Skip to main content

Scanning with SecretScanner

You can use SecretScanner to scan running or at-rest container images, and local file systems. SecretScanner will match the assets it finds against the secrets rules it has been configured with.

Scan a Container Image

Pull the image to your local repository, then scan it

docker pull node:latest

docker run -it --rm --name=deepfence-secretscanner \
-e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
-e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
-v /var/run/docker.sock:/var/run/docker.sock \
quay.io/deepfenceio/deepfence_secret_scanner_ce:2.5.2 \
--image-name node:latest

docker rmi node:latest

Scan a filesystem

Mount the filesystem within the SecretScanner container and scan it. Here, we scan the contents of /tmp on the host:

docker run -it --rm --name=deepfence-secretscanner \
-e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \
-e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \
-v /tmp:/deepfence/mnt \
quay.io/deepfenceio/deepfence_secret_scanner_ce:2.5.2 \
--host-mount-path /deepfence/mnt --local /deepfence/mnt

Note that you can use nerdctl as an alternative to docker in the commands above.