Product Advantages

  • Uniform Security Management

    Manage the security of all your container images in a Cloud Container Engine (CCE) cluster on a single console.
  • Extensive Vulnerability Library

    Accurately detect over 100,000 container image vulnerabilities.
  • Container Escape Detection

    Take advantage of the 10 types and 100 subtypes of built-in rules to detect and block container escape attacks.
  • Lightweight Agent

    The CGS agent runs as a container requiring minimal CPU and memory, never affecting the running of other containers.

Application Scenarios

  • Container Image Security

  • Container Runtime Security

Container Image Security

External images, including those downloaded from Docker Hub, contain vulnerabilities. Image vulnerabilities can also be inadvertently introduced through the use of open-source frameworks. It is time-consuming to manually find and fix all the vulnerabilities.

Functions

Vulnerability Management for SWR

You can use CGS to scan images in SWR for vulnerabilities, malicious files, and unsafe settings, and to eliminate them.

Vulnerability Management for Running Images

CGS scans running images for vulnerabilities and gives you suggestions for mitigation.

Official Image Vulnerability Scan

CGS periodically scans for and helps you fix Docker image vulnerabilities.

Container Runtime Security

Container behaviors are immutable. CGS helps enterprises develop a whitelist of container behaviors to ensure that containers run with the minimum permissions required and are secure against threats.

Functions

Malicious Program Detection

CGS can detect malicious programs, such as miners, ransomware, and Trojans.

Process Whitelist

You can whitelist good processes while blocking anything anomalous, such as abnormal processes, privilege escalation attacks, and unapproved operations.

File Protection

You can set your important file directories to read-only to protect files from modification.


Container Escape Detection

CGS accurately detects escapes, such as shocker attacks, process privilege escalation, Dirty COW, and brute-force cracking.


Functions

  • Container Image Security

    CGS scans images that are running or displayed in your image list, and provides suggestions on how to fix vulnerabilities and malicious files.
  • Container Security Policies

    You can configure security policies, whitelist container processes, and set protected files to minimize the permissions required to run containers, improving system and application security.
  • Container Runtime Security

    CGS monitors statuses of containers in nodes and can detect miners, ransomware, malicious processes, file modifications that violate container security policies, and container escape behaviors.
  • SWR Image Scan
    You can scan images in SWR for vulnerabilities, unsafe settings, and malicious code.
  • Running Image Scan
    You can scan images in CCE for CVE vulnerabilities and other risks.
  • Official Image Scan
    CGS periodically scans official Docker images for vulnerabilities.
  • Process Whitelist
    Alarms are triggered if non-whitelisted processes are started. This prevents abnormal processes, privilege escalation attacks, and violations.
  • File Protection
    Read-only permissions should be configured for critical application directories (such as bin, lib, and usr directories) in the container to prevent tampering and attacks. If you set these directories to read-only, CGS will protect them from security threats such as file tampering.
  • Container Escape Detection
    CGS uses rules and machine learning technologies to accurately detect escape behaviors on servers, including shocker attacks, process privilege escalation, Dirty COW, and brute-force attacks.
  • Abnormal Program Detection
    CGS can detect the startup of processes that violate security policies and malicious programs such as miners, ransomware, Trojans, and other viruses.
  • Abnormal File Detection
    CGS can detect file access that violates security policies, so you can detect intrusion into and tampering with sensitive files.
  • Container Runtime Check
    CGS checks for abnormal container runtime behavior, including abnormal startups and improper configurations.
