Container Security Beyond Scanning: Runtime Protection and Supply Chain Integrity

Container security has four distinct layers, each requiring different controls:

Layer 1: Supply chain and build-time integrity What goes into the image? Is the base image from a trusted source? Are dependencies from a verified registry? Has the build pipeline been tampered with?

Layer 2: Image configuration and posture Is the image hardened? Does it run as root? Does it include unnecessary tools (curl, wget, bash) that aid attackers? Are secrets baked into the image?

Layer 3: Runtime behavior Is the running container doing what it is supposed to do? Has it spawned unexpected processes, made unexpected network connections, or accessed unexpected files?

Layer 4: Orchestration-level controls (Kubernetes) Are Pods configured securely? Are NetworkPolicies applied? Are RBAC permissions scoped correctly? Is the API server accessible only to authorized clients?

Most organizations have partial coverage of Layer 2 (image scanning) and no coverage of Layers 1, 3, or 4. The risk is concentrated in what they are not monitoring.

Software supply chain attacks against container environments target the build pipeline and dependency resolution — not the application code itself.

Software Bill of Materials (SBOM): An SBOM is a machine-readable inventory of every component in a container image — OS packages, language libraries, binaries. Generate SBOMs at build time using Syft or Grype. Store them alongside the image in the registry. When a new CVE drops (e.g., Log4Shell), query your SBOM inventory to identify which images are affected within minutes — not days.

Image signing with Sigstore/Cosign: Signing container images creates a cryptographic attestation that the image was built by your pipeline and has not been tampered with since. Sigstore's Cosign tool integrates with GitHub Actions, GitLab CI, and Tekton. Signed images are stored alongside the image in the registry (OCI 1.1 format). Admission controllers can require valid signatures before allowing image execution in the cluster.

SLSA (Supply Levels for Software Artifacts): SLSA is a framework for build provenance — a cryptographically signed record of how an artifact was built, from which source commit, by which system. SLSA Level 2 requires a hosted build service generating signed provenance. Level 3 adds requirements for tamper-resistant build infrastructure. SLSA provenance is queryable: you can verify that a production image was built from a specific git commit by an authorized pipeline.

Dependency verification: Lock dependency files (go.sum, package-lock.json, Pipfile.lock) and verify hashes at build time. Do not pull 'latest' from upstream registries — pin to specific digest hashes. Use a private registry mirror (Harbor, AWS ECR, Artifactory) that can enforce allowlists on base images.

Image configuration choices create attack surface independent of CVE count.

Run as non-root: Images that run as root within the container can escalate to host root if a container escape vulnerability exists. Use USER directive in Dockerfile to specify a non-root UID. Kubernetes PodSecurity admission can enforce this cluster-wide.

Minimize image contents: Attack tools (curl, wget, nc, bash, python) present in production images increase the capability of an attacker who achieves code execution. Use distroless base images (Google's distroless series) or multi-stage builds that copy only the compiled binary into a minimal base. No shell means significantly reduced attacker capability.

Read-only root filesystem: Setting readOnlyRootFilesystem: true in the Pod spec prevents attackers from writing malicious files to the container filesystem. Applications that need writable directories can mount tmpfs volumes for specific paths.

Dropped capabilities: Linux capabilities allow fine-grained privilege grants. Most containers need zero Linux capabilities. Drop all capabilities by default (drop: [ALL]) and add back only those the application explicitly requires (e.g., NET_BIND_SERVICE if binding to a port below 1024).

No secrets in images: Scan images for embedded credentials using Trufflehog or Detect-Secrets in the build pipeline. Use Kubernetes Secrets (or external secret managers — HashiCorp Vault, AWS Secrets Manager) mounted at runtime rather than baked into image layers.

Runtime security tools monitor container behavior against a behavioral baseline and alert when containers deviate — spawning unexpected processes, making unexpected network connections, or accessing unexpected files.

How runtime detection works: Falco (CNCF project), Sysdig Secure, Aqua, and StackRox use eBPF or kernel module interception to observe system calls from every container. They evaluate each system call against policy rules. Example Falco rule: 'Alert when a container spawns a shell process.' This catches post-exploitation regardless of whether the attacker used a known exploit.

