Protect Your Container Images and CI/CD Pipeline
Ever wonder if the container images you provide to customers have been checked for vulnerabilities, malware, and other malicious threats? Read this article on how to easily and quickly set up protection for your container images and CI/CD pipeline.
Have you ever wondered that the container images that you are providing to your customers to consume have been checked for vulnerabilities, malware, and items you don't want developers putting into the images? Trend Micro has a great product that is very easy to set up in a new or existing Kubernetes cluster just for this purpose.
To start this experiment, I just created a simple kubernetes cluster shown below. This is easily accomplished programmatically using eksctl. This is a great tool to easily create an EKS cluster in Amazon AWS. https://eksctl.io/.
Once your Kubernetes cluster is provisioned, this takes about 10 minutes or so, you should be ready to run the Trend Micro Cloud One Container Image Security solution. This is simply run by running a helm chart against your Kubernetes cluster. https://github.com/deep-security/smartcheck-helm
Once you have the Cloud One Container Image Security solution deployed, you can logon to the solution. The first thing you are going to want to do is add your container registries to the solution. The good news is that all major registries are supported! Here is an example of scanning an Microsoft Azure Container Registry (ACR).
Once you have a scan completed against your registry, Trend Micro will provide vulnerability information for each layer of your container image. This is an example shown below.
Also, you can look at image vulnerabilities not only from Trend Micro, but also Snyk https://snyk.io/ as well! This is illustrated with the subsequent screen shots. First, the vulnerabilities shown are the Trend Micro vulnerabilities by layer. Next, are Snyk vulnerabilities. This is great multilayered security technology!
You can also integrate this solution with your CI/CD pipelines as well! This allows you to shift left and prevent vulnerabilities from ever reaching your container registries! Here is an example below. This is where I have integrated it with Jenkins to protect my CI/CD pipeline, and make sure vulnerable containers do not make in it my production registry.
References used for this article: