Container Security

Secure Kubernetes® and other container platforms on any public or private cloud, from build to run with Prisma Cloud.

Containers, Kubernetes and containers as a service (CaaS) have become mainstream ways to package and orchestrate services at scale. At the same time, container users need to ensure they have purpose-built security to address vulnerability management, compliance, runtime protection and network security requirements for their containerized applications.

Read Gartner’s report on cloud workload protection platforms.

Container security spanning the full application lifecycle

Prisma® Cloud scans container images and enforces policies as part of continuous integration and continuous delivery workflows, continuously monitors code in repositories and registries, and secures both managed and unmanaged runtime environments – combining risk prioritization with runtime protection at scale.
  • Support for public and private clouds
  • Single agent for managed and unmanaged environments
  • Full lifecycle security for repositories, images and containers
  • Vulnerability management
    Vulnerability management
  • Container compliance
    Container compliance
  • CI/CD security
    CI/CD security
  • Runtime defense
    Runtime defense
  • Access control
    Access control


Our approach to Container Security

Vulnerability management

Start with full visibility into all dependencies from containers during the build, deploy and run phases. Prisma Cloud aggregates and prioritizes vulnerabilities continuously in CI/CD pipelines and containers running on hosts or on containers as a service, in public and private clouds.

  • Prioritize remediation with guidance

    Establish risk prioritization across all known CVEs, remediation guidance and per-layer image analysis with vulnerability Top 10 lists.

  • Add guardrails with alerts and blocks for severity levels

    Control the alert and blocking severity level for individual and groups of services during build time and runtime.

  • Leverage unmatched accuracy

    Minimizing false positives with more than 30 upstream data sources. Prisma Cloud is focused on providing only accurate vulnerability information back to developers and security teams.

  • Surface vulnerability information throughout the lifecycle

    Integrate vulnerability management to scan repositories, registries, CI/CD pipelines and runtime environments.

Container compliance

Maintainers of container environments face unique configuration challenges compared to server based monoliths. Prisma Cloud provides more than 400 out-of-the-box and customizable compliance checks to improve posture in containerized environments.

  • Maintain an audit history of compliance over time

    See your total compliance rate with Prisma Cloud, based on continuous and up-to-date views of your container posture, as well as a thorough history of previous scans.

  • Control builds and deployments based on pre-built and custom policies

    Use templates from leading frameworks, including PCI DSS, HIPAA, GDPR, DISA STIG and NIST SP 800-190, and customize them to your organization’s needs.

  • Implement CIS Benchmarks and proprietary checks

    Leverage preconfigured checks from the CIS Benchmarks and Prisma Cloud’s research for Docker®, Kubernetes, Linux, Windows® and Istio™.

  • Set license compliance levels

    Automatically alert on and block licenses that don’t meet your organization’s requirements or require additional details, such as attribution.

  • Manage image trust

    Leverage trusted groups and trusted images to only allow safe images to reach production.

  • Add compliance checks during build and runtime

    Provide alerts and guardrails for misconfigurations at every step of the development lifecycle to decrease patch friction and prevent misconfigurations in production.

CI/CD security

The most effective strategy to securing containers is to catch and remediate issues at every step of the development lifecycle. CI/CD workflows offer an opportunity to embed automated security checks in existing development processes, reducing the load on both developers and security teams.

  • Scan repositories and registries for vulnerabilities and misconfigurations

    Check source code and images for vulnerabilities and compliance issues across repositories, such as GitHub, and registries, such as Docker, Quay, Artifactory and more.

  • Lock down deployments to vetted images

    Leverage trusted groups and trusted images to only allow safe images to reach production.

  • Integrate security into CI tooling

    Prisma Cloud includes integrations to alert on and block images with issues from CI tools, such as Jenkins, GitHub Actions, CircleCI, AWS CodeBuild, Azure DevOps, Google Cloud Build and more.

  • Provide software composition analysis (SCA) at every stage

    Provide feedback on package vulnerabilities and open source licenses from the CLI and repository scans.

Runtime defense

Containers scale automatically while running in a variety of environments. Prisma Cloud secures ephemeral containers using predictive and threat-based protection without adding overhead. Our agent secures containers running stand-alone on vanilla and managed Kubernetes as well as CaaS environments.

  • Simplify security with a single agent and console

    Leverage support for containers in cloud and on-premises environments across all unmanaged and managed offerings and all CRI compliant runtimes.

  • Detect anomalous behavior automatically

    Automatically profile running containers based on processes, networking and file system behavior and detects and blocks known-bad and anomalous behavior.

  • Gain network visibility across environments

    View all container network communications across your cloud environments in real time.

  • Respond to incidents quickly with automatically captured forensic details

    View the history of events that led up to and followed an incident for threat hunting and lifecycle analysis.

Access control

Container runtimes and Kubernetes defaults create overly permissive access. Prisma Cloud locks down user and control plane access to Docker and Kubernetes to decrease the attack surface area.

  • Control Docker command access

    Add fine-grained control over which user should have access to run Docker commands on a per-environment basis.

  • Inject secrets safely into containers

    Prisma Cloud integrates with secrets management tools, like CyberArk and HashiCorp, to secure secrets and securely provide them to containers as needed.

  • Simplify policy enforcement with managed Open Policy Agent

    Simplify the creation of policy as code and enforce OPA’s decisions.

  • Automate and aggregate detailed logging

    Audit events for vulnerabilities, compliance violations and runtime events are automatically generated, collected and aggregated in a single, searchable dashboard.

Prisma Cloud
Prisma Cloud
Prisma Cloud delivers the industry’s broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across multi- and hybrid-cloud environments.

Cloud Workload Protection modules

Host Security

Secure virtual machines (VMs) on any public or private cloud.

Container Security

Secure Kubernetes and other container platforms on any public or private cloud.

Serverless Security

Secure serverless functions across the full application lifecycle.

Web Application & API Security

Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.