loading
Loading content
loading
Container security covers the full lifecycle of a container, from the image a developer builds to the workload running in production. An image bundles an application with its dependencies and a slice of an operating system, so it inherits every vulnerable package those layers carry. A registry stores and distributes those images, and a runtime executes them on a shared kernel, which makes isolation a core concern.
The discipline matters because containers concentrate risk. A single base image with a vulnerable library propagates to every service built on it. Developers commit API keys into layers, where secrets scanning often finds them long after the fact. Containers run as root or with excess capabilities far too often, which turns a contained breach into a host compromise.
Image scanning inspects layers for known CVEs and embedded credentials before deployment, while runtime controls watch for drift and suspicious behavior. At scale, orchestration introduces its own attack surface that Kubernetes security addresses, and the broader cloud configuration falls under cloud security posture management.
In an automated workflow, you scan every image on push, fail the pipeline on critical findings, and re-scan running images as new CVEs land, since yesterday's clean image is not clean today.
Related terms