Container Guard Service

Container Guard Service (CGS)

Container Guard Service (CGS)

Container Guard Service (CGS) protects containers from vulnerabilities, escape attacks, intrusions, and malicious code by scanning container images and implementing the security policies you define.

Container Guard Service (CGS) protects containers from vulnerabilities, escape attacks, intrusions, and malicious code by scanning container images and implementing the security policies you define.

Product Advantages

  • Uniform Security Management

    Manage the security of all your container images in a Cloud Container Engine (CCE) cluster in a unified manner.

    Manage the security of all your container images in a Cloud Container Engine (CCE) cluster in a unified manner.

  • Extensive Vulnerability Library

    Accurately detect over 100,000 container image vulnerabilities.

    Accurately detect over 100,000 container image vulnerabilities.

  • Container Escape Detection

    Take advantage of the 10 types and 100 subtypes of built-in rules to detect and block escape attacks on containers.

    Take advantage of the 10 types and 100 subtypes of built-in rules to detect and block escape attacks on containers.

  • Lightweight Agent

    The CGS agent runs as a container requiring minimal CPU and memory, never affecting the running of other containers.

    The CGS agent runs as a container requiring minimal CPU and memory, never affecting the running of other containers.

Application Scenarios

Container Image Security

External images, including those downloaded from Docker Hub, contain vulnerabilities. Image vulnerabilities can also be inadvertently introduced through the use of open-source frameworks. It is time consuming to manually find and fix all the vulnerabilities.


Advantages

  • Vulnerability Management for SWR

    You can use CGS to scan SWR for and eliminate vulnerabilities, malicious files, and unsafe settings.

  • Vulnerability Management for Running Images

    CGS scans running images for vulnerabilities and gives you suggestions for mitigation.

  • Official Image Vulnerability Scan

    CGS periodically scans for and helps you fix Docker image vulnerabilities.

Related Services

SWR
CCE

Container Runtime Security

Container behaviors are immutable. CGS helps enterprises develop a whitelist of container behaviors to ensure that containers run with the minimum permissions required and are secure against threats.


Advantages

  • Malicious Program Detection

    CGS can detect malicious programs, such as miners, ransomware, and Trojans.

  • Process Whitelist

    You can whitelist good processes while blocking anything anomalous, such as abnormal processes, privilege escalation attacks, and unapproved operations.

  • File Protection

    You can set your important file directories to read-only to protect files from being tampered with.

  • Container Escape Detection

    CGS accurately detects escapes, such as shocker attacks, process escalation, Dirty COW, and brute-force cracking.

Related Services

CCE

Functions

  • Container Image Security

    CGS scans running images and the images in your repositories, and provides suggestions on how to fix vulnerabilities and malicious files.

    CGS scans running images and the images in your repositories, and provides suggestions on how to fix vulnerabilities and malicious files.

  • Container Security Policies

    You can configure security policies, whitelist container processes, and set protected files to minimize the permissions required to run containers, improving system and application security.

    You can configure security policies, whitelist container processes, and set protected files to minimize the permissions required to run containers, improving system and application security.

  • Container Runtime Security

    CGS monitors statuses of containers in nodes and can detect miners, ransomware, malicious processes, file modifications that violate container security policies, and container escape behaviors.

    CGS monitors statuses of containers in nodes and can detect miners, ransomware, malicious processes, file modifications that violate container security policies, and container escape behaviors.

  • SWR Image Scan
    SWR Image Scan

    You can scan images in SWR for vulnerabilities, unsafe settings, and malicious code.

    You can scan images in SWR for vulnerabilities, unsafe settings, and malicious code.

  • Running Image Scan
    Running Image Scan

    You can scan images in CCE for CVE vulnerabilities and other risks.

    You can scan images in CCE for CVE vulnerabilities and other risks.

  • Official Image Scan
    Official Image Scan

    CGS periodically scans official Docker images for vulnerabilities.

    CGS periodically scans official Docker images for vulnerabilities.

  • Process Whitelist
    Process Whitelist

    Alarms are triggered if non-whitelisted processes are started. This prevents abnormal processes, privilege escalation attacks, and violations.

    Alarms are triggered if non-whitelisted processes are started. This prevents abnormal processes, privilege escalation attacks, and violations.

  • File protection
    File protection

    Read-only permissions can be configured for critical application directories (such as bin, lib, and usr directories) in the container to prevent tampering and attacking. If you set these directories to read-only, CGS will protect them from security threats such as file tampering.

    Read-only permissions can be configured for critical application directories (such as bin, lib, and usr directories) in the container to prevent tampering and attacking. If you set these directories to read-only, CGS will protect them from security threats such as file tampering.

  • Container Escape Detection
    Container Escape Detection

    CGS uses rules and machine learning to accurately detect escape behaviors, including shocker attacks, process privilege escalations, Dirty COW, and brute-force attacks.

    CGS uses rules and machine learning to accurately detect escape behaviors, including shocker attacks, process privilege escalations, Dirty COW, and brute-force attacks.

  • Abnormal Program Detection
    Abnormal Program Detection

    CGS can detect the startup of processes that violate security policies and malicious programs such as miners, ransomware, Trojans, and other viruses.

    CGS can detect the startup of processes that violate security policies and malicious programs such as miners, ransomware, Trojans, and other viruses.

  • Abnormal File Detection
    Abnormal File Detection

    CGS scans for file access that violates security policies, detecting any sensitive file intrusions and tampering.

    CGS scans for file access that violates security policies, detecting any sensitive file intrusions and tampering.

  • Container Runtime Check
    Container Runtime Check

    CGS checks for abnormal container runtime, including abnormal startup and improper configurations.

    CGS checks for abnormal container runtime, including abnormal startup and improper configurations.

Documentation

Getting Started

About Container Guard Service

User Guide

Container Guard Service User Guide

FAQs

Container Guard Service FAQs
查看更多 收起

Sign up and start an amazing cloud journey

Try Free