All news with #container security tag

🔒 Chainguard’s quarterly pulse, The State of Trusted Open Source, analyzes anonymized usage and CVE data across a large customer base and catalog of container images to reveal where real production risk concentrates. The report finds Python leading the modern AI stack, while roughly half of production runs on a diverse longtail of images beyond the top 20. Importantly, 98% of remediated CVE instances occurred in that longtail, and compliance drivers like FIPS adoption materially influence image choices. Chainguard also highlights fast remediation performance, averaging under 20 hours for Critical CVEs.

🐳 Docker has open-sourced and made freely available over 1,000 Docker Hardened Images (DHI) under the Apache 2.0 license to provide a secure, minimal foundation for containerized applications. The images are rootless, stripped of unnecessary components, SBOM-verifiable, and shipped with SLSA Build Level 3 provenance and proof of authenticity. Docker will continue to publish fixes for DHI components while reserving a 7-day critical CVE patching SLA for the commercial DHI Enterprise tier. The full DHI catalog and subscription options are available from Docker's product offerings.

🔁 Amazon Elastic Container Registry (ECR) can now automatically create repositories when images are pushed, removing the need to pre-create repositories before a push. Repository creation follows organization-defined repository creation templates, enabling consistent naming and default settings at creation. The create-on-push capability is available in all AWS commercial and AWS GovCloud (US) Regions.

🛑 Amazon Elastic Container Service (ECS) on AWS Fargate now honors container-defined stop signals for Linux tasks by reading the OCI image STOPSIGNAL instruction and sending that signal when a task is stopped. Previously Fargate always sent SIGTERM followed by SIGKILL after the configured timeout, but containers that rely on SIGQUIT, SIGINT, or other signals can now receive their intended shutdown signal. If no STOPSIGNAL is present, ECS continues to default to SIGTERM. Support for container-defined stop signals is available in all AWS Regions and the ECS Developer Guide provides implementation details.

📦 Amazon Web Services announced a new Amazon ECR Archive storage class to lower costs for large volumes of rarely accessed container images. Lifecycle policies can now archive images by last pull time, age, or count, and archived images are excluded from repository image limits. Archived images are inaccessible for pulls but can be restored via Console, CLI, or API within about 20 minutes, and all operations are logged to CloudTrail; the feature is available in AWS Commercial and GovCloud (US) Regions.

🔒 Amazon Web Services announced that Amazon ECR now supports PrivateLink endpoints validated under FIPS 140-3. This allows customers with security and compliance requirements to use FIPS-validated cryptographic modules while keeping traffic private within their Amazon VPCs. The enhancement helps organizations meet regulatory obligations without exposing container registry traffic to the public internet. Availability includes several commercial and AWS GovCloud regions.

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.

🔐 Amazon Elastic Container Service (ECS) now supports mounting Amazon EBS volumes to containers running as non-root users. ECS automatically sets file system permissions on the attached EBS volume so non-root processes can securely read and write while preserving root ownership. This removes the need for manual chown/chmod or custom entrypoint scripts, simplifying security-first container deployments. The capability is available across all AWS Regions for EC2, AWS Fargate, and ECS Managed Instances.

🔍 Amazon ECS Service Connect now captures per-request telemetry with Envoy access logs to improve visibility into service-to-service traffic for tracing, debugging, and compliance. Access logging is enabled via the ServiceConnectConfiguration and emits Envoy logs to STDOUT alongside application logs, flowing through the existing ECS log pipeline without extra infrastructure. Query strings are redacted by default and the feature supports HTTP, HTTP/2, gRPC, and TCP protocols. The capability is available in all regions where Service Connect is supported.

🔍 Amazon ECS now emits AWS CloudTrail data events for ECS Agent API activities, giving teams detailed visibility into container instance operations. Customers can opt in to the new data event resource type AWS::ECS::ContainerInstance to capture actions such as ecs:Poll, ecs:StartTelemetrySession, and ecs:PutSystemLogEvents. The capability is available for ECS on EC2 across all AWS Regions and for ECS Managed Instances in select regions. Standard CloudTrail data event charges apply.

