Centrally manages the security status of containers and images running on all nodes in the CCE cluster.
Extensive Vulnerability Database
Accurately detects over 100,000 image vulnerabilities.
Container Escape Detection
Effectively detects container escape through built-in container escape rules.
Features a lightweight CGS agent that runs as a container and requires minimal CPU and memory resources.
Container and Image Security
External images, including those downloaded from Docker Hub, can contain vulnerabilities. Image vulnerabilities can also be introduced inadvertently through the open source frameworks an image builds on.
Runs vulnerability scans on running images and provides mitigation actions.
Performs vulnerability analysis for images in the image repository.
Container Runtime Protection
A container's expected behavior is fixed when its image is built. CGS helps enterprises develop a whitelist of container behaviors so that containers run with the minimum permissions required and are secured against potential threats.
Whitelists good processes while blocking anything anomalous, such as abnormal processes, privilege escalation attacks, and unapproved operations.
Sets key file directories to read-only so that critical files in the container cannot be modified.
Effectively detects escapes such as shocker, privilege escalation, Dirty COW, and brute-force cracking.
CGS scans all running container images on a node to detect vulnerabilities, and provides mitigation actions.
CGS provides security policy configuration to help enterprises formulate container process whitelists and file protection lists. Because containers then run with only the permissions they require, system and application security is strengthened.
Monitors the running status of containers to detect abnormal processes, file modifications, and container escapes.
− Container process whitelist: The process whitelist function provided by CGS can effectively prevent security risks such as abnormal processes, privilege escalation attacks, and unapproved operations.
− File protection: Read-only permissions should be configured for key application directories (such as the bin, lib, and usr directories) in the container to prevent file tampering and attacks by hackers. The file protection function provided by CGS helps achieve such read-only configurations.
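The two policy types above, a per-image process whitelist and a file protection list of read-only directories, can be illustrated with a small evaluator. This is an added example, not CGS code: the policy, image name and runtime events are constructed for illustration, and the privilege-escalation heuristic (a process gaining uid 0 from a non-root parent) is an assumption about what such a rule might look like.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    allowed_processes: frozenset   # executables the image is expected to run
    protected_dirs: tuple          # key directories that must stay read-only

@dataclass(frozen=True)
class Event:
    container: str
    image: str
    kind: str        # "exec" or "file_write"
    path: str        # executable path (exec) or written path (file_write)
    uid: int         # effective uid of the acting process
    parent_uid: int  # effective uid of its parent process

# Hypothetical policy for an nginx image (constructed for this example).
POLICIES = {
    "nginx:1.25": Policy(frozenset({"/usr/sbin/nginx"}), ("/bin", "/lib", "/usr")),
}

def is_under(path, directory):
    """True if the normalised path lies inside directory ('..' segments resolved)."""
    norm = posixpath.normpath(path)
    return norm == directory or norm.startswith(directory.rstrip("/") + "/")

def evaluate(events, policies=POLICIES):
    """Return (container, reason) alerts for events that violate the policy."""
    alerts = []
    for e in events:
        pol = policies.get(e.image)
        if pol is None:
            alerts.append((e.container, f"no policy for image {e.image}"))
        elif e.kind == "exec":
            if e.path not in pol.allowed_processes:
                alerts.append((e.container, f"abnormal process {e.path}"))
            if e.uid == 0 and e.parent_uid != 0:   # non-root parent spawned root: escalation
                alerts.append((e.container, f"privilege escalation to root via {e.path}"))
        elif e.kind == "file_write":
            if any(is_under(e.path, d) for d in pol.protected_dirs):
                alerts.append((e.container, f"write to protected directory: {e.path}"))
    return alerts

# Constructed sample events, standing in for what a node agent would report.
SAMPLE_EVENTS = [
    Event("web-1", "nginx:1.25", "exec", "/usr/sbin/nginx", 101, 0),           # worker: OK
    Event("web-1", "nginx:1.25", "exec", "/usr/bin/curl", 101, 101),           # not whitelisted
    Event("web-1", "nginx:1.25", "exec", "/usr/bin/su", 0, 101),               # both rules fire
    Event("web-1", "nginx:1.25", "file_write", "/usr/lib/../bin/x", 0, 0),     # resolves under /usr
    Event("web-1", "nginx:1.25", "file_write", "/var/cache/nginx/x", 101, 0),  # allowed
    Event("job-7", "unknown:latest", "exec", "/bin/sh", 0, 0),                 # no policy
]

def demo():
    return evaluate(SAMPLE_EVENTS)
```

Path normalisation in `is_under` matters: without it a write to `/usr/lib/../bin/x` would not match the `/usr` protection entry.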