Configure pre-registry scanning
Deep Security Smart Check can help you ensure that images have been scanned before they reach your production registry.
Replace the default service certificate
If you have not already done so, follow the Replace the service certificate procedure to configure a valid certificate for the service.
Enable the scan registry in Deep Security Smart Check
We provide a registry for scanning purposes that you can enable in your Deep Security Smart Check deployment. The scan process stores images in this registry temporarily while they are being scanned. Because this registry is separate from your production registry, you don't have to worry about images being deployed accidentally before they have been scanned.
To enable the scan registry, make sure that your overrides.yaml file contains the following:

    registry:
      enabled: true
      auth:
        username: registryUser
        password: registryPassword

Add this alongside the overrides for the replaced certificate, then run the helm install or helm upgrade command. Replace registryUser and registryPassword with values specific to your site; these are the credentials your build hosts and CI jobs will use to push images into the scan registry.
The built-in registry in Deep Security Smart Check is intended for pre-registry scanning only. The system will periodically delete images pushed to this registry.
service.httpsPort, service.httpPort and service.registryPort must all be unique.
Install the scan registry's certificate on your build hosts
If the service certificate is not trusted by your build hosts, you will need to configure the Docker daemon on your build hosts to trust the Deep Security Smart Check service certificate.
Get the Deep Security Smart Check certificate
If your certificate is stored in the Kubernetes secret named dssc-proxy-certificate, you can get the certificate from your Deep Security Smart Check cluster using this command:

    kubectl get secret dssc-proxy-certificate -o go-template='{{index .data "tls.crt" | base64decode}}'

You will need kubectl version 1.11.0 (June 2018) or later for this command to work, because the base64decode template function is not available in earlier releases.
Save the certificate data to a file.
Install the certificate on your build hosts
Copy the certificate file from the previous step to the following location on your build hosts. Replace smartcheck.example.com with the host name assigned to your Deep Security Smart Check service and, if you are using a different port than the default, replace 5000 with the port number you are using:

    /etc/docker/certs.d/smartcheck.example.com:5000/ca.crt
You do not need to restart the Docker daemon on your build hosts.
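The two steps above (get the certificate out of the cluster, then place it under /etc/docker/certs.d) as one script. This is an added example, not part of the Deep Security Smart Check documentation or product. It assumes the secret is named dssc-proxy-certificate in the current kubectl context and namespace, and smartcheck.example.com and 5000 are placeholders for your service host name and registry port; the function names are this example's own. The install step checks that the file is a PEM certificate before copying it, so a failed kubectl call cannot leave an empty ca.crt behind that would make every push to the scan registry fail with a TLS error.

```shell
#!/bin/sh
# Added example (not from the Deep Security Smart Check docs): fetch the
# service certificate from the cluster and install it where the Docker
# daemon looks for per-registry CA certificates.
#
# Assumptions (not from the page): the TLS secret is dssc-proxy-certificate
# in the current namespace; smartcheck.example.com:5000 is the scan registry.
set -eu

# Print the PEM certificate stored in the TLS secret.
# Requires kubectl >= 1.11 for the base64decode template function.
fetch_smartcheck_cert() {
    secret="${1:-dssc-proxy-certificate}"
    kubectl get secret "$secret" \
        -o go-template='{{index .data "tls.crt" | base64decode}}'
}

# Directory Docker consults for a given registry host:port.
# The optional root (default "/") lets the path be relocated for testing.
registry_certs_dir() {
    host="$1"; port="$2"; root="${3:-/}"
    printf '%s/etc/docker/certs.d/%s:%s' "${root%/}" "$host" "$port"
}

# Install a PEM certificate as ca.crt for host:port. Refuses anything that
# is not a PEM certificate so a failed fetch cannot install an empty file.
# Prints the path of the installed ca.crt.
install_registry_ca() {
    cert_file="$1"; host="$2"; port="$3"; root="${4:-/}"
    if ! grep -q 'BEGIN CERTIFICATE' "$cert_file"; then
        echo "error: $cert_file does not look like a PEM certificate" >&2
        return 1
    fi
    dir="$(registry_certs_dir "$host" "$port" "$root")"
    mkdir -p "$dir"
    cp "$cert_file" "$dir/ca.crt"
    chmod 0644 "$dir/ca.crt"
    echo "$dir/ca.crt"
}

# Stand-alone usage on a build host with kubectl access to the cluster:
#   sudo ./install-smartcheck-ca.sh install smartcheck.example.com 5000
if [ "${1:-}" = "install" ]; then
    tmp="$(mktemp)"
    fetch_smartcheck_cert > "$tmp"
    install_registry_ca "$tmp" "${2:-smartcheck.example.com}" "${3:-5000}"
    rm -f "$tmp"
fi
```

No daemon restart is needed after the copy: Docker reads the certs.d directory when it next contacts that registry, so a push that failed on a certificate error can simply be retried.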
Configure the Deep Security Smart Check plugin for Jenkins
These instructions require v1.1.0 of the plugin. If you have an older version, please upgrade before using this sample.
If you are using the Deep Security Smart Check plugin for Jenkins, add the preregistryScan and preregistryCredentialsId parameters to your smartcheckScan call in your Jenkinsfile as shown below:

    stage("Deep Security Smart Check scan") {
      smartcheckScan([
        imageName: "registry.example.com/my-project/my-image",
        smartcheckHost: "smartcheck.example.com",
        smartcheckCredentialsId: "smartcheck-auth",
        preregistryScan: true,
        preregistryCredentialsId: "preregistry-auth",
      ])
    }
Remember that you can run this stage in parallel with any test stages that your pipeline requires.
The smartcheckCredentialsId and preregistryCredentialsId above refer to the Jenkins credentials that you have created for accessing Deep Security Smart Check and the built-in registry, respectively.
For the smartcheckCredentialsId, create a "Username with password" credential in Jenkins with the username and password of a Deep Security Smart Check user that has the Administrator or User role. Provide the ID for this credential as the value for smartcheckCredentialsId.
For the preregistryCredentialsId, create a "Username with password" credential in Jenkins with the registry.auth.username and registry.auth.password that you put in the overrides.yaml file as described in Enable the scan registry in Deep Security Smart Check above. Provide the ID for this credential as the value for preregistryCredentialsId.