Topics on this page
About Deep Security Smart Check
Deep Security™ Smart Check is a container image scanner from Trend Micro™. It performs pre-runtime scans of Docker™ images, enabling you to fix issues before they reach the orchestration environment (for example, Kubernetes®).
Deep Security Smart Check provides the ability to:
- detect OS-level and application-level vulnerabilities
- detect malware
- detect secrets and keys embedded in your applications
- perform custom scan queries to find suspicious or unwanted files
- check image content against a compliance checklist that includes items from PCI-DSS, HIPAA, and NIST 800-190.
Deep Security Smart Check receives up-to-date threat data from private Trend Micro endpoints. Smart Check obtains malware information from the Trend Micro Smart Protection Network™ and detects threats using Trend Micro XGen™ machine learning algorithms. Deep Security Smart Check will find vulnerabilities in these Linux® distributions:
- Red Hat® Enterprise Linux™
- CentOS™
- Oracle® Linux
- Ubuntu®
- Debian®
- Alpine™
- Amazon™ Linux 2018.03 and Amazon Linux 2
How does Smart Check fit into a DevOps pipeline?
Deep Security Smart Check provides a valuable step in your continuous integration (CI) or continuous delivery (CD) pipeline.
For example, Jenkins® projects can automatically build, test, and then push Docker images to a Docker registry. Once pushed, the image may be instantly available to run in an orchestration environment. If malware or vulnerabilities exist in the image, then they become a risk when the image is run. Since images are intended to be immutable, the right time to scan the image is when it's first pushed to the registry.
That’s where Deep Security Smart Check fits in – it can scan Docker images in any registry that implements the Docker Registry V2 API. All Deep Security Smart Check operations are available through a documented collection of APIs to simplify integration into your CI/CD pipeline. Deep Security Smart Check APIs can be invoked automatically by your CI/CD system to start scans when an image is pushed to a Docker registry. Scan results are also available through the API. You can also scan images before they reach your production registry (see Configure pre registry scanning).
The Smart Check API includes a web hook facility that allows CI/CD components to register to receive notifications of scan events, including 'scan-completed', allowing you to automate workflows. For example, a Docker image signing service could register to receive scan results and then use those results to decide whether a particular image should be digitally signed and promoted to a "blessed" repository that is available to your orchestration environment. You could also set a web hook to call a receiver service that forwards scan results to a Slack™ channel or ServiceNow™ account.
Deep Security Smart Check also includes an administrator console that provides:
- a dashboard (system-wide summary of scan information, including metrics)
- user management
- registry configuration
- access to scan results
- scan history
- content rule customization
Supported registries
Deep Security Smart Check supports scanning Docker images in any registry that supports the Docker Registry V2 API and allows catalog listing. Tested registries include:
- Docker Trusted Registry (DTR)
- Google Container Registry (GCR)
- Amazon™ Elastic Container Registry (ECR)
- Azure™ Container Registry (ACR)
- VMware® Harbor
- jFrog™ Artifactory
- Sonatype Nexus™
- Quay™ Container Registry
Deep Security Smart Check requires a TLS connection to the registry.
To integrate Deep Security Smart Check into your pipeline, you may need to write integration logic to trigger scanning based on the event model of your registry. For example, Google Container Registry uses a pub/sub model to publish events about registry activity and Docker Trusted Registry uses a web hook model. If you use Jenkins, you can use the Deep Security Smart Check plugin for Jenkins for easy integration into your pipeline. You can also use our GitHub Action directly to integrate Smart Check into your CI workflows. See Deep Security Smart Check Scan Action for details.
System requirements
Deep Security Smart Check requires:
- Kubernetes 1.21 or greater on a Kubernetes Certified platform (or equivalent). See Software Conformance - Cloud Native Computing Foundation
- Google Chrome™ browser to access the Smart Check administrator console. Other modern browsers may work with Smart Check but are not officially supported.
- Constant internet access. Air gapped environments are not supported.
Deep Security Smart Check is tested with Google Kubernetes Engine, using the following resource allocations:
- 1 manager node and 4 worker nodes
- Each node is an "n1-standard-2" machine type, with 2 vCPUs and 5 GB RAM
By default, Deep Security Smart Check requires an 8 GB persistent volume when using the built-in database. If you install using an external database, Deep Security Smart Check does not require any persistent volumes.
You can also Run Smart check on AWS Outposts. AWS Outposts enables you to run an AWS environment in a datacenter or other on-premises location. You can deploy Smart Check on an EKS cluster running on AWS Outposts, using either a built-in database (for testing) or an external RDS instance that's running on AWS Outposts (for production). Smart Check on AWS Outposts is identical to Smart Check in the AWS cloud environment. Smart Check does not currently support high availability.
For additional information about scaling and sizing your Smart Check cluster, see Deep Security Smart Check sizing guidelines.