Skip to main content

Scanning with SecretScanner

You can use SecretScanner to scan running or at-rest container images, and local file systems. SecretScanner will match the assets it finds against the secrets rules it has been configured with.

Scan a Container Image

Pull the image to your local repository, then scan it

docker pull node:latest

docker run -it --rm --name=deepfence-secretscanner \
    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
    -v /var/run/docker.sock:/var/run/docker.sock \
    quay.io/deepfenceio/deepfence_secret_scanner_ce:2.5.0 \
    --image-name node:latest

docker rmi node:latest

Scan a filesystem

Mount the filesystem within the SecretScanner container and scan it. Here, we scan the contents of /tmp on the host:

docker run -it --rm --name=deepfence-secretscanner \
    -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
    -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
    -v /tmp:/deepfence/mnt \
    quay.io/deepfenceio/deepfence_secret_scanner_ce:2.5.0 \
    --host-mount-path /deepfence/mnt --local /deepfence/mnt

Note that you can use nerdctl as an alternative to docker in the commands above.