Get Started with the Lacework FortiCNAPP CLI

The Lacework FortiCNAPP CLI is an open source project written in Golang and released as separate binaries for Linux, macOS, and Windows. All releases of the CLI are also published as Docker containers to Docker Hub for various platforms with the intended purpose of integrating with CI/CD automation pipelines.

Lacework FortiCNAPP as a platform provides a set of robust APIs for configuring accounts within the platform, as well as accessing data from accounts. The Lacework FortiCNAPP CLI provides an interface to those APIs with the goal of providing fast, accurate, and actionable insights into the platform.

Install the Lacework FortiCNAPP CLI

Bash (macOS/Linux)

curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash

PowerShell (Windows)

  1. Open a PowerShell terminal and run the following command:

    Set-ExecutionPolicy Bypass -Scope Process -Force
    iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))

    The Lacework FortiCNAPP CLI is installed at `C:\ProgramData\Lacework\lacework.exe` and the system PATH environment variable is updated to include the Lacework FortiCNAPP CLI.

  2. Open a new PowerShell terminal to read the updated system PATH and use the Lacework FortiCNAPP CLI.

Homebrew (macOS/Linux)

brew install lacework/tap/lacework-cli

For more details, see the Lacework Homebrew Tap.

Chocolatey (Windows)

choco install lacework-cli

For more details, see the Lacework CLI Chocolatey package.

Azure Cloud Shell

  1. In Cloud Shell, switch to Bash.

  2. Run the following commands:

    mkdir -p "$HOME"/bin
    curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin

  3. Exit and reconnect to Cloud Shell.

Create API Key

The Lacework FortiCNAPP CLI requires an API key and secret to authenticate with Lacework FortiCNAPP. Lacework FortiCNAPP API Keys can be created by Lacework FortiCNAPP account administrators via the Lacework FortiCNAPP Console. For more information, go to API Access Keys and Tokens.

  1. Log in to the Lacework FortiCNAPP Console.

  2. Click **Settings > API keys**.

  3. Click **Add New**.

  4. Enter a name for the key and an optional description.

  5. Click **Save**.

  6. Click the **...** icon and then **Download** to save the API key file locally.

The downloaded API key file contains a keyId, secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}

Configure the CLI

Use the lacework configure command to configure the Lacework FortiCNAPP CLI with the API Key downloaded from the previous step.

lacework configure -j /path/to/key.json

Example output:

Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************

You are all set!

The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.

Enable Command Autocomplete

You can work faster and get help remembering commands by enabling command autocomplete for the Lacework FortiCNAPP CLI for your shell environment.

With autocomplete enabled, you can quickly complete CLI commands you have started to type by hitting the tab key. If there is more than one way to complete a command, hit the tab key twice to view all options.

The Lacework FortiCNAPP CLI supports several shell environments, including bash, powershell, and zsh.

To use autocomplete in a supported shell, you first need to enable it by running the autocomplete script. To see supported shell environments, run the following command:

lacework completion

For example, to enable completion in your current bash shell session, run the following command:

source <(lacework completion bash)

For complete instructions for bash and other supported environments, see the following topics:

For general information on the Lacework FortiCNAPP CLI command autocomplete feature, see lacework completion.

Multiple Profiles

You can add named profiles by specifying the --profile flag. The following example creates a profile named prod.

lacework configure --profile prod -j /path/to/key.json

Example output:

Account: prod.example
Access Key ID: PROD_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************

You are all set!

Then, when you run a command, specify --profile prod to use the credentials and settings stored under that name.

lacework agent list --profile prod

If there is no --profile flag, the Lacework FortiCNAPP CLI defaults to the default profile.

To list all profiles configured on the workstation, use:

lacework configure list

Example output:

    PROFILE   |    ACCOUNT    |                         API KEY                          |            API SECRET
--------------+---------------+----------------------------------------------------------+------------------------------------
    prod      | prod-account  | PRODACCT_0C66EF03A0694E16D3203E553C9B13E36E39239FB0FCEBF | *****************************8520
    qa1       | qa1-account   | QA1ACCOT_038B1395C1B5B9BD1C5DEA849DF62FCB95D7697C58C4942 | *****************************9ad8
    qa2       | qa2-account   | QA2ACCOT_0362BF5146FBE18A9CD0AB0259FBEE912EBB1A429A0A213 | *****************************a3cb
  > default   | dev-account   | DEVACCOT_03C8910D0BDCDBD2AFD4355A1C5284104AAA2AE5253938C | *****************************98f1
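
Every profile in this list is stored in `$HOME/.lacework.toml` with its `api_secret` in plaintext, so the permissions on that file decide who else on the machine can read the keys. The following added example (not part of the Lacework FortiCNAPP documentation or CLI) audits such a file on a POSIX system; the function names and the sample profiles are constructed, and the parser handles only the flat `[profile]` layout this page shows under Organizational Accounts.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the [profile] layout this page shows; not real credentials.
SAMPLE_CONFIG = """\
[default]
  account = "my-company"
  api_key = "my-api-key"
  api_secret = "my-api-secret"
  version = 2

[prod]
  account = "prod-account"
  api_key = "PRODACCT_EXAMPLE"
  api_secret = "_constructed0000008520"
"""

SECTION = re.compile(r"^\[([^\]]+)\]$")
PAIR = re.compile(r'^(\w+)\s*=\s*"?([^"]*)"?$')


def parse_profiles(text):
    """Parse [profile] headers followed by key = "value" lines (flat layout only)."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = SECTION.match(line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        pair = PAIR.match(line)
        if pair and current is not None:
            current[pair.group(1)] = pair.group(2)
    return profiles


def mask(secret, keep=4):
    """Show only the last `keep` characters, like the API SECRET column above."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


def audit_config(path):
    """Report the file mode and which profiles keep an api_secret on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        profiles = parse_profiles(fh.read())
    return {
        "mode": f"{mode:03o}",
        # Any group/other permission bit exposes every profile's secret to other local users.
        "too_open": bool(mode & 0o077),
        "profiles": {
            name: mask(cfg["api_secret"])
            for name, cfg in profiles.items()
            if cfg.get("api_secret")
        },
    }


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".toml", delete=False) as tmp:
        tmp.write(SAMPLE_CONFIG)
    os.chmod(tmp.name, 0o644)  # simulate a config copied with a permissive umask
    print(audit_config(tmp.name))
    os.chmod(tmp.name, 0o600)  # owner-only: the mode the audit accepts
    print(audit_config(tmp.name))
    os.unlink(tmp.name)
```

Point `audit_config` at the real `$HOME/.lacework.toml` to run the same check on a workstation or build agent.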

Switch Profiles

To switch between profiles configured in the config file $HOME/.lacework.toml, use the following command:

lacework configure switch-profile <profile>

Note

This is a global configuration for the Lacework FortiCNAPP CLI, which means that any new terminal continues to use the selected profile.

To switch back to the default profile:

lacework configure use default

The command lacework configure use is an alias for the switch-profile sub-command.

To switch profiles temporarily in your current terminal only, export the environment variable LW_PROFILE=your-profile instead.

Organizational Accounts

An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.

Note

To enroll your account in an organization, see Organization Enrollment Process.

Use the global flag --subaccount to switch to a different account inside your organizational account.

For example, given a default profile that has access to your primary account named my-company:

[default]
  account = "my-company"
  api_key = "my-api-key"
  api_secret = "my-api-secret"
  version = 2

To access your sub-account named business-unit, pass the flag --subaccount business-unit to any command.

There are two ways to set a sub-account persistently:

  • Export the environment variable LW_SUBACCOUNT="<YOUR_SUBACCOUNT>". This only makes the sub-account configuration persist for the active terminal.

  • Reconfigure your profile with the command lacework configure. This command prompts you to select any sub-account that you have access to in your organizational account.

To list all accounts in your organization:

lacework account list

Output Formats

The Lacework FortiCNAPP CLI supports the following output formats:

  • Human-readable: Default output that presents the information in a "human-readable" or "human-friendly" format, which is much easier to read, but not as useful for automation purposes.

  • JSON: To switch the output of any command to be formatted as a JSON string, add the flag --json.

Some commands have additional formats available:

  • PDF: For compliance reports, it is possible to download a report in PDF format by adding the flag --pdf.

  • HTML: For container vulnerability assessments, use the --html flag to render the assessment results in HTML format.

  • CSV: For compliance reports and host vulnerability data, you can pass the flag --csv to switch the output to CSV format.

Environment Variables

Default configuration parameters found in the .lacework.toml may also be overridden by setting environment variables prefixed with LW_.

To override the account, api_key, and api_secret configurations:

  • Bash (macOS/Linux)

    export LW_ACCOUNT="<YOUR_ACCOUNT>"
    export LW_API_KEY="<YOUR_API_KEY>"
    export LW_API_SECRET="<YOUR_API_SECRET>"
    
  • PowerShell (Windows)

    $env:LW_ACCOUNT = '<YOUR_ACCOUNT>'
    $env:LW_API_KEY = '<YOUR_API_KEY>'
    $env:LW_API_SECRET = '<YOUR_API_SECRET>'
    

For org admins only, to switch to a different sub-account for the rest of your current terminal session:

  • Bash (macOS/Linux)

    export LW_SUBACCOUNT=business-unit
    
  • PowerShell (Windows)

    $env:LW_SUBACCOUNT = 'business-unit'
    

The following lists all environment variables that you can use to modify the operation of the Lacework FortiCNAPP CLI.

| Environment Variable | Description |
| --- | --- |
| `LW_NOCOLOR=1` | turn off colors |
| `LW_NOCACHE=1` | turn off caching |
| `LW_DEBUG=1` | turn on debug logging |
| `LW_JSON=1` | switch commands output from human-readable to JSON format |
| `LW_NONINTERACTIVE=1` | disable interactive progress bars (i.e. spinners) |
| `LW_UPDATES_DISABLE=1` | disable daily version checks |
| `LW_TELEMETRY_DISABLE=1` | disable sending telemetry data |
| `LW_PROFILE="<name>"` | switch between profiles configured at ~/.lacework.toml |
| `LW_ACCOUNT="<account>"` | account subdomain of URL (i.e. `<ACCOUNT>.lacework.net`) |
| `LW_API_KEY="<key>"` | API access key id |
| `LW_API_SECRET="<secret>"` | API secret access key |
| `LW_SUBACCOUNT="<sub-account>"` | sub-account name inside your organization (org admins only) |
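
In a CI job, the `LW_` overrides can carry the credentials for a single command instead of a stored profile. This added example (not from the Lacework FortiCNAPP documentation or the go-sdk project) maps a downloaded key file onto those variables for one child process; `env_from_key_file`, `redact`, and `run_lacework` are hypothetical helper names, and stripping `.lacework.net` from `account` is an assumption based on this page's description of `LW_ACCOUNT` as the account subdomain.

```python
import json
import os
import stat
import subprocess
import tempfile

# Constructed key file using the sample values shown on this page; not a real credential.
SAMPLE_KEY = {
    "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
    "secret": "_abc1234e243a645bcf173ef55b837c19",
    "subAccount": "myaccount",
    "account": "myaccount.lacework.net",
}
REQUIRED = ("keyId", "secret", "account")
ACCOUNT_SUFFIX = ".lacework.net"


def env_from_key_file(path, base_env=None):
    """Map a downloaded key file onto the LW_ variables for one child process."""
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            # Refuse a key file that other local users can read.
            raise PermissionError(f"{path} has mode {mode:03o}; chmod 600 it first")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [field for field in REQUIRED if not key.get(field)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    account = key["account"]
    # Assumption: the key file holds the full host name, LW_ACCOUNT only the subdomain.
    if account.endswith(ACCOUNT_SUFFIX):
        account = account[: -len(ACCOUNT_SUFFIX)]
    env = dict(os.environ if base_env is None else base_env)
    env.update(
        LW_ACCOUNT=account,
        LW_API_KEY=key["keyId"],
        LW_API_SECRET=key["secret"],
        LW_NONINTERACTIVE="1",  # no spinners in pipeline logs
    )
    # subAccount is left alone: LW_SUBACCOUNT is for org admins and is set by the caller.
    return env


def redact(env):
    """Return only the LW_ settings, with the secret replaced, so they are safe to log."""
    return {
        name: ("<redacted>" if name == "LW_API_SECRET" else value)
        for name, value in env.items()
        if name.startswith("LW_")
    }


def run_lacework(args, key_path):
    """Run one CLI command with credentials scoped to that process only."""
    return subprocess.run(
        ["lacework", *args],
        env=env_from_key_file(key_path),
        check=True,
        capture_output=True,
        text=True,
    )


if __name__ == "__main__":
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates the file as 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_KEY, fh)
    print(redact(env_from_key_file(path, base_env={})))
    os.unlink(path)
```

With the CLI installed, `run_lacework(["agent", "list", "--json"], "/path/to/key.json")` runs the command without exporting the secret into the parent shell.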

Code Security component installation

The Lacework FortiCNAPP Code Security suite uses a Cloud Development Kit (CDK) model to package and upgrade IaC and SCA components. Use the lacework component <command> <component> command to manage Code Security components. See Code Security in the Lacework FortiCNAPP Administration Guide for more information on IaC and SCA.

Available commands are included in the following table:

| Command | Description |
| --- | --- |
| install | Install a new component. See lacework component install. |
| list | List all available components. See lacework component list. |
| show | Show details about a defined component. See lacework component show. |
| uninstall | Uninstall an existing component. See lacework component uninstall. |
| update | Update an existing component. See lacework component update. |

Available components are included in the following table:

| Component | Description |
| --- | --- |
| preflight | The preflight check for Lacework FortiCNAPP Cloud setup. |
| remediate | Isolate and remediate resources. See Lacework remediate. |
| sca | The Code Security Software Composition Analysis (SCA) offering. See Software Composition Analysis (SCA) in the Lacework FortiCNAPP Administration Guide. |
| component-example | Review component descriptions. |
| iac | The Code Security Infrastructure-as-Code (IaC) offering. See Infrastructure-as-Code Security in the Lacework FortiCNAPP Administration Guide. |

Example 1: Running Lacework FortiCNAPP component commands in the CLI

The following example demonstrates using the lacework component list command to review the installation status and current version of available components:

> lacework component list
     STATUS             NAME          VERSION                  DESCRIPTION
----------------+-------------------+---------+--------------------------------------------
  Not Installed   preflight           0.8.21    Preflight check for Cloud Setup
  Not Installed   remediate           0.6.4     A tool to isolate and remediate resources
  Not Installed   sca                 0.1.66    Software Component Analysis
  Not Installed   component-example   0.9.7     Component description
  Not Installed   iac                 0.10.31   Infrastructure as Code (IaC) scanner

See lacework component list.

Example 2: Installing the Code Security IaC component

The following example demonstrates installing the Lacework FortiCNAPP Code Security IaC offering:

> lacework component install iac
 [✓] Component iac found
 [✓] Component iac staged
 [✓] Component signature verified
 [✓] Component version 0.10.31 installed
 [✓] Component configured

Installation completed.

IAC component successfully installed. You can start using scanning your code, see:

  lacework iac --help

See lacework component install.

Example 3: Installing the Code Security SCA component

The following example demonstrates installing the Lacework FortiCNAPP Code Security SCA offering:

> lacework component install sca
 [✓] Component sca found
 [✓] Component sca staged
 [✓] Component signature verified
 [✓] Component version 0.1.66 installed
 [✓] Component configured

Installation completed.

To check the version of SCA installed, run:

  lacework sca version

See lacework component install.
