< ciso
brief />
Tag Banner

All news with #container security tag

60 articles

HyperPod adds custom AMI support for Slurm

🔒 Amazon SageMaker HyperPod now supports custom AMIs for Slurm-orchestrated clusters, enabling deployment of pre-configured, security-hardened environments tailored to organizational needs. This reduces reliance on complex lifecycle scripts and improves startup times and consistency across nodes. Custom AMIs must be built from HyperPod's public base AMIs for compatibility and can be specified via the CreateCluster, UpdateCluster, or UpdateClusterSoftware APIs. The feature is available in all Regions where HyperPod is supported.
read more →

Secure container workloads with attribute-based rules

🛡️ AWS Network Firewall now supports container attribute-based rules for Amazon EKS and Amazon ECS, enabling firewall policies based on native container attributes (namespaces, pod names, labels, cluster names) instead of ephemeral IPs. This feature automatically discovers and tracks matching pods, dynamically updates IP-to-attribute mappings, and enriches alert logs with container context for easier troubleshooting and auditing. It integrates with Suricata-compatible rules, exports logs to CloudWatch Logs and S3, and can be configured via the AWS Console, CLI, or SDK with no additional feature charge.
read more →

Amazon ECS adds configurable deployment circuit breaker

🔧 Amazon Elastic Container Service (Amazon ECS) now lets you customize when a service deployment is considered failed and automatically rolled back. You can set the circuit breaker threshold using a fixed task failure count or a percentage of desired tasks, and choose between consecutive or cumulative failure counting models. This allows different rollback behavior across environments and is available in all AWS Regions where ECS is offered.
read more →

AWS Network Firewall Adds Container Attribute Rules

🔒 Today AWS announced container attribute-based rules for AWS Network Firewall, allowing firewall policies to reference native container constructs like Namespace, Cluster Name, Labels for Amazon EKS, and Cluster Name and Container Instance Attributes for Amazon ECS. This removes the need for fragile IP-based rules that break when pods scale or restart and supports generative AI and other dynamic workloads. The feature supports TLS decryption, FQDN and URL category filtering, and GeoIP controls, and is available at no extra cost in supported regions.
read more →

June 2026 Threat Technique Catalog Update for AWS

🛡️ The AWS CIRT updated the Threat Technique Catalog for June 2026, adding five new entries focused on container security, organization-level trust, and compute hijacking. The update documents EKS workload modification, exploitation of public-facing Kubernetes services, sts:AssumeRoot abuse across AWS Organizations, compute hijacking in clusters, and account invitations into attacker-controlled organizations. It also refreshes three existing entries with expanded detection and mitigation guidance.
read more →

Amazon GameLift Servers adds container fleet controls

🛠️ Amazon GameLift Servers introduces two container fleet improvements to improve flexibility and inter-container communication for game server deployments. You can now customize Linux capabilities in container group definitions to grant specific permissions such as NET_RAW or SYS_PTRACE, and call the new ListContainersNetworkInfo() server SDK action to discover co-located containers' names, IDs, local IPs, and group types. These features are exposed via the console, AWS CLI, SDK, and CloudFormation and supported in server SDK 5.x for Go, C++, and C#, plus Unreal and Unity plugins, available in all GameLift regions except China.
read more →

ECS Managed Daemons add PID and IPC sharing

🔧 Amazon ECS Managed Daemons now support inter-task visibility and communication by adding pidMode and ipcMode settings. These allow daemons to share process and IPC namespaces with application containers when set to "shared", while the default "none" keeps them isolated. Daemons run once per instance and start before applications, enabling independent deployment of agents like tracing, profiling, and security tools. The feature is available in all AWS Regions at no extra cost.
read more →

VirusTotal adds Knostic for VS Code extension analysis

🛡️ We’re adding Knostic’s AgentMesh to VirusTotal’s Crowdsourced AI lineup to analyze Visual Studio Code extension (.VSIX) files. This integration complements Code Insight and other AI contributors to help developers, platform engineers, and security teams assess extension security and detect supply-chain threats prior to installation. The collaboration highlights the growing importance of securing IDE extensions.
read more →

Gitea flaw lets unauthenticated users pull private images

🔒 Researchers disclosed a vulnerability in Gitea that allowed unauthenticated remote attackers to pull private container images from affected deployments without credentials. Tracked as CVE-2026-27771, the issue affects all Gitea versions prior to 1.26.2, which contains the fix. Noscope estimates more than 30,000 deployments globally may be impacted, spanning healthcare, aerospace, retail, and ISPs. Users are advised to update to 1.26.2 or enable REQUIRE_SIGNIN_VIEW as a temporary mitigation.
read more →

