All news with #container security tag

🔒 Researchers disclosed a vulnerability in Gitea that allowed unauthenticated remote attackers to pull private container images from affected deployments without credentials. Tracked as CVE-2026-27771, the issue affects all Gitea versions prior to 1.26.2, which contains the fix. Noscope estimates more than 30,000 deployments globally may be impacted, spanning healthcare, aerospace, retail, and ISPs. Users are advised to update to 1.26.2 or enable REQUIRE_SIGNIN_VIEW as a temporary mitigation.

🔒 Kaspersky Container Security (KCS) is presented as a comprehensive platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation, and cluster runtime monitoring to tie findings to specific artifacts, pipelines, and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and standard formats to integrate with AppSec and internal tooling.

📦 AWS Transform now automates replatforming to containers during migrations, extending its agentic AI to generate Dockerfiles, build images, and publish to Amazon ECR. It supports repositories from GitHub, Bitbucket, GitLab, or .zip sources and builds deployment artifacts for Amazon ECS and Amazon EKS. Integrated security scanning and Terraform and Helm outputs simplify operations. Available in all Regions where AWS Transform is offered.

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.

⚙️ At Google Cloud Next '26, Google announced Fluid Compute and a broad set of compute, networking, and storage updates to support both traditional and agentic AI workloads with better performance and lower cost. Key moves include GA of the Arm-based Axion N4A, a GKE Agent Sandbox running on Axion, previews of bare-metal Axion C4A.metal and network-optimized C4N, and expanded Flexible Committed Use Discounts. The changes emphasize elastic scaling for spiky agent workloads, isolated runtime sandboxes, and higher I/O and VM-to-VM bandwidth to reduce contention and TCO.

🔧 Amazon Elastic Container Service now includes NVIDIA GPU health monitoring and auto repair for ECS Managed Instances. The capability leverages NVIDIA Data Center GPU Manager (DCGM) to detect critical GPU hardware failures and proactively replace impaired instances to maintain availability for GPU-accelerated container workloads. You can view GPU health via the DescribeContainerInstances API and receive notifications through Amazon EventBridge. Auto repair is enabled by default on supported instances at no additional cost and is available in all AWS Commercial Regions.

🔁 Amazon Elastic Container Registry (Amazon ECR) now automatically discovers and caches OCI referrers — including image signatures, SBOMs, and attestations — from upstream registries for repositories configured with pull through cache. Previously, referrers had to be listed and fetched manually because ECR would not return or sync them for cached repositories. With this change, referrers API requests reach upstream and automatically cache related artifacts, enabling end-to-end signature verification, SBOM discovery, and attestation retrieval without client-side workarounds. The feature is available today in all Regions where Amazon ECR pull through cache is supported.

🧰 Cloudflare has declared Sandboxes and Cloudflare Containers generally available, delivering persistent, isolated development environments tailored for AI agents and human developers. Key additions include secure credential injection via an egress proxy, PTY-backed WebSocket terminals, persistent Python/JavaScript/TypeScript interpreters, filesystem event streams, background dev servers with public preview URLs, and fast disk-state snapshots. Higher instance limits and Active CPU Pricing reduce cost and improve scalability; the SDK is at version 0.8.9.

🔍 The State of Trusted Open Source report analyzes Chainguard customer usage and security data from Dec 1, 2025 through Feb 28, 2026, covering 2,200+ container image projects, 33,931 fix instances, and 377 unique CVEs. It shows AI-driven development accelerating adoption of Python and PostgreSQL, broader standardization around language ecosystems, and the rise of chainguard-base as a minimal foundation. Vulnerability discovery and remediation scaled dramatically—unique CVEs rose 145% and fixes tripled—while median remediation time remained about 2.0 days. The report highlights persistent long-tail risk and a notable increase in FIPS-driven adoption.

