⌘K
ENES
GitHub
conceptDevSecOps~1 min readUpdated Apr 23, 2026

Container Security

Definition

Container security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run.

Why it matters

Containers make delivery easier, but they also package software, dependencies, configuration, and privilege assumptions into a highly portable unit. Weak base images, broad privileges, and poor defaults can scale insecure patterns quickly. Container security is broader than image-scanning: scanning is one useful control, but the full topic includes base image trust, privilege design, build context, runtime posture, and promotion discipline.

Attacker perspective

Attackers look for: - overly privileged containers - weak or bloated base images - secrets baked into images - exposed admin/debug tooling - drift between what the image contains and what teams think it contains

Defender perspective

Defenders should: - reduce image complexity - control privileges and capabilities carefully - keep build context and image contents intentional - separate build hygiene from runtime assumptions - review how images are sourced and promoted

Practical examples

  • a container runs as root unnecessarily
  • debug tools and credentials are baked into production images
  • teams inherit a base image without understanding its maintenance state

References

  • Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final
  • Foundational: CISA Secure by Design — https://www.cisa.gov/resources-tools/resources/secure-by-design

Explore nearby notes

DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns. DevSecOpsImage ScanningImage scanning is the process of inspecting container images for known vulnerabilities, risky packages, and other issues before promotion or deployment.