Container Guard Service

The Container Guard Service (CGS) can scan for vulnerabilities in container images and provide container security policy settings and anti-escape capabilities.

Participate in the Open Beta Test and get a free trial.

Product Advantages
  • Uniform Management

    Centrally manages the security status of containers and images running on all nodes in the CCE cluster.

  • Extensive Vulnerability Database

    Accurately detects over 100,000 image vulnerabilities.

  • Container Escape Detection

    Effectively detects container escape through built-in container escape rules.

  • Lightweight Agent

    Features a lightweight CGS agent that runs as a container and requires minimal CPU and memory resources.

Application Scenarios
  • Container and Image Security

  • Container Runtime Protection

Container and Image Security

Container and Image Security

External images, including those downloaded from Docker Hub, contain vulnerabilities. Image vulnerabilities can also be inadvertently introduced through the use of open source frameworks.


Vulnerability Management for Running Images

Runs vulnerability scans on running images and provides mitigation actions.

Vulnerability Management for Images in the Image Repository (Coming Soon)

Performs vulnerability analysis for images in the image repository.

Related Services




Container Runtime Protection

Container Runtime Protection

Container behaviors are immutable. CGS helps enterprises develop a whitelist of container behaviors to ensure that containers run with the minimum permissions required and secure containers against potential threats.


Process Whitelist

Whitelists good processes while blocking anything anomalous, such as abnormal processes, privilege escalation attacks, and unapproved operations.

File Protection

Sets the key file directory to read-only to protect key files in the container from being modified.

Container Escape Detection

Effectively detects escapes such as shocker, process escalation, Dirty COW, and brute-force cracking.

Related Services




  • Vulnerability Management

    CGS scans all running container images in a node to detect vulnerabilities, and provides mitigation actions.

  • Security Policy

    CGS provides security policy configuration to help enterprises formulate container process whitelists and file protection lists. Because containers run with the minimum permissions required, system and application security is strengthened.

  • Runtime Monitoring

    Monitors the running status of containers to detect abnormal processes, file modifications, and container escapes.

Vulnerability Management

Security Policy

− Container process whitelist The process whitelist function provided by CGS can effectively prevent security risks, such as abnormal processes, privilege escalation attacks, and violation operations.

− File protection Read-only permissions should be configured for key application directories (such as bin, lib, and usr directories) in the container to prevent file tampering and attacks by hackers. The file protection function provided by CGS helps achieve such read-only configurations.

Runtime Monitoring

Usage Guides

Create an Account and Experience HUAWEI CLOUD for Free

Register Now