
Configure pre registry scanning

Geoff Baskwill edited this page Jun 17, 2019 · 6 revisions

Software delivery pipeline

Deep Security Smart Check can help you ensure that images have been scanned before they reach your production registry.

Replace the default service certificate

If you have not already done so, follow the Replace the service certificate procedure to configure a valid certificate for the service.

Enable the scan registry in Deep Security Smart Check

We provide a registry for scanning purposes that you can enable in your Deep Security Smart Check deployment. The scan process stores images in this registry temporarily while they are being scanned. Because this registry is separate from your production registry, you don't have to worry about images being deployed accidentally before they have been scanned.

To enable the scan registry, make sure that your overrides.yaml file contains the following:

registry:
  enabled: true

  auth:
    username: registryUser
    password: registryPassword

in addition to the overrides for the replaced certificate, and then run the helm install or helm upgrade command.

Note: Replace registryUser and registryPassword above with values specific to your site.

Warning: The built-in registry in Deep Security Smart Check is intended for pre-registry scanning only. The system will periodically delete images pushed to this registry.

Install the scan registry's certificate on your build hosts

If the service certificate is not trusted by your build hosts, you will need to configure the Docker daemon on your build hosts to trust the Deep Security Smart Check service certificate.

Get the Deep Security Smart Check certificate

If your certificate is stored in the Kubernetes secret named dssc-proxy-certificate, you can get the certificate from your Deep Security Smart Check cluster using this command:

kubectl get secret dssc-proxy-certificate -o go-template='{{index .data "tls.crt" | base64decode}}'

NOTE: You will need kubectl version 1.11.0 (June 2018) or later for this command to work.

Save the certificate data to a file.

Install the certificate on your build hosts

Copy the certificate file from the previous step to the following location on your build hosts. Replace smartcheck.example.com with the host name assigned to your Deep Security Smart Check service. If you are using a different port than the default, replace 5000 with the port number you are using.

/etc/docker/certs.d/smartcheck.example.com:5000/ca.crt

You do not need to restart the Docker daemon on your build hosts.
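As an added example that is not part of this wiki page, the fetch and install steps above combined into one POSIX shell script. The kubectl command is the one shown on this page; the function names, the PEM sanity check (so an empty or error response from kubectl is never installed as ca.crt) and the overridable root directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: install the Smart Check scan registry certificate for the
# Docker daemon on a build host. Function names and the root-directory
# parameter are assumptions; the kubectl command is the one from this page.
set -eu

# Fetch the certificate from the Kubernetes secret named on this page.
# Assumes kubectl is already pointed at the Smart Check cluster.
fetch_smartcheck_cert() {
    kubectl get secret dssc-proxy-certificate \
        -o go-template='{{index .data "tls.crt" | base64decode}}'
}

# Check that a file holds at least one PEM certificate block, so a missing
# key or a "<no value>" response from kubectl is never installed as ca.crt.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Docker looks for a registry CA at <root>/<host>:<port>/ca.crt, where root
# is /etc/docker/certs.d by default (overridable here for testing).
# Prints the installed path on success, returns 1 without touching the
# filesystem if the input does not look like a certificate.
install_registry_ca() {
    cert_file=$1; host=$2; port=${3:-5000}; root=${4:-/etc/docker/certs.d}
    if ! is_pem_cert "$cert_file"; then
        echo "refusing to install $cert_file: no PEM certificate found" >&2
        return 1
    fi
    target_dir="$root/$host:$port"
    mkdir -p "$target_dir"
    # Copy rather than move so the fetched file stays available for review.
    cp "$cert_file" "$target_dir/ca.crt"
    chmod 0644 "$target_dir/ca.crt"
    echo "$target_dir/ca.crt"
}

# Typical use on a build host (needs kubectl access, and root for /etc/docker):
#   fetch_smartcheck_cert > /tmp/smartcheck.crt
#   install_registry_ca /tmp/smartcheck.crt smartcheck.example.com 5000
```

No daemon restart is needed after the file is in place, as the page notes; the script only validates PEM framing, not the certificate's subject or expiry.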

Configure the Deep Security Smart Check plugin for Jenkins

These instructions require v1.1.0 of the plugin. If you have an older version, please upgrade before using this sample.

If you are using the Deep Security Smart Check plugin for Jenkins, add the preRegistry parameters to your smartcheckScan call in your Jenkinsfile as shown below:

stage("Deep Security Smart Check scan") {
    smartcheckScan([
        imageName: "registry.example.com/my-project/my-image",
        smartcheckHost: "smartcheck.example.com",
        smartcheckCredentialsId: "smartcheck-auth",
        preregistryScan: true,
        preregistryCredentialsId: "preregistry-auth",
    ])
}

Remember that you can run this stage in parallel with any test stages that your pipeline requires.
