Container Security Policies
Container Security policies identify security risks in container images and their underlying components. The policies evaluate dependencies introduced through base images, operating system layers, user code, and build instructions, as well as configuration settings and sensitive data embedded in containers.
Identifying vulnerabilities, misconfigurations, and policy violations early helps reduce supply chain risk and limits the likelihood of insecure images being deployed into runtime environments.
The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

View and manage Container Security policies
Open each policy to view the business impact and optional settings.
Deprecated dependency in container from user code or instruction
Purpose: Identifies deprecated libraries introduced into container images through user code or build instructions.
Business impact: Deprecated libraries are no longer maintained and may not receive security fixes, increasing the risk of vulnerabilities and instability. Continuing to use deprecated dependencies can expose containerized applications to known security issues and operational risk.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Malicious dependency in container
Purpose: Detects third-party libraries or packages embedded in container images that contain malicious code.
Business impact: Malicious dependencies can be exploited to steal data, execute remote code, enable lateral movement, or take over underlying systems. These dependencies may be introduced through techniques such as typosquatting, dependency confusion, or compromised repositories, increasing the risk of severe security breaches in containerized environments.
For more on this policy, see the article Malicious Dependencies.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Misconfiguration in container
Purpose: Identifies insecure or non-compliant configuration settings in container images and container runtime settings.
When enabling this policy, any container misconfiguration with a severity higher than the set limit triggers a security issue.
Business impact: Container misconfigurations can introduce security vulnerabilities that expose applications and infrastructure to attack. Issues related to base images, user permissions, network access, or file system settings can be exploited to gain unauthorized access or compromise running services, leading to severe business and security impacts.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Outdated dependency in container from user code or instruction
Purpose: Identifies libraries introduced into container images through user code or build instructions that are not using current versions.
When enabling this policy, any container misconfiguration with a severity higher than the set limit triggers a security issue.
Business impact: Outdated libraries may miss important security fixes and improvements available in newer versions. Continuing to use outdated dependencies increases exposure to known vulnerabilities and reduces the overall security and reliability of containerized applications.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Compare | When a major version is selected, there is no violation if the latest version of a library differs only by a minor version change. | Current setting: Major version drift
Major version drift | A violation occurs only if the difference between the latest major version and the deployed major version is greater than or equal to the drift. | Current setting
Days since update | Number of days a library that has a newer version can remain without being updated. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
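The two comparison modes above, major version drift and days since update, as an added worked example. This is not the product's own evaluation code: the settings model (OutdatedPolicy, the field names, the inventory records with a deployed version, a latest version and its release date) is assumed for illustration, and the inventory is constructed. It shows why a minor or patch bump never trips a major-drift check, and how the day-based check only applies to libraries that actually have a newer version.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumed settings model for the "Outdated dependency in container" policy.
# `compare` selects which check applies: "major_version_drift" or "days_since_update".
@dataclass
class OutdatedPolicy:
    compare: str = "major_version_drift"
    major_version_drift: int = 1   # violation when latest_major - deployed_major >= this value
    days_since_update: int = 90    # violation when a newer version has been available longer than this

VERSION_RE = re.compile(r"^\D*(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from strings such as '2.31.0' or 'v1.4'; missing parts are 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def major_version_drift(deployed, latest):
    return parse_version(latest)[0] - parse_version(deployed)[0]

def violates_major_drift(deployed, latest, drift):
    # A minor or patch bump alone gives drift 0, so with drift >= 1 it never violates.
    return major_version_drift(deployed, latest) >= drift

def violates_days_since_update(latest_released, today, max_days):
    # Days the newer version has existed while the image still ships the old one.
    return (today - latest_released).days > max_days

def evaluate_outdated(dep, policy, today):
    """dep has keys name, deployed, latest, latest_released (date). Returns (violates, reason)."""
    if parse_version(dep["latest"]) <= parse_version(dep["deployed"]):
        return False, "already on the latest version"
    if policy.compare == "major_version_drift":
        drift = major_version_drift(dep["deployed"], dep["latest"])
        bad = violates_major_drift(dep["deployed"], dep["latest"], policy.major_version_drift)
        return bad, f"major version drift {drift} (limit {policy.major_version_drift})"
    if policy.compare == "days_since_update":
        age = (today - dep["latest_released"]).days
        bad = violates_days_since_update(dep["latest_released"], today, policy.days_since_update)
        return bad, f"newer version available for {age} days (limit {policy.days_since_update})"
    raise ValueError(f"unknown compare mode: {policy.compare}")

# Constructed inventory of libraries pulled in by user code or build instructions.
INVENTORY = [
    {"name": "requests", "deployed": "1.8.2", "latest": "3.0.1", "latest_released": date(2024, 1, 10)},
    {"name": "pyyaml",   "deployed": "2.3.0", "latest": "2.9.4", "latest_released": date(2024, 1, 10)},
    {"name": "click",    "deployed": "8.1.7", "latest": "8.1.7", "latest_released": date(2023, 8, 17)},
]

def run(policy, today=date(2024, 6, 1)):
    """Evaluate every inventory entry; returns name -> (violates, reason)."""
    return {d["name"]: evaluate_outdated(d, policy, today) for d in INVENTORY}

if __name__ == "__main__":
    for mode in ("major_version_drift", "days_since_update"):
        print(f"--- compare = {mode}")
        for name, (bad, why) in run(OutdatedPolicy(compare=mode, major_version_drift=2)).items():
            print(f"{name}: {'VIOLATION' if bad else 'ok'} - {why}")
```

With a drift limit of 2, only `requests` (1.x to 3.x) violates; `pyyaml` sits two minor versions behind and passes, which is the behaviour the Compare setting describes. Switching to days since update flags both libraries whose newer version has been out longer than 90 days.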
PII in container
Purpose: Detects hardcoded personally identifiable information (PII) present within container images.
Business impact: Storing PII in container images increases the risk of data exposure and privacy violations. If container images are shared, reused, or accessed without proper controls, exposed PII may lead to regulatory non-compliance and loss of user trust.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Secret in container
Purpose: Detects hardcoded secrets in container images or exposed through insecure container configuration.
Business impact: Embedded or misconfigured secrets in container environments can expose sensitive information and enable unauthorized access. If secrets are included directly in images or improperly protected, attackers may exploit them to access systems or data, increasing the risk of breaches and loss of confidentiality.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Generate issue for base image secrets (toggle) | Enable/disable. | ON
Unapproved dependency license in container from user code or instruction
Purpose: Sets the specific licenses that are approved for use in open-source libraries. The policy detects whether any open-source library introduced into container images through user code or build instructions violates these settings.
Users can configure either a list of approved licenses or a list of unapproved licenses.
When this policy is enabled, any license not in the approved list is considered unapproved.
Business impact: Using dependencies with unapproved licenses in containers can create legal and compliance risks. License terms may conflict with organizational policies or legal obligations, potentially leading to intellectual property disputes or financial liability.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Approved licenses (SPDX format) | Add/remove licenses. Use the SPDX format to add. | Current setting
Not approved licenses (SPDX format) | Add/remove licenses. Use the SPDX format to add. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
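An added worked example of the two modes of this policy, an approved list where anything not listed is unapproved, and an unapproved list where only the listed licenses are blocked, applied to SPDX license expressions. This is not the product's own implementation: the evaluator, the function names and the constructed inventory are assumptions made here. It goes slightly beyond the single-license case in the text by handling SPDX `OR`, `AND`, parentheses and `WITH` exceptions, since a dependency declared as "MIT OR GPL-3.0-only" should pass an approved list containing MIT while "MIT AND GPL-3.0-only" should not.

```python
import re

# Tokens of an SPDX license expression: parentheses, the three operators, and identifiers.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")

class _SpdxEvaluator:
    """Recursive-descent evaluation of an SPDX expression against permitted(license_id) -> bool.
    OR is satisfied when any branch is permitted; AND requires every branch to be permitted."""

    def __init__(self, expr, permitted):
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0
        self.permitted = permitted

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):                      # expr := term (OR term)*
        ok = self.term()
        while self.peek() == "OR":
            self.take()
            ok = self.term() or ok       # evaluate the branch first so its tokens are consumed
        return ok

    def term(self):                      # term := factor (AND factor)*
        ok = self.factor()
        while self.peek() == "AND":
            self.take()
            ok = self.factor() and ok
        return ok

    def factor(self):                    # factor := '(' expr ')' | license [WITH exception]
        tok = self.take()
        if tok == "(":
            ok = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return ok
        if tok is None or tok in (")", "AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        lic = tok
        if self.peek() == "WITH":        # keep "GPL-2.0-only WITH Classpath-exception-2.0" as one id
            self.take()
            exception = self.take()
            if exception is None:
                raise ValueError("WITH without an exception identifier")
            lic = f"{lic} WITH {exception}"
        return self.permitted(lic)

def evaluate_license_policy(expr, approved=None, unapproved=None):
    """True when the dependency's SPDX expression satisfies the policy.
    Exactly one of `approved` / `unapproved` is configured, mirroring the policy's two modes."""
    if (approved is None) == (unapproved is None):
        raise ValueError("configure either an approved list or an unapproved list")
    if approved is not None:
        permitted = lambda lic: lic in approved          # anything not listed is unapproved
    else:
        permitted = lambda lic: lic not in unapproved    # only listed licenses are blocked
    ev = _SpdxEvaluator(expr, permitted)
    ok = ev.expr()
    if ev.peek() is not None:
        raise ValueError(f"trailing tokens in expression: {expr!r}")
    return ok

# Constructed inventory: dependency name -> declared SPDX expression.
INVENTORY = {
    "requests": "Apache-2.0",
    "pyyaml": "MIT",
    "readline-bindings": "GPL-3.0-only",
    "dual-licensed-lib": "MIT OR GPL-3.0-only",
    "combined-lib": "(MIT OR GPL-3.0-only) AND LGPL-2.1-only",
}

def find_violations(inventory, approved=None, unapproved=None):
    """Names of dependencies whose license expression the policy would flag."""
    return sorted(name for name, expr in inventory.items()
                  if not evaluate_license_policy(expr, approved, unapproved))

if __name__ == "__main__":
    print("approved list:", find_violations(INVENTORY, approved={"MIT", "Apache-2.0"}))
    print("unapproved list:", find_violations(INVENTORY, unapproved={"GPL-3.0-only"}))
```

Note the asymmetry between the two modes: under the approved list, `combined-lib` is flagged because LGPL-2.1-only is not listed, whereas under the unapproved list it passes, since the MIT branch of the OR is acceptable and LGPL-2.1-only is not blocked. Identifiers are matched exactly as entered, so the SPDX spelling in the policy list must match the one declared by the package.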
Unpopular dependency in container from user code or instruction
Purpose: Sets minimum popularity thresholds (stars/downloads/forks) for libraries introduced into container images through user code or build instructions. When this policy is enabled, any library detected below the set limits triggers a security issue.
Business impact: Libraries with very few users are less likely to be actively reviewed, maintained, or tested, which can increase security and stability risks. Using widely adopted libraries is generally safer, as they tend to be more stable and receive more frequent updates and community scrutiny.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | OFF
Stars count | Minimum number of stars. A policy violation occurs only when all arguments (forks, stars, and downloads, if available) are violated. | Current setting
Downloads count | Minimum number of downloads. A policy violation occurs only when all arguments (forks, stars, and downloads, if available) are violated. | Current setting
Forks count | Minimum number of forks. A policy violation occurs only when all arguments (forks, stars, and downloads, if available) are violated. | Current setting
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
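The "all arguments" rule above is easy to get backwards, so here is an added example of it (not the product's own code; the PopularityPolicy model, the metric names and the constructed inventory are assumptions). A library is flagged only when every metric that is available falls below its limit; a single strong metric, such as a high star count, is enough to pass, and a metric the registry does not report is left out of the decision rather than counted as a failure.

```python
from dataclasses import dataclass

# Assumed settings model for the "Unpopular dependency in container" policy.
@dataclass
class PopularityPolicy:
    min_stars: int = 100
    min_downloads: int = 1000
    min_forks: int = 10

def violates_popularity(metrics, policy):
    """metrics: dict with optional 'stars', 'downloads', 'forks' (None = not available).
    Returns True only when every available metric is below its limit."""
    limits = {"stars": policy.min_stars, "downloads": policy.min_downloads, "forks": policy.min_forks}
    checks = [metrics[key] < limit for key, limit in limits.items() if metrics.get(key) is not None]
    if not checks:
        return False   # assumption: with no popularity data at all there is nothing to judge
    return all(checks)

# Constructed inventory of libraries introduced through user code or build instructions.
INVENTORY = [
    {"name": "left-pad-clone",  "stars": 5,     "downloads": 20,   "forks": 1},     # every metric low
    {"name": "requests",        "stars": 50000, "downloads": 20,   "forks": 1},     # stars alone pass it
    {"name": "internal-helper", "stars": 5,     "downloads": None, "forks": 1},     # downloads unknown
    {"name": "mystery-lib",     "stars": None,  "downloads": None, "forks": None},  # no data at all
]

def find_unpopular(inventory, policy):
    """Names of libraries the policy would raise an issue for."""
    return [d["name"] for d in inventory if violates_popularity(d, policy)]

if __name__ == "__main__":
    print(find_unpopular(INVENTORY, PopularityPolicy()))
```

With the assumed limits this flags `left-pad-clone` and `internal-helper` only. The treatment of a library with no metrics at all is a choice this example makes, not something the page specifies; a stricter profile might prefer to flag it for manual review.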
Vulnerable dependency (CVE) in container from base image
Purpose: Detects known vulnerabilities in dependencies inherited from the container base image. When enabled, any CVE detected in a base image’s dependency with a severity higher than the set limit triggers a security issue.
Business impact: Base images often include operating system components and libraries that applications rely on to run. Vulnerabilities in these foundational components can be inherited by all containers built from the image, increasing the attack surface and risk of exploitation. Identifying base image vulnerabilities early helps ensure containers are built on secure, up-to-date foundations.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Vulnerable dependency (CVE) in container from operating system
Purpose: Detects known vulnerabilities in the operating system layer of container images. When this policy is enabled, any CVE detected in the container's operating system with a severity higher than the set limit triggers a security issue.
Business impact: Containers rely on an underlying operating system layer that may include outdated, vulnerable, or misconfigured components. Vulnerabilities at the OS level can increase the attack surface and be exploited to compromise containerized workloads. Identifying and addressing OS-level vulnerabilities helps reduce risk and strengthens the security posture of container environments.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Vulnerable dependency (CVE) in container from user code
Purpose: Detects known vulnerabilities in open-source libraries introduced into container images through user application code.
Business impact: Containers often include open-source libraries that may contain known vulnerabilities. If these vulnerabilities are not identified, they can be exploited to gain unauthorized access, expose data, or compromise systems. As the use of containers and open-source components increases, unaddressed vulnerabilities can significantly raise security risk.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Vulnerable dependency (CVE) in container from user instruction
Purpose: Detects known vulnerabilities in open-source libraries introduced into container images through user-defined build instructions in the Dockerfile. When this policy is enabled, any CVE detected in the container's Dockerfile instructions with a severity higher than the set limit triggers a security issue.
Business impact: Dependencies added through Dockerfile instructions may include open-source libraries with known vulnerabilities. If these vulnerabilities are not identified, they can be exploited to gain unauthorized access, expose data, or compromise containerized workloads. As container builds increasingly rely on custom instructions, unscanned dependencies can significantly increase security risk.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
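The four CVE policies above differ only in which layer a vulnerable dependency came from (base image, operating system, user code, or a Dockerfile instruction) and in the severity threshold each profile sets. As an added example, not the product's own code, the following routes constructed scanner findings to the matching policy and applies its "Show issues of severity" threshold. The severity scale, the origin tags, the CvePolicy model and the placeholder CVE identifiers are all assumptions; the business-priority adjustment is not modelled because the page does not state how it changes a severity.

```python
from dataclasses import dataclass

# Assumed severity scale, lowest first; "Info" corresponds to the dropdown value "All (including Info)".
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

# Assumed origin tags a scanner attaches to each dependency, mapped to the policy that covers them.
POLICY_FOR_ORIGIN = {
    "base_image":       "Vulnerable dependency (CVE) in container from base image",
    "os":               "Vulnerable dependency (CVE) in container from operating system",
    "user_code":        "Vulnerable dependency (CVE) in container from user code",
    "user_instruction": "Vulnerable dependency (CVE) in container from user instruction",
}

@dataclass
class CvePolicy:
    enabled: bool = True
    show_severity: str = "Info"   # lowest severity that becomes an issue; "Info" shows everything

def severity_at_least(severity, threshold):
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)

def evaluate_cve_findings(findings, policies):
    """Return the issues the per-origin CVE policies would raise for a list of scanner findings."""
    issues = []
    for f in findings:
        policy = policies[f["origin"]]
        if not policy.enabled:
            continue                                    # policy toggled OFF for this layer
        if not severity_at_least(f["severity"], policy.show_severity):
            continue                                    # below the profile's threshold
        issues.append({
            "policy": POLICY_FOR_ORIGIN[f["origin"]],
            "package": f["package"],
            "cve": f["cve"],
            "severity": f["severity"],
        })
    return issues

# Constructed findings; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    {"package": "openssl",          "origin": "base_image",       "cve": "CVE-EXAMPLE-0001", "severity": "High"},
    {"package": "zlib",             "origin": "base_image",       "cve": "CVE-EXAMPLE-0002", "severity": "Info"},
    {"package": "curl",             "origin": "os",               "cve": "CVE-EXAMPLE-0003", "severity": "Low"},
    {"package": "lodash",           "origin": "user_code",        "cve": "CVE-EXAMPLE-0004", "severity": "Medium"},
    {"package": "jackson-databind", "origin": "user_code",        "cve": "CVE-EXAMPLE-0005", "severity": "Critical"},
    {"package": "requests",         "origin": "user_instruction", "cve": "CVE-EXAMPLE-0006", "severity": "Critical"},
]

# Constructed profile: different thresholds per layer, and the user-instruction policy switched off.
POLICIES = {
    "base_image":       CvePolicy(enabled=True,  show_severity="Medium"),
    "os":               CvePolicy(enabled=True,  show_severity="Info"),
    "user_code":        CvePolicy(enabled=True,  show_severity="High"),
    "user_instruction": CvePolicy(enabled=False, show_severity="Info"),
}

def run(findings=FINDINGS, policies=POLICIES):
    return evaluate_cve_findings(findings, policies)

if __name__ == "__main__":
    for issue in run():
        print(f"{issue['severity']:<8} {issue['package']:<18} {issue['cve']}  <- {issue['policy']}")
```

With this profile the Critical finding pulled in by a Dockerfile `pip install` never becomes an issue because its policy is OFF, which is the practical reason to keep all four layer policies enabled: a disabled layer is a blind spot regardless of the thresholds on the others.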
Vulnerable dependency (CVE) in Java archive package
Purpose: Detects known vulnerabilities in Java archive (JAR) packages included in container images.
When enabled, any CVE detected in a dependency located in a JAR artifact with a severity higher than the set limit triggers a security issue.
Business impact: Java archive packages may contain critical security flaws that can be exploited if left unaddressed. Failing to identify vulnerabilities in these components can lead to unauthorized access, data exposure, and broader application compromise.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
Ignore Application Business Priority for severity calculation (checkbox) | When enabled, severity is not adjusted based on application priority. | OFF
Vulnerable dependency (CVE) in public image hosted in private registry
Purpose: Detects known vulnerabilities in public container images that are hosted or mirrored in private registries.
When enabled, any CVE detected in a privately hosted public image with a severity higher than the set limit triggers a security issue.
Business impact: Public images hosted on private registries may contain vulnerable dependencies that can be exploited. Failing to identify these vulnerabilities increases the risk of security breaches and operational disruption, even when images are stored in internal registries.

Setting | Description | Default
ON/OFF (toggle) | Enable/disable the policy. | ON
Show issues of severity (dropdown) | Limits which severities appear as issues. | All (including Info)
1. Open the Active Issues page.
2. Use the Category filter and select the policy category to view related active issues.
3. Use the Policy filter to narrow the list to a specific policy.
4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.
5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.
When you change a policy's severity, ON/OFF toggle, or any other setting, you must save the current profile or create a new one.
- To save the current profile, click SAVE in the page header.
- To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.