
Container security policies

Container security policies are a group of software quality policies used by the Spectra Assure platform to help you improve the security of your container images.


These policies are triggered during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, container security policies focus on preventing issues tied to container images that can make them more susceptible to attacks or security breaches if left unresolved. In this context, container security issues include exposed insecure ports, lack (or abundance) of defined instructions, and unnecessary administrative privileges in container image configuration files.

In Spectra Assure analysis reports, these policy violations are listed in the Issues > Container Security category. Advanced users of Spectra Assure can adjust how each issue is treated and add their own exceptions to policy configuration files.

Software developers and DevOps engineers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect an issue in a container image, its exact location is highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.

Supported container image formats

The Spectra Assure platform currently supports the following container image formats:

  • Docker
  • Open Container Initiative (OCI)
  • Linux Containers (LXD)

Security challenges and practices

Container images are immutable packages with all dependencies, configuration, metadata, and instructions needed for an application to run. Containers are runnable instances of container images that can be started on local machines, virtual machines, or deployed in the cloud. They contain all dependencies of an application, which allows you to deploy your software in any environment. This also makes applications run more quickly, as they contain everything they need, including access to the host system's kernel. Containers are isolated both from the system and from other containers, so they don't interfere with each other. Because of this, they're convenient for securely running any software that needs access to sensitive information without granting access rights to all users on the system.

However, container images often contain third-party code and open-source dependencies. These can carry vulnerabilities that the images, and the containers deployed from them, later inherit. Every configuration instruction in a container image forms its own separate layer. Each of these layers is a distinct attack surface that can conceal possible security issues or misconfigurations.

The use of containers has significantly increased in recent years due to their convenience, speed, and reliability across various environments. This in turn increases the need for organizations to implement the appropriate container security measures as an essential part of their cybersecurity strategy. Because containers are complex and ephemeral, and are deployed and scaled dynamically, container security measures are expected to be fully automated and included in all stages of the SDLC. This helps detect and remediate security issues before a containerized application is deployed.

To ensure that your containers are safe to run and distribute, adopt some of the following container security best practices:

  • Secure your container images by removing unnecessary components. The attack surface can also be reduced by using only base images from trusted sources and repeatedly scanning them. Avoid granting root access to containers and instead create a user profile for each container with specific permissions.
  • Secure your container infrastructure by segmenting your network to isolate containers carrying sensitive data. It is also crucial to expose only those ports that are safe and required for the containerized application to use.
  • Make sure your secrets, such as database credentials or SSL/encryption/API keys, are not stored directly inside your containers. Instead, store them in a secret management tool that will encrypt them and pass them to a container at its runtime.
  • Secure the target environment by hardening the underlying (host) operating system and limiting the number of accounts with administrative access to container resources.
  • If your company maintains its own container registry, make sure to frequently manage access to it. Images stored there need to be signed to protect them from tampering. They should also be regularly scanned to detect any potential vulnerabilities or outdated components that could be exploited.
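Several of the practices above can be checked directly in a Dockerfile: a non-root user, exposed ports, secrets stored in the image, and redundant instructions. The following linter sketch is an added example, not Spectra Assure's own rules or code; the port list, the secret-name pattern, and both sample Dockerfiles are assumptions constructed for illustration.

```python
import re

# Assumed sample lists for illustration; not Spectra Assure's actual policy rules.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP"}
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def parse(dockerfile):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        name, *rest = (buf + line).split(None, 1)
        yield start, name.upper(), rest[0] if rest else ""
        buf = ""

def audit(dockerfile):
    """Return [(line_no, message)]; line 0 marks a whole-file finding."""
    found, user, cmds = [], None, 0
    for no, name, args in parse(dockerfile):
        if name == "FROM":                       # each build stage starts over
            user, cmds = None, 0
        elif name == "USER":
            user = args.split(":")[0]
        elif name == "EXPOSE":
            ports = [p.split("/")[0] for p in args.split()]
            found += [(no, f"exposes {INSECURE_PORTS[int(p)]} port {p}")
                      for p in ports if p.isdigit() and int(p) in INSECURE_PORTS]
        elif name == "ENV":                      # key=value pairs, or legacy "KEY value"
            keys = re.findall(r"(\w+)=", args) or args.split()[:1]
            found += [(no, f"ENV {k} stores a secret in the image")
                      for k in keys if SECRET_NAME.search(k)]
        elif name == "CMD":
            cmds += 1
            if cmds > 1:
                found.append((no, "extra CMD; only the last one in a stage runs"))
    if user in (None, "root", "0"):
        found.append((0, "final stage runs as root"))
    return found

# Constructed samples: a weak Dockerfile and its corrected form.
WEAK = ('FROM debian:bookworm-slim\nENV DB_PASSWORD=example-only \\\n    APP_ENV=prod\n'
        'EXPOSE 23/tcp 8443\nCMD ["/usr/sbin/in.telnetd"]\nCMD ["/app/server"]\n')
HARDENED = ('FROM debian:bookworm-slim\nRUN useradd --system --uid 10001 app\n'
            'USER 10001:10001\nEXPOSE 8443\nCMD ["/app/server"]\n')
```

`audit(WEAK)` reports the secret-like `ENV` name, the Telnet port, the duplicate `CMD`, and the missing non-root `USER`; `audit(HARDENED)` returns an empty list.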

Container security policies can help you improve your organization's security posture and protect it from any potential threats. This way, your customers are confident that their data is kept safe, which in turn strengthens the reputation of your organization.

Policies in this category

Container security policies cover the following:

  • user privilege and file permission issues
  • insecure network access protocols
  • Dockerfile instructions issues