What is Container Security?
Trend Micro Cloud One™ - Container Security provides security for your containers at all stages of their lifecycle:
- During development: With the supported Trend Micro Smart Check integration, you can discover vulnerabilities early in the development stage.
- At deployment: Policy-based deployment control ensures that container images are run only when they meet the security criteria that you define. If you integrate with Smart Check, additional criteria can be set using security policies from Trend Micro Smart Check scan results to help ensure that only safe images are deployed.
- After deployment: Continuous compliance allows you to intermittently scan your containers after they are deployed.
- At runtime: Runtime security provides visibility into any container activity that violates a customizable set of rules.
Container image scanning
Container image scanning (performed by Trend Micro Smart Check) enables you to scan container images as part of your development pipeline and to perform ongoing scans of images in your registries so that developers can detect and fix security issues early in the container image lifecycle. With container image scanning, DevOps teams can continuously deliver production-ready applications and meet the needs of your business, without impacting build cycles.
Container image scanning checks for:
- secrets and keys
- compliance violations
Container image scanning detects threats in apps installed with a package manager, as well as direct-installed apps, using Trend Micro’s industry-leading rules feed. Container image scanning also uses the Snyk open source vulnerability database, offering early detection and mitigation of vulnerabilities in open-source code dependencies.
The results of the container image scans are also sent to Trend Micro Cloud One - Container Security, which determines whether it's safe to deploy the image by checking the scan results against a policy that you define.
To enable container image scanning, you will need to install and configure Trend Micro Smart Check in your local environment.
Policy-based deployment control
Container Security provides policy-based deployment control through a native integration with Kubernetes to ensure the Kubernetes deployments you run in your production environment are safe.
Container Security enables you to create policies that allow or block deployments based on a set of rules. The rules are based on a Kubernetes object's properties and the results of Trend Micro Smart Check scans (if you have Trend Micro Smart Check integrated with your environment).
When an image is ready to be deployed with Kubernetes, the admission control webhook is triggered, which checks whether the image is safe to deploy and either allows or blocks it from running.
After deployment, Container Security can continue to monitor containers. Container Security checks the policy assigned to the cluster on a regular basis, ensuring that running containers continue to conform to the policy you defined. If there are changes to the policy after the initial deployment, the updated policy is enforced. Running containers are also checked for new vulnerabilities as they are discovered.
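The admission control flow described above, as an added example that is not Trend Micro's code: a hand-written subset of the Kubernetes AdmissionReview schema (the `k8s.io` client types are not used), an illustrative policy over Pod properties (approved registry, no mutable image tags, no privileged containers), and a `Review` function that turns one request body into the allow/deny response the API server expects. The registry name `registry.example.com`, the rule set, and the sample Pod are constructed for the example; the product's own rules and Smart Check integration are not modelled here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-written subset of the AdmissionReview schema (not the k8s.io types).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"` // message shown on denial
}
type Status struct{ Message string `json:"message"` }
type Pod struct {
	Spec struct{ Containers []Container `json:"containers"` } `json:"spec"`
}
type Container struct {
	Name            string `json:"name"`
	Image           string `json:"image"`
	SecurityContext *struct{ Privileged bool `json:"privileged"` } `json:"securityContext,omitempty"`
}

// Policy is this example's illustrative rule set over Pod properties.
type Policy struct {
	AllowedRegistries []string // images must come from one of these hosts
	BlockMutableTags  bool     // deny untagged or ":latest" images
	BlockPrivileged   bool     // deny containers with privileged: true
}

// TagOf returns an image reference's tag: "" when untagged, "digest" when pinned by @sha256:... (immutable).
func TagOf(image string) string {
	if strings.Contains(image, "@") {
		return "digest"
	}
	last := image[strings.LastIndex(image, "/")+1:] // skip registry:port
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:]
	}
	return ""
}

// Evaluate returns every rule violation for the Pod; none means allowed.
func (p Policy) Evaluate(pod Pod) []string {
	var v []string
	for _, c := range pod.Spec.Containers {
		fromAllowed := false
		for _, r := range p.AllowedRegistries {
			fromAllowed = fromAllowed || strings.HasPrefix(c.Image, r+"/")
		}
		if !fromAllowed {
			v = append(v, fmt.Sprintf("%s: image %q is not from an allowed registry", c.Name, c.Image))
		}
		if tag := TagOf(c.Image); p.BlockMutableTags && (tag == "" || tag == "latest") {
			v = append(v, fmt.Sprintf("%s: image %q uses a mutable tag", c.Name, c.Image))
		}
		if p.BlockPrivileged && c.SecurityContext != nil && c.SecurityContext.Privileged {
			v = append(v, fmt.Sprintf("%s: privileged containers are not permitted", c.Name))
		}
	}
	return v
}

// Review handles one AdmissionReview request body and returns the response body; the request UID must be echoed back.
func Review(p Policy, body []byte) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("admission review carries no request")
	}
	var pod Pod
	if err := json.Unmarshal(ar.Request.Object, &pod); err != nil {
		return nil, err
	}
	resp := &AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	if v := p.Evaluate(pod); len(v) > 0 {
		resp.Allowed = false
		resp.Result = &Status{Message: strings.Join(v, "; ")}
	}
	return json.Marshal(AdmissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp})
}

// SampleRequest is constructed sample data: one compliant and one non-compliant container.
const SampleRequest = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"c0ffee00-0000-4000-8000-000000000001","object":{"spec":{"containers":[{"name":"api","image":"registry.example.com/payments/api:1.4.2"},{"name":"sidecar","image":"docker.io/library/busybox:latest","securityContext":{"privileged":true}}]}}}}`

func main() {
	out, err := Review(Policy{AllowedRegistries: []string{"registry.example.com"}, BlockMutableTags: true, BlockPrivileged: true}, []byte(SampleRequest))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // the denial lists all three sidecar violations
}
```

A real webhook would serve `Review` over HTTPS at the path registered in a `ValidatingWebhookConfiguration`; the point here is that the decision is made from the Pod object itself, and that every denial carries a message the deploying user sees in the `kubectl` error.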
Runtime security
Runtime security provides visibility into any activity of your running containers that violates a customizable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK® framework tactics for containers, as well as container drift detection. Container Security can mitigate problems detected by the runtime visibility and control feature, based on a policy that you define. If a pod violates any rule during runtime, the issue is mitigated by terminating or isolating the pod based on the runtime ruleset in the policy.
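Container drift detection, mentioned above, as an added example that is not Trend Micro's code: the container image is the immutable baseline, so an executable that appears or changes inside a running container is drift. The code below hashes every executable under a root directory, takes that as the baseline, and reports executables that were added or modified afterwards. The directory tree, file contents and the names `Snapshot`, `Compare` and `Demo` are constructed for this example; a product agent would observe the container's filesystem or exec events rather than a temp directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps each executable's path (relative to root) to its SHA-256.
type Baseline map[string]string

// Snapshot hashes every regular file with an execute bit under root.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
			return nil // config and data files are out of scope for drift
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Drift lists executables that appeared or changed since the baseline.
type Drift struct{ Added, Modified []string }

// Detected reports whether any drift was found.
func (d Drift) Detected() bool { return len(d.Added)+len(d.Modified) > 0 }

// Compare diffs a runtime snapshot against the image baseline.
func Compare(baseline, current Baseline) Drift {
	var d Drift
	for path, sum := range current {
		if old, ok := baseline[path]; !ok {
			d.Added = append(d.Added, path)
		} else if old != sum {
			d.Modified = append(d.Modified, path)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Modified)
	return d
}

// Demo builds a constructed image-like tree, records its baseline, applies
// changes that mimic runtime drift, and returns what Compare reports.
func Demo() (Drift, error) {
	root, err := os.MkdirTemp("", "drift-demo")
	if err != nil {
		return Drift{}, err
	}
	defer os.RemoveAll(root)
	var werr error // first write error, checked after each batch
	write := func(rel, content string, mode os.FileMode) {
		p := filepath.Join(root, rel)
		err := os.MkdirAll(filepath.Dir(p), 0o755)
		if err == nil {
			err = os.WriteFile(p, []byte(content), mode)
		}
		if werr == nil {
			werr = err
		}
	}
	// Constructed "image" contents: two executables and one config file.
	write("usr/bin/app", "#!/bin/sh\necho app\n", 0o755)
	write("usr/bin/healthcheck", "#!/bin/sh\nexit 0\n", 0o755)
	write("etc/app.conf", "port=8080\n", 0o644)
	baseline, err := Snapshot(root)
	if err != nil || werr != nil {
		return Drift{}, fmt.Errorf("baseline: %v %v", err, werr)
	}
	// Runtime changes: a new executable, a modified executable, a modified config (ignored).
	write("tmp/unexpected-tool", "#!/bin/sh\necho hi\n", 0o755)
	write("usr/bin/app", "#!/bin/sh\necho tampered\n", 0o755)
	write("etc/app.conf", "port=9090\n", 0o644)
	current, err := Snapshot(root)
	if err != nil || werr != nil {
		return Drift{}, fmt.Errorf("runtime: %v %v", err, werr)
	}
	return Compare(baseline, current), nil
}

func main() {
	d, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("drift detected: %v\nadded: %v\nmodified: %v\n", d.Detected(), d.Added, d.Modified)
}
```

Only executables are hashed on purpose: configuration and data files legitimately change at runtime, and flagging them would bury the signal that matters (a binary that was not in the image). The policy response the page describes, terminating or isolating the pod, would be driven by `Drift.Detected()`.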
Runtime vulnerability scanning
Runtime vulnerability scanning provides visibility of operating system and open source code vulnerabilities that are part of containers running in clusters where you have Container Security installed. It provides a list of vulnerabilities, sorted based on severity, which you can select for additional information. You can search for a vulnerability by name, and filter by severity level or CVE score.
At this time, runtime vulnerability scanning cannot be used to scan registries. If you need to scan container image registries, see Trend Micro Smart Check.
Vulnerability details include:
- Vulnerability Information: A description of the vulnerability, a link to details (like those listed in the Common Vulnerabilities and Exposures (CVE®) list), the vulnerable package and version, and the version of the vulnerable package which contains the fix (if available).
- Image Information: The container image where the vulnerability was detected.
- Detection Information: A list of workloads in which the vulnerability was detected including the namespace, type, container, and last detection time for each of these workloads.