instance to import container security findings by account.
Prerequisites
| Field | Description |
|---|---|
| Key ID | Lacework API key ID generated in the Lacework console |
| Secret | Lacework API secret paired with the Key ID |
| URL | The base URL of your Lacework instance (e.g., https://<account>.lacework.net) |
Get a Key ID and Secret (on Lacework Side)
- Log in to the Lacework console.
- Navigate to Settings > API Keys.
- Click + Create New.
- Enter a name and description for the key.
- Click Save. Download or copy the Key ID and Secret immediately — the secret is shown only once.
Refer to the Token Instructions link displayed in the Invicti AppSec settings panel for additional guidance on generating Lacework API credentials.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the CS Tab
On the Integrations > Scanners page, click on the CS tab.

Step 3: Find and Activate Lacework CS
Scroll through the list of CS scanners to find Lacework CS.
- If Lacework CS is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Lacework CS card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Key ID | Lacework API Key ID | Yes |
| Secret | Lacework API Secret paired with the Key ID | Yes |
| URL | Base URL of your Lacework instance | Yes |
| Insecure | Skip TLS certificate verification (use only for self-signed certificates). While enabled, the certificate presented by the Lacework endpoint is not checked. | No |

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Lacework API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the CS tab |
| 3 | Activate Lacework CS |
| 4 | Enter Key ID, Secret, and URL |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Lacework CS Scanner
- Select CS as the scanner type.
- Choose Lacework CS from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | The deployment environment (e.g., feature, production) | No |
| Account ID | Select the Lacework account to associate with this scan | Yes |
| Branch | Source code branch for this scan | Yes |
| Meta Data | Additional metadata to tag the scan | No |
| Scan Tag | Free-text tag to identify or group scans | No |
| Fork Default Branch / Fork Source Branch | Enable to fork scan results from the default or source branch | No |
Account ID links the Invicti AppSec project to a specific Lacework account. Vulnerability findings from container images tracked under that account will be imported into the project.

Scheduler
Enable the Scheduler toggle to automatically run Lacework CS scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t laceworkcs -b <branch_name>
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid Key ID or Secret | Verify the credentials in the Lacework console under Settings > API Keys. Regenerate if needed. |
| URL unreachable | Confirm the Lacework instance URL (https://<account>.lacework.net) is reachable from the Invicti AppSec server. |
| TLS certificate error | If using a self-signed certificate, enable the Insecure option in the connection settings. |
| Secret not available | The secret is shown only at creation — create a new API key if the original was not saved. |
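
A preflight for the "URL unreachable" and "TLS certificate error" rows above, meant to be run from the Invicti AppSec server. This is an added example, not Invicti or Lacework code. It validates the URL field and reports which kind of failure occurs, without sending the Key ID or Secret. The function names, the `cafile` parameter and the extra "TLS handshake error" class are this example's own, and it assumes Python 3 is available on the server.

```python
import socket
import ssl
from urllib.parse import urlsplit


def parse_base_url(url):
    """Validate the integration's URL field and return (host, port)."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("URL must use https://")
    if parts.username or parts.password:
        raise ValueError("do not embed credentials in the URL")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("use the base URL only, without path or query")
    return parts.hostname, parts.port or 443


def classify(exc):
    """Map a connection exception to a failure class from the table."""
    # Order matters: SSLCertVerificationError is an SSLError, which is an OSError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "TLS certificate error"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake error"  # not a table row; protocol-level failure
    if isinstance(exc, OSError):  # DNS failure, refused, timeout, no route
        return "URL unreachable"
    raise exc


def preflight(url, timeout=5.0, cafile=None):
    """Return 'ok' or a failure class. No credentials are sent."""
    host, port = parse_base_url(url)
    # Verification stays on; cafile (hypothetical parameter of this example)
    # points at a private CA bundle so that CA can be trusted explicitly.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    import sys
    print(preflight(sys.argv[1]))
```

A result of `ok` with a still-failing Test Connection points at the credentials rows of the table rather than at the network or certificate.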
Scan Issues
| Issue | Resolution |
|---|---|
| No accounts available in Account ID dropdown | Ensure the API key has access to at least one Lacework account and that container image data is available. |
| Scan shows no findings | The account may have no known vulnerabilities, or Lacework scans may not have completed yet. Check the Lacework console. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
Best Practices
- Use a dedicated API key for Invicti AppSec with the minimum required permissions rather than reusing credentials shared with other tools.
- Rotate the Secret periodically and update the integration settings in Invicti AppSec accordingly.
- Associate each Invicti AppSec project with the Lacework account that tracks its production container images for accurate vulnerability data.
- Use the Scheduler to align scans with your container image rebuild cadence so findings always reflect the latest state.
Limitations
- Lacework CS in Invicti AppSec imports vulnerability data from existing Lacework scans — it does not trigger new Lacework image scans.
- Only accounts accessible via the provided API key are available for selection.
- Runtime behavioral signals and cloud activity findings from Lacework are not surfaced in Invicti AppSec; only container vulnerability data is imported.