High-value runtime detection rules:

• Shell spawned in a container (bash, sh, zsh, dash) — catches interactive attacker access
• Unexpected outbound network connection to an external IP — catches C2 callback
• Write to /etc, /bin, /usr/bin — catches persistence mechanisms
• Process execution of known attack tools (curl, wget, nc, nmap, python) — catches post-exploitation activity
• Container escape indicators (host mount access, /proc/sysrq-trigger access, ptrace on host processes)
• Sensitive file access (/etc/shadow, /etc/kubernetes/pki, service account token files)

Runtime policy enforcement: Beyond alerting, runtime tools can kill containers or block syscalls that violate policy (using seccomp profiles). Seccomp profiles define which system calls a container is permitted to make — a tight seccomp profile reduces the syscall surface available for container escape exploitation.

Admission controllers intercept API server requests and enforce policy before resources are created. They are the enforcement layer for image signing requirements, Pod security standards, and namespace-level guardrails.

Built-in admission controllers: Kubernetes 1.25+ includes Pod Security Admission (PSA) built in, replacing the deprecated PodSecurityPolicy. PSA enforces security profiles at the namespace level:

• privileged: No restrictions (default)
• baseline: Prevents known privilege escalation (no privileged containers, no host namespaces, no dangerous capabilities)
• restricted: Enforces security best practices (non-root, read-only filesystem, dropped capabilities, seccomp required)

Apply at minimum baseline to all namespaces; restricted to namespaces running untrusted or multi-tenant workloads.

External admission webhooks: External admission controllers (OPA/Gatekeeper, Kyverno) allow custom policy definition in Rego or YAML. Common uses:

• Require signed images (validate Cosign signatures before allowing image pull)
• Enforce image registry allowlists (only allow images from internal registry)
• Require specific labels for all Pods (owner, team, environment)
• Block privileged containers, hostPath mounts, host network usage

Policy as code: Admission control policies belong in version control alongside application code. Test policies against known-good and known-bad manifests in CI before deploying to the cluster. Kyverno's policy reports provide ongoing compliance scanning of existing resources.

Container escape attacks move from container-level code execution to host-level compromise. The techniques exploit misconfigurations more often than CVEs.

Common container escape vectors:

Privileged containers: A container running with privileged: true has full access to host devices and can mount the host filesystem trivially. Privileged containers are equivalent to root on the host. Never use privileged containers in production; replace with specific capability grants.

Mounted host paths: hostPath volume mounts that include /, /proc, /sys, or /etc give a container near-complete host access. Audit all hostPath mounts; restrict to specific safe paths (e.g., /var/log) with read-only access where possible.

Docker socket mounting: Mounting the Docker socket (/var/run/docker.sock) into a container allows that container to control the Docker daemon and spawn new privileged containers. This is a complete container escape. CI/CD systems that need Docker-in-Docker should use rootless Podman or Kaniko instead.

Lateral movement between pods: By default, all pods in a Kubernetes cluster can communicate with all other pods across all namespaces. NetworkPolicies define allowed traffic patterns — they are the container equivalent of microsegmentation. Apply default-deny NetworkPolicies in every namespace, then allowlist only the specific pod-to-pod connections the application requires.

Layer 1 (Supply chain): Sigstore/Cosign for image signing, Syft for SBOM generation, Grype for vulnerability scanning against SBOMs, Trufflehog for secrets detection in build artifacts.

Layer 2 (Image scanning and hardening): Trivy (broad CVE, IaC, and secret scanning), Grype (SBOM-based vulnerability scanning), Dockle (Dockerfile best practice linting), hadolint (Dockerfile static analysis).

Layer 3 (Runtime): Falco (open-source runtime security), Sysdig Secure (commercial Falco-based), Aqua Security, Prisma Cloud (formerly Twistlock), StackRox/OpenShift ACS.

Layer 4 (Kubernetes posture): kube-bench (CIS Benchmark compliance checks), Polaris (workload configuration analysis), Kubescape (NSA/CISA hardening guide compliance), Kyverno or OPA/Gatekeeper (policy enforcement).

Commercial platforms (Wiz, Orca, Lacework, Aqua, Sysdig) provide unified coverage across Layers 1-4 with a single agent and management plane, reducing operational complexity at the cost of licensing spend.