Kaspersky Container Security: Practical Team Insights

🔒 Kaspersky Container Security (KCS) is presented as a comprehensive platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation, and cluster runtime monitoring to tie findings to specific artifacts, pipelines, and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and standard formats to integrate with AppSec and internal tooling.
read more →

AWS Transform Adds Automated Containerization for Migrations

📦 AWS Transform now automates replatforming to containers during migrations, extending its agentic AI to generate Dockerfiles, build images, and publish to Amazon ECR. It supports repositories from GitHub, Bitbucket, GitLab, or .zip sources and builds deployment artifacts for Amazon ECS and Amazon EKS. Integrated security scanning and Terraform and Helm outputs simplify operations. Available in all Regions where AWS Transform is offered.
read more →

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.
read more →

Google Cloud Next 26: New Compute and Fluid Compute

⚙️ At Google Cloud Next '26, Google announced Fluid Compute and a broad set of compute, networking, and storage updates to support both traditional and agentic AI workloads with better performance and lower cost. Key moves include GA of the Arm-based Axion N4A, a GKE Agent Sandbox running on Axion, previews of bare-metal Axion C4A.metal and network-optimized C4N, and expanded Flexible Committed Use Discounts. The changes emphasize elastic scaling for spiky agent workloads, isolated runtime sandboxes, and higher I/O and VM-to-VM bandwidth to reduce contention and TCO.
read more →

Amazon ECS Adds NVIDIA GPU Health Monitoring & Repair

🔧 Amazon Elastic Container Service now includes NVIDIA GPU health monitoring and auto repair for ECS Managed Instances. The capability leverages NVIDIA Data Center GPU Manager (DCGM) to detect critical GPU hardware failures and proactively replace impaired instances to maintain availability for GPU-accelerated container workloads. You can view GPU health via the DescribeContainerInstances API and receive notifications through Amazon EventBridge. Auto repair is enabled by default on supported instances at no additional cost and is available in all AWS Commercial Regions.
read more →

Amazon ECR Pull-Through Cache Now Syncs OCI Referrers

🔁 Amazon Elastic Container Registry (Amazon ECR) now automatically discovers and caches OCI referrers — including image signatures, SBOMs, and attestations — from upstream registries for repositories configured with pull through cache. Previously, referrers had to be listed and fetched manually because ECR would not return or sync them for cached repositories. With this change, referrers API requests reach upstream and automatically cache related artifacts, enabling end-to-end signature verification, SBOM discovery, and attestation retrieval without client-side workarounds. The feature is available today in all Regions where Amazon ECR pull through cache is supported.
read more →

Cloudflare Sandboxes and Containers Reach General Availability

🧰 Cloudflare has declared Sandboxes and Cloudflare Containers generally available, delivering persistent, isolated development environments tailored for AI agents and human developers. Key additions include secure credential injection via an egress proxy, PTY-backed WebSocket terminals, persistent Python/JavaScript/TypeScript interpreters, filesystem event streams, background dev servers with public preview URLs, and fast disk-state snapshots. Higher instance limits and Active CPU Pricing reduce cost and improve scalability; the SDK is at version 0.8.9.
read more →

State of Trusted Open Source: Q1 2026 Insights & Trends

🔍 The State of Trusted Open Source report analyzes Chainguard customer usage and security data from Dec 1, 2025 through Feb 28, 2026, covering 2,200+ container image projects, 33,931 fix instances, and 377 unique CVEs. It shows AI-driven development accelerating adoption of Python and PostgreSQL, broader standardization around language ecosystems, and the rise of chainguard-base as a minimal foundation. Vulnerability discovery and remediation scaled dramatically—unique CVEs rose 145% and fixes tripled—while median remediation time remained about 2.0 days. The report highlights persistent long-tail risk and a notable increase in FIPS-driven adoption.
read more →

Amazon ECS Managed Daemons for ECS Managed Instances

🛡️ Amazon Elastic Container Service (ECS) introduces Managed Daemons for ECS Managed Instances, enabling platform teams to centrally deploy and manage security, observability, and networking agents independently of application tasks. ECS guarantees exactly one daemon task per managed instance and ensures daemons are running before application placement, improving coverage and resource efficiency. Updates are handled by draining and replacing instances with circuit breaker and rollback protections; the feature is available in all AWS Regions with no additional service cost beyond compute.
read more →

EmDash: Cloudflare’s Modern, Secure Successor to WordPress

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.
read more →

Kubernetes Controllers as Stealthy Persistent Backdoors

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering or compromising a controller—most commonly via a MutatingWebhookConfiguration—an attacker can intercept pod-creation requests and inject a covert sidecar, turning the cluster’s control loop into a self-healing backdoor. These injections are often invisible to casual inspection, survive pod restarts and upgrades, and can be disguised under benign names. Teams should audit webhooks, monitor RoleBindings and OwnerReferences, and restrict webhook registration to reduce this risk.
read more →