Vol. 1 · Ed. 2026
CyberGlossary
Entry № 239

Container Security

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Container Security?

Container Security: The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.


Container security covers the full lifecycle of OCI-compatible containers (Docker, containerd, CRI-O). At build time, teams scan images for CVEs and embedded secrets, sign them with Sigstore/Cosign, and enforce minimal base images. At distribution, registries are protected with authenticated access and signature verification, and images are referenced by immutable digest rather than by a mutable tag so that what was scanned and signed is what gets deployed. At runtime, host hardening, namespace/cgroup isolation, seccomp, AppArmor, and read-only file systems reduce attack surface, while admission controllers enforce pod security policy before workloads are scheduled and eBPF-based sensors detect anomalous behaviour while they run. Common risks include privileged containers (effectively root on the host), hostPath mounts, vulnerable base layers, leaked credentials, and container escape via kernel exploits, which matter because every container on a node shares that node's kernel.

Examples

  1. Trivy or Grype scanning images in CI; Kyverno or OPA Gatekeeper rejecting privileged pods.

  2. Falco detecting a shell spawned inside a production container.
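The admission-control checks described in the definition above and in example 1 (an admission controller rejecting privileged pods, hostPath mounts, and other risky settings), written out as an added example. This is not Kyverno's or Gatekeeper's own code; it is a standalone Python policy function that encodes the same class of rules those tools enforce. Pod manifests are plain dicts of the shape `yaml.safe_load` would return, so it runs offline without PyYAML. The two sample manifests, the `registry.example.com` image name and the all-`a` digest are constructed for the example.

```python
"""Admission-style policy check for Kubernetes Pod manifests.

Added example for this glossary entry, not code from Kyverno, OPA Gatekeeper
or any other project. It encodes, in plain Python, the checks an admission
policy typically enforces: no privileged containers or host namespaces, no
hostPath volumes, non-root user, read-only root filesystem, all capabilities
dropped, a seccomp profile applied, and images pinned by digest.
"""
from typing import Any, Dict, List

ALLOWED_CAP_ADDS = {"NET_BIND_SERVICE"}  # the only added capability tolerated here
HOST_NAMESPACE_KEYS = ("hostPID", "hostIPC", "hostNetwork")


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return the policy violations found; an empty list means the Pod is admissible."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})
    violations: List[str] = []

    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key):
            violations.append(f"{name}: {key}=true shares a host namespace")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            violations.append(f"{name}: volume {vol.get('name')!r} mounts hostPath {path!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})

        # Supply chain: a tag can be re-pointed after scanning/signing; require a digest.
        if "@sha256:" not in c.get("image", ""):
            violations.append(f"{cname}: image {c.get('image')!r} is not pinned by digest")

        if sc.get("privileged"):
            violations.append(f"{cname}: privileged container (host devices and all capabilities)")
        if sc.get("allowPrivilegeEscalation") is not False:  # Kubernetes default is true
            violations.append(f"{cname}: allowPrivilegeEscalation must be false")

        # Container-level fields override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and not (run_as_user and run_as_user > 0):
            violations.append(f"{cname}: may run as root (set runAsNonRoot or a non-zero runAsUser)")

        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{cname}: root filesystem is writable")

        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_CAP_ADDS
        if extra:
            violations.append(f"{cname}: adds disallowed capabilities {sorted(extra)}")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{cname}: seccomp profile must be RuntimeDefault or Localhost")

    return violations


def admit(pod: Dict[str, Any]) -> bool:
    """Admission decision: True only when no rule is violated."""
    return not check_pod(pod)


# Constructed sample manifests (not from any real cluster).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "busybox:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example.com/api@sha256:" + "a" * 64,  # hypothetical digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        verdict = "ADMIT" if admit(pod) else "REJECT"
        print(verdict, pod["metadata"]["name"])
        for v in check_pod(pod):
            print("  -", v)
```

Run stand-alone, the script rejects `debug-shell` with nine findings and admits `api`. The checks deliberately treat unset fields as violations (for example a missing `allowPrivilegeEscalation`), because the Kubernetes defaults for those fields are the permissive ones; a real Kyverno or Gatekeeper policy would be written the same way.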

Frequently asked questions

What is Container Security?

The practice of securing container images, registries, orchestrators, and the runtime in which containers execute. It belongs to the Cloud Security category of cybersecurity.

What does Container Security mean?

The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.

What controls does Container Security involve?

Container security combines technical controls with operational practices across the lifecycle: image scanning for vulnerabilities and secrets, image signing and verification, minimal base images, authenticated registries, host hardening, namespace/cgroup isolation, seccomp and AppArmor profiles, read-only file systems, admission policies that reject privileged or hostPath-mounting pods, and runtime detection of anomalous behaviour, as described in the full definition above.

What are other names for Container Security?

Common alternative names include: Docker security, OCI container security.
