What is Container Security?

Trend Micro Cloud One™ - Container Security provides security for your containers at all stages of their lifecycle:

  • During development: With Deep Security™ Smart Check (where supported), you can discover vulnerabilities early in the development stage.
  • At deployment: Policy-based deployment control ensures that container images are run only when they meet the security criteria that you define. With Deep Security™ Smart Check integration (where supported), you can build security policies from scan results that allow only safe images to be deployed.
  • After deployment: Continuous compliance allows you to intermittently scan your containers after they are deployed.
  • At runtime: Runtime security provides visibility into any container activity that violates a customizable set of rules.

Diagram of container lifecycle

Container image scanning

Container image scanning (performed by Deep Security Smart Check) enables you to scan container images as part of your development pipeline and to perform ongoing scans of images in your registries so that developers can detect and fix security issues early in the container image lifecycle. With container image scanning, DevOps teams can continuously deliver production-ready applications and meet the needs of your business, without impacting build cycles.

Container image scanning checks for:

  • vulnerabilities
  • malware
  • secrets and keys
  • compliance violations

Container image scanning detects threats in apps installed with a package manager, as well as direct-installed apps, using Trend Micro’s industry-leading rules feed. Container image scanning also uses the Snyk open source vulnerability database, offering early detection and mitigation of vulnerabilities in open-source code dependencies.

The results of the container image scans are also sent to Trend Micro Cloud One - Container Security, which determines whether it's safe to deploy the image by checking the scan results against a policy that you define.

To enable container image scanning, you will need to install and configure Deep Security Smart Check in your local environment.

Policy-based deployment control

Container Security provides policy-based deployment control through a native integration with Kubernetes to ensure the Kubernetes deployments you run in your production environment are safe.

Container Security enables you to create policies that allow or block deployments based on a set of rules. The rules are based on a Kubernetes object's properties and the results of Deep Security Smart Check scans (if you have Smart Check integrated with your environment).

When an image is ready to be deployed with Kubernetes, the admission control webhook is triggered, which checks whether the image is safe to deploy and either allows or blocks it from running.
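To show the mechanism described above, here is an added example (not Container Security's code) of the decision logic a Kubernetes validating admission webhook runs: it reads an AdmissionReview request, checks each container image against a constructed policy (allowed registries, mutable tags, privileged containers), and returns the AdmissionReview response that allows or blocks the Pod. The policy format, registry name and request values are hypothetical.

```python
# Constructed policy in a hypothetical format (not Container Security's own):
# allowed registries, forbidden mutable tags, and a ban on privileged containers.
POLICY = {"allowed_registries": ["registry.example.com/"],
          "forbidden_tags": ["latest"], "forbid_privileged": True}

def parse_image(ref):
    """Split an image reference into (name, tag, digest); empty strings when absent."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = ""
    if ":" in ref.rsplit("/", 1)[-1]:   # a colon in the last path segment is a tag
        ref, tag = ref.rsplit(":", 1)   # (a colon before the last '/' is a registry port)
    return ref, tag, digest

def violations(pod_spec, policy=POLICY):
    """Return the list of rule violations for a Pod spec (empty means compliant)."""
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name, tag, digest = parse_image(c["image"])
        if not any(name.startswith(r) for r in policy["allowed_registries"]):
            found.append(f"{c['name']}: image {name} is not from an allowed registry")
        # No tag and no digest means Kubernetes pulls ':latest', which is mutable.
        if not digest and (tag in policy["forbidden_tags"] or not tag):
            found.append(f"{c['name']}: image uses a mutable tag ({tag or 'latest'})")
        if policy["forbid_privileged"] and c.get("securityContext", {}).get("privileged"):
            found.append(f"{c['name']}: privileged container is not allowed")
    return found

def review(admission_review):
    """Build the AdmissionReview response the API server expects from a webhook."""
    req = admission_review["request"]
    problems = violations(req["object"]["spec"])
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": not problems,
                         "status": {"message": "; ".join(problems) or "pod complies"}}}

# Constructed AdmissionReview request, shaped like what the API server POSTs to a webhook.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1", "object": {"kind": "Pod", "spec": {
        "containers": [
            {"name": "app", "image": "registry.example.com/team/app:1.4.2"},
            {"name": "helper", "image": "docker.io/library/busybox",
             "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    for line in violations(SAMPLE_REQUEST["request"]["object"]["spec"]):
        print("blocked:", line)
```

Running the block reports three violations for the `helper` container (untrusted registry, implicit `latest` tag, privileged), so the response carries `"allowed": false` and the Pod is rejected.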

Continuous compliance

After deployment, Container Security can continue to monitor containers. Container Security checks the policy assigned to the cluster on a regular basis, ensuring that running containers continue to conform to the policy you defined. If there are changes to the policy after the initial deployment, the updated policy is enforced. Running containers are also checked for new vulnerabilities as they are discovered.

Runtime security

Runtime security provides visibility into any activity of your running containers that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK® framework tactics for containers, as well as container drift detection. Container Security can mitigate problems detected by the runtime visibility and control feature, based on a policy that you define. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the runtime ruleset in the policy.