🛡️ Amazon Elastic Container Service (ECS) introduces Managed Daemons for ECS Managed Instances, enabling platform teams to centrally deploy and manage security, observability, and networking agents independently of application tasks. ECS guarantees exactly one daemon task per managed instance and ensures daemons are running before application placement, improving coverage and resource efficiency. Updates are handled by draining and replacing instances with circuit breaker and rollback protections; the feature is available in all AWS Regions with no additional service cost beyond compute.

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering or compromising a controller—most commonly via a MutatingWebhookConfiguration—an attacker can intercept pod-creation requests and inject a covert sidecar, turning the cluster’s control loop into a self-healing backdoor. These injections are often invisible to casual inspection, survive pod restarts and upgrades, and can be disguised under benign names. Teams should audit webhooks, monitor RoleBindings and OwnerReferences, and restrict webhook registration to reduce this risk.

🔒 Amazon Elastic Container Registry (Amazon ECR) pull through cache now supports Chainguard as an upstream registry, enabling customers to cache private Chainguard images within ECR. This feature synchronizes frequently with Chainguard's registry so images stay up to date without extra tooling. Cached images can be managed with ECR capabilities like image scanning and lifecycle policies, and the pull through cache is available in all AWS Regions where ECR supports it. By centralizing Chainguard images in ECR, customers gain improved availability, manageability, and security posture.

🔒 Visit AWS at booth S-0466 in South Expo to experience interactive demos, partner integrations, and an AI-powered Humanoid Security Guardian that generates customized well-architected guides via QR code. AWS security specialists will present sessions on privacy-by-design, trusted identity for autonomous agents, container supply-chain protection, and preparing for AI-native incidents. Join hands-on workshops and CTF challenges in Cloud Village, March 23–26, and use a Partner Passport to collect booth stamps, earn swag, and enter daily raffles.

🔒 Kaspersky has extended Kaspersky Container Security with support for the OpenAI API, allowing organizations to connect local or third‑party large language models that implement that API. The integrated AI assistant analyzes uploaded container images, describes their contents and behavior, performs independent risk assessments, and suggests mitigations to speed investigations and decision-making. The update also brings single sign‑on and multi‑domain Active Directory support, faster image scanning, and enhanced security policy capabilities to the Kaspersky Cloud Workload Security suite.

🔒 New Kubernetes clusters are probed and often attacked within minutes, with honeypots run by Palo Alto Networks, Wiz and Aqua Security showing initial compromise attempts in roughly twenty minutes and repeated automated scans against container ports. The platform's permissive defaults and complex model make standard cloud controls insufficient. Organizations should adopt Kubernetes-specific controls: harden and automate RBAC, isolate workloads with network and namespace policies, store secrets in dedicated key management services, perform regular audits, and train developers on platform-specific threats and secure CI/CD practices.

🔒 The push to 'shift left' has largely failed because it places excessive security responsibility on developers who are pressured to prioritise speed. Ivan Milenkovic of Qualys highlights how noisy, slow tools and misplaced trust in public container registries let malicious images and embedded secrets slip into deployment pipelines. He urges organisations to proxy external images, create a golden path of approved templates and CI pipelines, and shift down security into platform engineering so controls are automatic and developer friction is minimised.

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.

🔒 Amazon ECS Managed Instances is now available in the AWS European Sovereign Cloud, enabling customers to run EC2-backed container workloads under regional sovereignty controls. As a fully managed compute option, Managed Instances dynamically scales EC2 instances, optimizes task placement, and performs security patching every 14 days while supporting GPU and network-optimized instance families. Enable via Console, the Amazon ECS MCP Server, or infrastructure-as-code; management fees apply in addition to standard EC2 costs.

🔒Amutable, a Berlin startup launched this week, says it will bring determinism and verifiable integrity to Linux systems. Its founding team includes prominent Linux engineers such as Lennart Poettering (known for systemd) and ex‑Microsoft executives Chris Kühl (CEO) and Christian Brauner (CTO). The company is focusing on the container stack — Kubernetes, runc, LXC, Incus and containerd — and proposes cryptographic verification of images, signed manifests and continuous checks to detect tampering proactively rather than reactively.