Free Trial


Continuous Security Assessment for the Docker/Kubernetes Ecosystem


Cavirin is taking a leadership role securing the container lifecycle, including co-authoring both Docker and Kubernetes Security Benchmarks, OS hardening of containers as well as registry and Docker image scanning.

container security - full-stack

Cavirin's Steps to Full-Stack Container Security

At Cavirin, we take this full-stack security approach to container security, starting with the cloud service provider (though we support on-premise deployments), then the host OS or hypervisor (if deployed), next the container itself, both at-rest and in production, the images that make up the container, and finally, orchestration. APIs integrate with your choice of CI/CD toolset. We apply our protection, monitoring, and response capabilities to these different domains (prediction coming soon). Here are the steps we recommend:

    • Harden your images via the CIS Docker Benchmark as well as patches and vulnerabilities. Our solution supports both public and private registries.
    • Secure your container hosts and VMs via the CIS Benchmark as well as any OS-specific guidelines, frameworks, and best-practices such as NIST and PCI.
    • Monitor your container runtime, software that executes containers and manages container images on a node, a new Cavirin capability. Remembering that containers enable immutable infrastructure, there should be no real changes to any deployed container except in rare instances. Any new users provisioned, privileges escalated, or new services activated will result in IT notification and action.
    • Harden your orchestration layer via a combination of the CIS Kubernetes Benchmark and monitoring.
    • In parallel with the above, harden your CSP environment via active monitoring (i.e, AWS CloudTrail), application of relevant benchmarks, and network policy enforcement.
    • Also in parallel with the above, add security as a promotion criteria to your CI/CD pipeline.

Continuous Visibility

Cavirin's automated Docker image scanning looks at and assess all things within the actual Docker image, including security baselines and whether the system is patched, and can play an important role in the CI/CD pipeline. This is critical, since about a third of all container images found in public or even private registries have vulnerabilities.

Unsurpassed Security

OS hardening of the full containerized infrastructure stack removes security holes and unnecessary/corrupt images to provide unsurpassed security in addition to improving container performance.

Advanced Compliance

Cavirin was a key contributor of the CIS Docker v17.06 Benchmark and has embedded the core security guidelines into their platform along with other security and industry compliance frameworks (e.g HIPAA, PCI, SOC2 and NIST).


Securing the Container Lifecycle From the Beginning

Scanning the container images for security is critical before they hit production, since container based applications are often built by composing with other images downloaded from registries, some even untrusted, that can potentially have serious vulnerabilities. We have automated container security to the level of easy integration into application development process and CI/CD pipeline.

If they are implementing containers (Docker/Kubernetes) either on-premise or as part of a cloud deployment, you need to ensure that their workloads are secure. And, if you bring in images from a registry, you need to ensure that these are not corrupted. We support both of these scenarios, de-risking their deployments.


Download Solution Guide


A Unified Approach to Full Stack Container Security

Learn more about the threat to the evolution of the container runtime layer as well as a unified approach to full stack container protection. Yes, container hardening and image scanning are essential for container security, but automating anomaly detection and threat defenses in the full stack is now essential.

What you will learn:

  • How container runtime protection complements image, instance, and orchestration security
  • How to automate full stack container security across multiple public clouds and/or on-premise
  • What elements of container security may be monitored
  • How runtime container protection enables true DevSecOps
  • Advantages of combining container security alerts with AWS CloudTrail monitoring


Watch Webinar

© 2018 Cavirin Systems, Inc. All rights reserved.