Container Security Definition Container security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run. Why it matters Containers make delivery easier, but they also package software, dependencies, configuration, and privilege assumptions into a highly portable unit. Weak base images, broad privileges, and poor defaults can scale insecure patterns quickly. Container security is broader than image-scanning: scanning is one useful control, but the full topic includes base image trust, privilege design, build context, runtime posture, and promotion discipline. Attacker perspective Attackers look for: - overly privileged containers - weak or bloated base images - secrets baked into images - exposed admin/debug tooling - drift between what the image contains and what teams think it contains Defender perspective Defenders should: - reduce image complexity - control privileges and capabilities carefully - keep build context and image contents intentional - separate build hygiene from runtime assumptions - review how images are sourced and promoted Practical examples a container runs as root unnecessarily debug tools and credentials are baked into production images teams inherit a base image without understanding its maintenance state Related notes image-scanning supply-chain-security artifact-integrity Exposed Storage References Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final Foundational: CISA Secure by Design — https://www.cisa.gov/resources-tools/resources/secure-by-design ← PreviousCI/CD HardeningNext →Dependency Risk Explore nearby notes DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns. DevSecOpsImage ScanningImage scanning is the process of inspecting container images for known vulnerabilities, risky packages, and other issues before promotion or deployment.