What is Container Security?

Trend Cloud One - Container Security provides security for your containers at all stages of their lifecycle:

  • During development: With Trend Micro Artifact Scanner (TMAS), you can find vulnerabilities in container images while they are still being built, before they reach a registry or a cluster.
  • At deployment: Policy-based deployment control ensures that container images run only when they meet the security criteria that you define. If you integrate with TMAS, you can add criteria based on TMAS scan results so that only images that passed scanning are deployed.
  • After deployment: Continuous compliance periodically re-checks containers against the policy after they have been deployed.
  • At runtime: Runtime security provides visibility into any container activity that violates a customizable set of rules.

Diagram of container lifecycle

Container image scanning

Container image scanning (performed by TMAS) lets you scan container images as part of your build pipeline and run ongoing scans of the images already in your registries, so that developers detect and fix security issues early in the image lifecycle rather than after deployment. Because the scan runs as a pipeline step, DevOps teams can keep delivering production-ready applications without changing their build cycles.

Container image scanning checks for:

  • vulnerabilities
  • malware
  • secrets and keys
  • compliance violations

Container image scanning detects vulnerabilities in software installed through a package manager as well as software installed directly (outside a package manager), using Trend Micro's rules feed. It also uses the Snyk open source vulnerability database, which adds early detection and mitigation of vulnerabilities in open-source code dependencies pulled in by the application itself.

The results of each image scan are also sent to Trend Micro Cloud One - Container Security, which decides whether the image is safe to deploy by checking the scan results against the policy that you define.

To enable container image scanning, you will need to deploy and configure TMAS in your local environment.

Policy-based deployment control

Container Security provides policy-based deployment control through a native integration with Kubernetes to ensure the Kubernetes deployments you run in your production environment are safe.

Container Security enables you to create policies that allow or block deployments based on a set of rules. The rules are based on a Kubernetes object's properties and the results of TMAS scans (if you have TMAS integrated with your environment).

When a workload is created in the cluster, the Kubernetes API server calls the Container Security admission control webhook before the pod is scheduled. The webhook checks the request (including its container images) against your policy and either allows it or rejects it, so a non-compliant container never starts.

Continuous compliance

After deployment, Container Security keeps monitoring containers. It re-checks the policy assigned to the cluster on a regular schedule, so running containers must continue to conform to the policy you defined, not only at admission time. If you change the policy after the initial deployment, the updated policy is enforced against the containers that are already running. Running containers are also re-checked as new vulnerabilities are discovered, so an image that passed admission can later become non-compliant.
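The following is an added illustration of the two mechanisms described above (the admission-time policy check and the later continuous-compliance re-check); it is not Container Security's own code and does not use its API. It parses a Kubernetes AdmissionReview for a Pod, applies a constructed policy that mixes rules on object properties (namespace, registry, digest pinning, privileged flag) with rules on scan results (highest severity, malware, secrets), and returns the AdmissionReview response. The same evaluator is then re-run against already-running Pods with an updated scan-result table, which is how a previously admitted image becomes non-compliant. The registry name, the digests, the scan-result table and the policy values are all constructed for the example.

```python
"""Illustrative admission-control policy check and continuous re-check.
Added example, not Container Security's code; policy, scan results and the
sample AdmissionReview are constructed here so the script runs offline."""
import json

# Constructed policy: rules on Kubernetes object properties plus rules on
# scan results (the page says both kinds apply when TMAS is integrated).
POLICY = {
    "allowed_registries": ["registry.example.com"],  # assumed registry name
    "require_digest": True,          # reject images referenced only by tag
    "block_privileged": True,
    "block_namespaces": ["kube-system"],
    "max_severity": "high",          # deny anything above this (i.e. critical)
    "block_malware": True,
    "block_secrets": True,
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed stand-in for a scan-result feed, keyed by image digest.
GOOD_DIGEST = "sha256:" + "a" * 64
BAD_DIGEST = "sha256:" + "b" * 64
SCAN_RESULTS = {
    GOOD_DIGEST: {"highest_severity": "medium", "malware": 0, "secrets": 0},
    BAD_DIGEST: {"highest_severity": "critical", "malware": 0, "secrets": 1},
}


def parse_image(ref):
    """Split an image reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref      # implicit default registry
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def evaluate_pod(pod, policy=POLICY, scan_results=SCAN_RESULTS):
    """Return the list of policy violations for a Pod object (empty = compliant)."""
    violations = []
    ns = pod.get("metadata", {}).get("namespace", "default")
    if ns in policy["block_namespaces"]:
        violations.append(f"namespace {ns} is blocked by policy")
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, img = c.get("name", "?"), c["image"]
        parts = parse_image(img)
        if parts["registry"] not in policy["allowed_registries"]:
            violations.append(f"{name}: registry {parts['registry']} not allowed")
        if policy["require_digest"] and not parts["digest"]:
            violations.append(f"{name}: image {img} is not pinned by digest")
        if policy["block_privileged"] and c.get("securityContext", {}).get("privileged"):
            violations.append(f"{name}: privileged container")
        scan = scan_results.get(parts["digest"])
        if parts["digest"] and scan is None:
            violations.append(f"{name}: no scan result for {parts['digest']}")
        elif scan:
            if SEVERITY_RANK[scan["highest_severity"]] > SEVERITY_RANK[policy["max_severity"]]:
                violations.append(f"{name}: {scan['highest_severity']} vulnerabilities exceed policy")
            if policy["block_malware"] and scan["malware"]:
                violations.append(f"{name}: malware found in image")
            if policy["block_secrets"] and scan["secrets"]:
                violations.append(f"{name}: secrets found in image")
    return violations


def admission_response(review, policy=POLICY, scan_results=SCAN_RESULTS):
    """Build the AdmissionReview response the API server expects from a webhook."""
    req = review["request"]
    violations = evaluate_pod(req["object"], policy, scan_results)
    resp = {"uid": req["uid"], "allowed": not violations}
    if violations:
        resp["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": resp}


def recheck_running(pods, policy=POLICY, scan_results=SCAN_RESULTS):
    """Continuous compliance: re-evaluate Pods that are already running whenever
    the policy or the scan results change (no admission request is involved)."""
    return {p["metadata"]["name"]: evaluate_pod(p, policy, scan_results) for p in pods}


def make_review(image, namespace="default", privileged=False):
    """Constructed AdmissionReview request for a single-container Pod."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "example-uid", "namespace": namespace,
                        "object": {"metadata": {"name": "app-pod", "namespace": namespace},
                                   "spec": {"containers": [{"name": "app", "image": image,
                                            "securityContext": {"privileged": privileged}}]}}}}


if __name__ == "__main__":
    for img in (f"registry.example.com/app@{GOOD_DIGEST}",
                f"registry.example.com/app@{BAD_DIGEST}", "nginx:latest"):
        print(json.dumps(admission_response(make_review(img))["response"], indent=2))
```

Two details matter in practice. First, a digest-pinned image is the only thing a scan result can be reliably tied to; a tag such as `latest` can point at a different image tomorrow, which is why the example treats a missing digest as a violation rather than looking up the tag. Second, the re-check function deliberately reuses the admission evaluator unchanged: if the two code paths drift apart, a container can be compliant at admission and silently ignored afterwards.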

Runtime security

Runtime security provides visibility into any activity of your running containers that violates a customizable set of rules. Currently, runtime security ships with a set of pre-defined rules that cover MITRE ATT&CK® tactics for containers, as well as container drift detection (a process started from a binary that was not part of the container image). Container Security can also act on what runtime visibility and control detects, according to a policy that you define: if a pod violates a rule at runtime, the pod is terminated or isolated, whichever the runtime ruleset in the policy specifies for that rule.
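As an added illustration of the rule types just described (not Container Security's runtime engine, whose rule syntax and sensor are not shown on this page), the script below evaluates constructed process-execution events against a small ruleset: a drift rule that fires when the executed binary is not in the image's file list, plus two tactic-style rules tagged with the ATT&CK technique IDs T1059 (Command and Scripting Interpreter) and T1105 (Ingress Tool Transfer). Each rule carries a mitigation action, and the strongest action among a pod's hits is the one applied. The image digest, file list, pod names and events are all constructed.

```python
"""Illustrative runtime rule evaluation with drift detection and per-rule
mitigation. Added example, not Container Security's code; the image file
list, ruleset and events are constructed so the script runs offline."""

# Mitigation actions, weakest to strongest; the page names isolate/terminate.
ACTION_RANK = {"log": 0, "isolate": 1, "terminate": 2}

# Constructed file inventory of an image, the baseline drift is measured
# against. A real sensor would derive this from the image layers.
WEB_DIGEST = "sha256:" + "c" * 64
WEB_IMAGE = "registry.example.com/web@" + WEB_DIGEST        # assumed name
IMAGE_FILES = {
    WEB_IMAGE: {"/usr/sbin/nginx", "/bin/sh", "/usr/bin/env", "/bin/ls"},
}

# Constructed runtime ruleset of the kind a policy would carry.
RULES = [
    {"id": "drift", "desc": "binary executed that is not part of the image",
     "action": "isolate"},
    {"id": "T1059", "desc": "shell spawned inside the container",
     "match": lambda e: e["exe"] in ("/bin/sh", "/bin/bash", "/usr/bin/bash"),
     "action": "log"},
    {"id": "T1105", "desc": "download tool executed (ingress tool transfer)",
     "match": lambda e: e["exe"].rsplit("/", 1)[-1] in ("curl", "wget"),
     "action": "terminate"},
]


def is_drift(event, image_files=IMAGE_FILES):
    """True when the executed binary is absent from the image's file list.
    An image with no recorded inventory cannot be assessed, so it is not
    reported as drift here; a production sensor should record the inventory
    at admission time instead of guessing."""
    files = image_files.get(event["image"])
    return files is not None and event["exe"] not in files


def evaluate_event(event, rules=RULES, image_files=IMAGE_FILES):
    """Return [(rule_id, action)] for every rule the event violates."""
    hits = []
    for r in rules:
        matched = is_drift(event, image_files) if r["id"] == "drift" else r["match"](event)
        if matched:
            hits.append((r["id"], r["action"]))
    return hits


def decide(events, rules=RULES, image_files=IMAGE_FILES):
    """Aggregate hits per (namespace, pod) and keep the strongest action,
    mirroring 'terminate or isolate the pod based on the runtime ruleset'."""
    decisions = {}
    for e in events:
        key = (e["namespace"], e["pod"])
        for rid, action in evaluate_event(e, rules, image_files):
            d = decisions.setdefault(key, {"action": "log", "rules": []})
            d["rules"].append(rid)
            if ACTION_RANK[action] > ACTION_RANK[d["action"]]:
                d["action"] = action
    return decisions


def sample_events():
    """Constructed exec events: normal service start, an operator shell,
    a dropped tool in web-1, and a dropped miner binary in web-2."""
    def ev(exe, pod="web-1"):
        return {"namespace": "prod", "pod": pod, "image": WEB_IMAGE, "exe": exe}
    return [ev("/usr/sbin/nginx"), ev("/bin/sh"), ev("/usr/bin/curl"),
            ev("/tmp/xmrig", pod="web-2")]


if __name__ == "__main__":
    for key, d in decide(sample_events()).items():
        print(f"{key[0]}/{key[1]}: {d['action']} (rules: {', '.join(d['rules'])})")
```

Note that `/bin/sh` is part of this image, so the shell is not drift; it is caught only by the T1059 rule, and only at "log" severity. That is the usual tuning problem with runtime rules: the drift rule is precise but blind to abuse of tooling that ships in the image, while tactic rules catch that abuse but need per-workload tuning to avoid acting on legitimate operator activity.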

Runtime vulnerability scanning

Runtime vulnerability scanning provides visibility into operating system and open source code vulnerabilities present in the containers running in clusters where Container Security is installed. It lists the vulnerabilities sorted by severity; select one to see its details. You can search for a vulnerability by name and filter the list by severity level or CVSS score.

Vulnerability details include:

  • Vulnerability Information: A description of the vulnerability, a link to further details (such as the entry in the Common Vulnerabilities and Exposures (CVE®) list), the vulnerable package and version, and the fixed version of the package, if one is available.
  • Image Information: The container image in which the vulnerability was detected.
  • Detection Information: The workloads in which the vulnerability was detected, with the namespace, workload type, container, and last detection time for each.