What is Container Security?

Trend Micro Cloud One™ - Container Security provides policy-based deployment security, ensuring that container images are run only when they meet the security criteria that you define. Continuous Compliance allows you to periodically scan your containers after they are deployed.

With the supported Deep Security™ Smart Check integration, you can build security policies from scan results so that only images that pass the scan are deployed.

Diagram of container lifecycle

Container image scanning

Container image scanning (performed by Deep Security Smart Check) enables you to scan container images as part of your development pipeline, and to perform ongoing scans of images in your registries so that developers can detect and fix security issues early in the container image lifecycle. With container image scanning, DevOps teams can continuously deliver production-ready applications and meet the needs of the business, without impacting build cycles.

Container image scanning checks for:

  • vulnerabilities
  • malware
  • secrets and keys
  • compliance violations

Container image scanning detects threats in apps installed with a package manager, as well as direct-installed apps, using Trend Micro’s industry-leading rules feed. Container image scanning also uses the Snyk open source vulnerability database, offering early detection and mitigation of vulnerabilities in open-source code dependencies.

To enable container image scanning, you will need to install and configure Deep Security Smart Check in your local environment.

Policy-based deployment control

Container Security provides policy-based deployment control through a native integration with Kubernetes to ensure the Kubernetes deployments you run in your production environment are safe.

Container Security enables you to create policies that allow or block deployments based on a set of rules. The rules are based on pod and container security properties, and on the results of Deep Security Smart Check scans (if Smart Check is integrated with your environment).

When an image is ready to be deployed with Kubernetes, the admission control webhook is triggered, which checks whether the image is safe to deploy and either allows or blocks it from running.
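As an added illustration (not Container Security's own code or policy format), the sketch below shows the decision a validating admission webhook makes: it parses a Kubernetes AdmissionReview request, checks each container against rules on its security properties and against a scan-result lookup, and returns allow or deny with the reasons. The POLICY layout, the SCAN_RESULTS table and SAMPLE_REVIEW are constructed assumptions.

```python
import json

# Constructed policy standing in for the rules a Container Security policy
# expresses (hypothetical structure, not the product's own format).
POLICY = {
    "allowed_registries": ["registry.example.com/"],
    "block_privileged": True,
    "block_mutable_tag": True,
    "block_findings": ["malware", "critical_vulnerabilities"],
}

# Constructed scan results keyed by image, standing in for Smart Check output.
SCAN_RESULTS = {
    "registry.example.com/app:1.4.2": {"malware": 0, "critical_vulnerabilities": 0},
    "registry.example.com/app:1.4.1": {"malware": 0, "critical_vulnerabilities": 3},
}

# Constructed AdmissionReview request, as the API server would send it.
SAMPLE_REVIEW = json.dumps({"request": {"uid": "c0ffee", "object": {"spec": {"containers": [
    {"name": "app", "image": "registry.example.com/app:1.4.1"}]}}}})

def violations(pod_spec, policy=POLICY, scan_results=SCAN_RESULTS):
    """Return the rule violations for a pod spec; an empty list means admit."""
    found = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        tag = image.rsplit("/", 1)[-1]  # last path segment carries the tag
        if not any(image.startswith(r) for r in policy["allowed_registries"]):
            found.append(f"{name}: image {image} is not from an allowed registry")
        if policy["block_mutable_tag"] and (":" not in tag or tag.endswith(":latest")):
            found.append(f"{name}: image {image} is untagged or uses the latest tag")
        if policy["block_privileged"] and (c.get("securityContext") or {}).get("privileged"):
            found.append(f"{name}: privileged container")
        scan = scan_results.get(image)
        if scan is None:  # unscanned images are denied, not silently admitted
            found.append(f"{name}: image {image} has no scan result")
            continue
        for finding in policy["block_findings"]:
            if scan.get(finding, 0) > 0:
                found.append(f"{name}: scan reports {scan[finding]} {finding}")
    return found

def review_admission(review_json):
    """Evaluate an AdmissionReview v1 request body and build the response."""
    request = json.loads(review_json)["request"]
    problems = violations(request["object"]["spec"])
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:  # a denied request carries the reasons back to the caller
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}
```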

Continuous compliance

Container Security can continue to monitor containers after deployment. Container Security checks the policy assigned to the cluster on a regular basis, ensuring that running containers continue to conform to the policy. If there are changes to the policy after the initial deployment, the updated policy is enforced. Running containers are also checked for new vulnerabilities as they are discovered.

For more information about ways to use Container Security, see Use cases.