Configuring Lineaje SCA360
To enable Lineaje SCA360 to scan container images and process metadata securely within your AWS environment, you must configure storage and access permissions. This involves creating an Amazon S3 bucket to store metadata files generated by your CI/CD pipeline and assigning an IAM role policy to the EC2 instance running SCA360 so it can read these files. Proper configuration ensures that SCA360 can retrieve metadata, perform scans, and upload SBOM information without exposing sensitive information outside your infrastructure.
Follow these steps to configure Lineaje SCA360:
Step 1: Creating an S3 Bucket
Metadata files are uploaded to an Amazon S3 bucket. You can create the bucket using the AWS Management Console or the AWS CLI.
Step 2: Configuring a Role Policy
After creating the bucket, assign a policy to the IAM Role of the VM running SCA360 so it can read metadata files from the bucket.
Go to EC2 > Instances, select the VM running SCA360, and click the IAM Role linked to the instance. Note the Role Name.
Open AWS CloudShell (you must have administrator access) and run the following command, replacing:
<ROLE_NAME> with the IAM Role name of the VM.
<BUCKET_NAME> with the name of the S3 bucket you created.
aws iam put-role-policy \
  --role-name <ROLE_NAME> \
  --policy-name LineajeVMS3MetafilereadAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::<BUCKET_NAME>",
          "arn:aws:s3:::<BUCKET_NAME>/*"
        ]
      }
    ]
  }'
Verify the policy is attached:
Go to IAM > Roles > <ROLE_NAME> > Inline Policies. Confirm that the policy name is listed and includes the correct permissions.
To confirm access, log in to the VM and run:
aws s3 ls s3://<BUCKET_NAME>
If the command returns the bucket contents (or an empty list if no files exist), the configuration is successful.
Step 3: Configuring ECR Access and Cross-Account Role
SCA360 must be able to pull and push container images in ECR repositories that belong to other AWS accounts, so that workflows such as image scanning and SBOM generation work securely across accounts. To configure ECR access and the cross-account role:
Go to EC2 > Instances > IAM Role and select the VM running SCA360.
Click on the IAM Role link.
In the Summary section, copy the ARN code.
In the target AWS account, create a policy (for example, LineajeCrossAccountAccessPolicy) and paste the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}
Create an IAM Role (for example, LineajeCrossAccountAccessRole) in the target account and use the following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<TARGET_ROLE_ARN>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Replace <TARGET_ROLE_ARN> with the ARN copied earlier.
Go to IAM > Roles in the target AWS account and search for the role you created, LineajeCrossAccountAccessRole.
Open the role and verify that the ARN is listed under the "Principal" section of the trust policy in the Trust relationships tab.
In the Permissions tab, choose Add permissions > Attach policies, search for LineajeCrossAccountAccessPolicy, and click Attach policies to attach it to LineajeCrossAccountAccessRole.
Confirm that the SCA360 VM can access ECR repositories and the required S3 bucket.
Step 4 (Optional): Configuring Secret Manager and Role
When integrating SCA360 with external services such as GitHub or other systems that require tokens or credentials, storing these secrets securely is critical. Instead of hardcoding tokens in scripts or configuration files, you can use AWS Secrets Manager to manage sensitive information. This approach ensures secure retrieval by the SCA360 VM during automated workflows. To enable this, you must create a secret in Secrets Manager and grant the VM’s IAM role permission to read it.
Go to AWS Secrets Manager in the AWS account where the Lineaje Scanner VM is deployed.
Click Store a new secret.
Select Other type of secret and enter the key-value pair for the token (for example: github_token: <your-token>). Click Next.
Provide a descriptive name for the secret (for example: SCA360/GitHubToken) and complete the wizard.
Copy the Secret ARN after the secret is created.
Go to EC2 > Instances, select the VM running SCA360, and click the IAM Role linked to the instance.
Note the Role Name associated with the VM.
Open a terminal or the AWS CLI in the same AWS account and run the following command, replacing:
<ROLE_NAME> with the IAM Role name of the VM.
<SECRET_ARN> with the ARN of the secret created in Secrets Manager.
aws iam put-role-policy \
  --role-name <ROLE_NAME> \
  --policy-name LineajeVMSecretReadAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret"
        ],
        "Resource": "<SECRET_ARN>"
      }
    ]
  }'
Go to IAM > Roles > <ROLE_NAME> > Inline Policies and confirm that the policy LineajeVMSecretReadAccess is attached with the correct permissions.
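Before running the put-role-policy commands in Steps 2 and 4, or pasting the Step 3 documents into the console, it helps to check the policy documents offline. The following Python script is an added example and is not part of Lineaje's documentation or product. It parses each document strictly (a trailing comma or stray quote fails to parse, exactly as the console would reject it), confirms that the S3 policy carries both the bucket ARN and the bucket/* ARN (s3:ListBucket is evaluated against the former, s3:GetObject against the latter), checks that the trust policy names exactly the SCA360 VM's role ARN and nothing broader, and reports any statement that uses Resource "*" for actions that accept a narrower resource. The bucket name, account IDs and ARNs in it are constructed placeholders. The finding it raises for the ECR policy is informational: ecr:GetAuthorizationToken has no resource-level permissions and must use "*", while the repository-level ECR actions can be scoped to repository ARNs if you want a tighter policy than the one shown above.

```python
"""Offline least-privilege checks for the IAM documents used in Steps 2 to 4.
Added example, not Lineaje's code. json.loads rejects trailing commas and
stray quotes, so paste errors surface here instead of in the AWS console.
Every name, account ID and ARN below is a constructed placeholder."""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
S3_PREFIX = "arn:aws:s3:::"
# ecr:GetAuthorizationToken has no resource-level permissions and must use
# Resource "*"; the other ECR actions on the page accept repository ARNs.
STAR_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _s3_kind(arn):
    """'bucket' for arn:aws:s3:::name, 'object' for arn:aws:s3:::name/key, else None."""
    if not arn.startswith(S3_PREFIX):
        return None
    return "object" if "/" in arn[len(S3_PREFIX):] else "bucket"


def parses(text):
    """True when text is valid JSON; False on a trailing comma or similar typo."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def lint_permissions_policy(policy):
    """Return findings for an identity policy; an empty list means it passed."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        kinds = {_s3_kind(r) for r in resources}
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if "<" in r and ">" in r:
                findings.append(f"statement {i}: unreplaced placeholder in {r!r}")
        scopable = sorted(set(actions) - STAR_ONLY_ACTIONS)
        if "*" in resources and scopable:
            findings.append(f"statement {i}: Resource '*' with scopable actions {scopable}")
        # s3:ListBucket is evaluated against the bucket ARN and s3:GetObject
        # against object ARNs (bucket/*), so a read-only role needs both forms.
        if "s3:ListBucket" in actions and "bucket" not in kinds:
            findings.append(f"statement {i}: s3:ListBucket needs the bucket ARN itself")
        if "s3:GetObject" in actions and "object" not in kinds:
            findings.append(f"statement {i}: s3:GetObject needs an object ARN (bucket/*)")
    return findings


def lint_trust_policy(policy, expected_principal_arn):
    """Step 3 trust policy: only the SCA360 VM role may call sts:AssumeRole."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if not ROLE_ARN_RE.match(p):
                findings.append(f"statement {i}: principal {p!r} is not a specific role ARN")
            elif p != expected_principal_arn:
                findings.append(f"statement {i}: principal {p!r} is not the SCA360 VM role")
        if set(_as_list(st.get("Action", []))) != {"sts:AssumeRole"}:
            findings.append(f"statement {i}: only sts:AssumeRole belongs in a trust policy")
    return findings


# Constructed stand-ins for <BUCKET_NAME>, <TARGET_ROLE_ARN> and <SECRET_ARN>.
BUCKET = "example-sca360-metadata"
VM_ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleSCA360VMRole"
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:SCA360/GitHubToken-AbCdEf"
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [S3_PREFIX + BUCKET, S3_PREFIX + BUCKET + "/*"]}]}
SECRET_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": SECRET_ARN,
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VM_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
ECR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:PutImage"]}]}
# The same ECR policy with the classic paste error: a trailing comma in the list.
ECR_POLICY_BAD_JSON = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",'
                       ' "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:PutImage",]}]}')

if __name__ == "__main__":
    for name, pol in (("S3", S3_READ_POLICY), ("secret", SECRET_READ_POLICY), ("ECR", ECR_POLICY)):
        print(name, lint_permissions_policy(pol) or "ok")
    print("trust", lint_trust_policy(TRUST_POLICY, VM_ROLE_ARN) or "ok")
    print("bad JSON parses:", parses(ECR_POLICY_BAD_JSON))
```

Run it with python3 and it prints one line per document; an empty findings list ("ok") means the document matches what the steps above expect. To check your own documents, replace the constructed constants with the values you used, or call the lint functions on the parsed JSON you intend to pass to put-role-policy.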
Step 5 (Optional): Configuring GitHub Permissions
GitHub permissions are required if you plan to enable automated workflows that interact with GitHub repositories, for example pulling source code for Software Composition Analysis (SCA) or uploading SBOM results. Configuring a fine-grained personal access token ensures secure integration while granting only the necessary permissions.
In your GitHub account, go to Developer Settings > Personal access tokens > Fine-grained tokens.
Click Generate new token.
In the configuration window:
Token name: Enter a name for the token.
Expiration: Select an expiration for the token.
Resource owner: Select a resource owner. The token will only be able to access resources owned by the selected resource owner.
Repository access: Select which repositories you want the token to access.
Permissions: Select the following permissions to grant to the token:
Contents (read, write)
Pull Requests (read, write)
Metadata (read)
Click Generate token.