🔐 Dataproc 2.3 on Google Compute Engine provides a streamlined image that includes only the essential core components for Spark and Hadoop, reducing the attack surface and simplifying compliance. The image is FedRAMP High compliant and leverages both automated CVE remediation and manual engineering intervention for complex fixes. Optional tools like Flink, Hudi, Ranger, and Zeppelin are available on-demand during cluster creation, or can be pre-baked into custom images to speed provisioning while preserving the security benefits of the lightweight base.

🔒 Amazon Elastic Container Service (Amazon ECS) now lets you run Firelens containers as a non-root user by specifying a numeric user ID in the user field of your Task Definition. Running Firelens as non-root reduces the potential attack surface and helps meet security and compliance requirements, including checks surfaced by AWS Security Hub. This capability replaces the previous default of "user": "0" and is available in all AWS Regions. See the Firelens documentation for configuration details.

🔒 Docker has opened unlimited, subscription-based access to its Hardened Images catalog starting today, offering a 30-day free trial to make near-zero CVE container images affordable for startups and SMBs. These images are built from source, signed, rootless by default, include SBOM and VEX data, and are covered by a seven-day patch SLA for newly discovered CVEs. Docker says removing nonessential components can reduce attack surface by up to 95%, and hardened variants are compatible with Alpine and Debian and can be adopted by changing a single Dockerfile line.

🔒 Red Hat has disclosed a severe privilege escalation vulnerability in OpenShift AI (CVE-2025-10725) that can allow an authenticated, low-privileged user to escalate to full cluster administrator and fully compromise a deployment. The issue carries a CVSS score of 9.9 but is rated Important by Red Hat because exploitation requires an authenticated account. Affected releases include OpenShift AI 2.19, 2.21 and RHOAI. Administrators are advised to avoid broad ClusterRoleBindings such as binding kueue-batch-user-role to system:authenticated, and to grant job creation permissions only on a granular, need-to-know basis while applying vendor guidance.

🚀 Amazon Elastic Container Service (Amazon ECS) now supports running tasks and services in IPv6-only subnets, eliminating the prior requirement for IPv4 addresses. This enables containerized applications to scale without IPv4 address constraints and helps organizations meet IPv6 compliance mandates. The capability works across all ECS launch types and networking modes; create IPv6-only VPC subnets and ECS will provision networking automatically. See the task networking documentation and a blog walkthrough for launch-specific details and migration guidance.

🚀 VibeSDK is an open-source platform that enables organizations to deploy a complete AI-powered "vibe coding" experience with one click, integrating LLMs, secure sandboxes, and scalable hosting. It provisions isolated development environments to safely execute AI-generated code, offers templates and live previews, and automates build, test, and deploy workflows. The SDK also provides multi-model routing, observability, and caching, plus one-click export to users' Cloudflare accounts or GitHub so teams retain control of code and costs.

🔒 Falcon Cloud Security provides end-to-end protection for AI development pipelines by embedding AI detection into CI/CD workflows, scanning container images, and surfacing AI-related packages and CVEs in real time. It extends visibility to cloud model services — including AWS SageMaker and Bedrock, Azure AI, and Google Vertex AI — revealing model provenance, dependencies, and API usage. Runtime inventory ties build-time detections to live containers so teams can prioritize fixes, govern models, and maintain delivery velocity without compromising security.

🚀 AWS Lambda now supports creating or updating functions using container images stored in an Amazon ECR repository in a different AWS account within GovCloud Regions. This removes the previous need to copy images into a local ECR repo and streamlines centralized image management and CI/CD workflows. Administrators must grant the Lambda resource and the Lambda service principal the necessary cross-account permissions.

🔐 The AWS Management Console now supports ECS Exec, allowing operators to open secure, interactive shell sessions to running containers directly from the console. This removes the need to switch to the CLI, API, or SDKs for troubleshooting and avoids opening inbound ports or managing SSH keys. You can enable ECS Exec when creating or updating services and standalone tasks, and configure encryption and logging at the cluster level. Sessions launch through CloudShell, and the console displays the underlying AWS CLI command for reuse in a local terminal.