Product Advantages
-
Uniform Security Management
Manage the security of all container images in a Cloud Container Engine (CCE) cluster from a single console.
-
Extensive Vulnerability Library
Detect over 100,000 known vulnerabilities in container images.
-
Container Escape Detection
Use the 10 types and 100 subtypes of built-in rules to detect and block container escape attacks.
-
Lightweight Agent
The CGS agent runs as a container with minimal CPU and memory requirements, so it does not interfere with the other containers on the node.
Application Scenarios
Container Image Security
External images, including those pulled from Docker Hub, may contain vulnerabilities, and vulnerabilities can also be introduced inadvertently through the open-source frameworks an image is built on. Finding and fixing all of them by hand is time consuming.
Functions
You can use CGS to scan images in Software Repository for Container (SWR) for vulnerabilities, malicious files, and unsafe settings, and to fix what it finds.
CGS scans running images for vulnerabilities and suggests mitigations.
CGS periodically scans for Docker image vulnerabilities and helps you fix them.
Container Runtime Security
A container's expected behavior is fixed when its image is built. CGS helps enterprises build a whitelist of permitted container behaviors so that containers run with the minimum permissions required and are protected against threats.
Functions
CGS detects malicious programs such as miners, ransomware, and Trojans.
You can whitelist legitimate processes and block anything anomalous, such as unexpected processes, privilege escalation attempts, and unapproved operations.
You can set important file directories to read-only to protect their files from modification.
CGS detects container escapes and related attacks, such as Shocker attacks, process privilege escalation, Dirty COW, and brute-force cracking.
Functions
-
Container Image Security
CGS scans the images that are running or listed in your image list and suggests how to fix the vulnerabilities and malicious files it finds.
-
Container Security Policies
You can configure security policies, whitelist container processes, and designate protected files to minimize the permissions a container needs, improving system and application security.
-
Container Runtime Security
CGS monitors the status of containers on each node and detects miners, ransomware, malicious processes, file modifications that violate container security policies, and container escape behaviors.
-
SWR Image Scan
Scan images stored in SWR for vulnerabilities, unsafe settings, and malicious code.
-
Running Image Scan
Scan the images running in CCE for CVE vulnerabilities and other risks.
-
Official Image Scan
CGS periodically scans official Docker images for vulnerabilities.
-
Process Whitelist
An alarm is triggered whenever a process that is not on the whitelist is started, which surfaces abnormal processes, privilege escalation attacks, and policy violations.
-
File Protection
Configure read-only permissions for critical application directories in the container (such as bin, lib, and usr) to prevent tampering. Once these directories are set to read-only, CGS protects them against threats such as file tampering.
-
Container Escape Detection
CGS combines rules and machine learning to detect escape behaviors on nodes, including Shocker attacks, process privilege escalation, Dirty COW, and brute-force attacks.
-
Abnormal Program Detection
CGS detects the startup of processes that violate security policies, as well as malicious programs such as miners, ransomware, Trojans, and other malware.
-
Abnormal File Detection
CGS detects file access that violates security policies, so intrusions into and tampering with sensitive files are surfaced.
-
Container Runtime Check
CGS checks for abnormal container runtime conditions, including abnormal startup and improper configurations.
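To make the Container Security Policies, Process Whitelist, and File Protection items concrete, here is an added Python example of how such a runtime policy is evaluated. It is illustrative code written for this page, not the CGS agent or its rule format; the policy and event fields, the container and image names, and the sample events are constructed assumptions. The detail a practitioner wants is path handling: an executable or write target containing `..` must be normalized before it is compared, and a protected directory `/usr` must not match `/usr2`.

```python
"""Evaluate a per-image process whitelist and read-only directory policy over
container runtime events. Illustrative code; not CGS's agent or rule format."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    image: str                  # image the policy applies to (assumed field)
    allowed_processes: frozenset  # absolute executable paths that may start
    protected_dirs: tuple       # directories treated as read-only


@dataclass(frozen=True)
class Event:
    container: str  # container ID (constructed for this example)
    image: str
    kind: str       # "exec" (process start) or "file_write"
    path: str       # executable path for exec, target path for file_write


def normalize(path):
    """Collapse '.', '..' and duplicate slashes so '/usr/lib/../bin/sh' is
    compared as '/usr/bin/sh'; relative paths are anchored at '/'."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def under(path, directory):
    """True if path is directory itself or lies beneath it. The trailing
    slash prevents '/usr' from matching '/usr2/...'."""
    d = normalize(directory).rstrip("/") + "/"
    p = normalize(path)
    return p + "/" == d or p.startswith(d)


def evaluate(policies, events):
    """Return (container, reason, path) alarms for events that violate policy.
    A container whose image has no policy is reported rather than ignored."""
    by_image = {p.image: p for p in policies}
    allowed = {p.image: {normalize(x) for x in p.allowed_processes} for p in policies}
    alarms = []
    for ev in events:
        policy = by_image.get(ev.image)
        if policy is None:
            alarms.append((ev.container, "no policy for image", ev.path))
            continue
        if ev.kind == "exec":
            if normalize(ev.path) not in allowed[ev.image]:
                alarms.append((ev.container, "non-whitelisted process", ev.path))
        elif ev.kind == "file_write":
            for d in policy.protected_dirs:
                if under(ev.path, d):
                    alarms.append((ev.container, f"write to read-only dir {d}", ev.path))
                    break
    return alarms


# Constructed sample policy and events (not real CGS data).
POLICIES = [
    Policy(image="nginx:1.25",
           allowed_processes=frozenset({"/usr/sbin/nginx", "/bin/sh"}),
           protected_dirs=("/bin", "/lib", "/usr")),
]

EVENTS = [
    Event("nginx-7c9", "nginx:1.25", "exec", "/usr/sbin/nginx"),            # allowed
    Event("nginx-7c9", "nginx:1.25", "exec", "/usr/sbin/../sbin/nginx"),    # allowed after normalize
    Event("nginx-7c9", "nginx:1.25", "exec", "/tmp/xmrig"),                 # miner: alarm
    Event("nginx-7c9", "nginx:1.25", "file_write", "/var/cache/nginx/1"),   # writable area
    Event("nginx-7c9", "nginx:1.25", "file_write", "/usr/lib/../bin/sh"),   # /usr/bin/sh: alarm
    Event("nginx-7c9", "nginx:1.25", "file_write", "/usr2/notes"),          # not under /usr
    Event("worker-3a1", "ghcr.io/acme/worker:2", "exec", "/bin/sh"),       # no policy: alarm
]


def demo():
    """Run the sample events through the policy and return the alarms."""
    return evaluate(POLICIES, EVENTS)


if __name__ == "__main__":
    for container, reason, path in demo():
        print(f"{container}: {reason} ({path})")
```

Blocking, as opposed to alarming, is a separate enforcement step that the evaluator above does not perform; its job is only to decide which events violate the whitelist or the read-only directories.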