< ciso
brief />
Tag Banner

All news with #container security tag

60 articles · page 3 of 3

Amazon ECR Adds PrivateLink Support for FIPS Endpoints

🔒 Amazon Web Services announced that Amazon ECR now supports PrivateLink endpoints validated under FIPS 140-3. This allows customers with security and compliance requirements to use FIPS-validated cryptographic modules while keeping traffic private within their Amazon VPCs. The enhancement helps organizations meet regulatory obligations without exposing container registry traffic to the public internet. Availability includes several commercial and AWS GovCloud regions.
read more →

High-severity runc bugs allow container breakouts via procfs

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.
read more →

Critical runC Vulnerabilities Allow Docker Container Escape

⚠️ Three newly disclosed vulnerabilities in runC (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) could allow attackers to bypass container isolation and obtain root write access on the host. The issues involve manipulated bind mounts and redirected writes to /proc, and one flaw affects runC releases back to 1.0.0-rc3. Patches are available in recent runC releases; administrators should update, monitor for suspicious symlink/mount activity, and consider enabling user namespaces or running rootless containers as mitigations.
read more →

Amazon ECS: Managed EBS Permissions for Non-Root Containers

🔐 Amazon Elastic Container Service (ECS) now supports mounting Amazon EBS volumes to containers running as non-root users. ECS automatically sets file system permissions on the attached EBS volume so non-root processes can securely read and write while preserving root ownership. This removes the need for manual chown/chmod or custom entrypoint scripts, simplifying security-first container deployments. The capability is available across all AWS Regions for EC2, AWS Fargate, and ECS Managed Instances.
read more →

Amazon ECS Service Connect Adds Envoy Access Logs Support

🔍 Amazon ECS Service Connect now captures per-request telemetry with Envoy access logs to improve visibility into service-to-service traffic for tracing, debugging, and compliance. Access logging is enabled via the ServiceConnectConfiguration and emits Envoy logs to STDOUT alongside application logs, flowing through the existing ECS log pipeline without extra infrastructure. Query strings are redacted by default and the feature supports HTTP, HTTP/2, gRPC, and TCP protocols. The capability is available in all regions where Service Connect is supported.
read more →

Amazon ECS Adds CloudTrail Data Events for Agent API

🔍 Amazon ECS now emits AWS CloudTrail data events for ECS Agent API activities, giving teams detailed visibility into container instance operations. Customers can opt in to the new data event resource type AWS::ECS::ContainerInstance to capture actions such as ecs:Poll, ecs:StartTelemetrySession, and ecs:PutSystemLogEvents. The capability is available for ECS on EC2 across all AWS Regions and for ECS Managed Instances in select regions. Standard CloudTrail data event charges apply.
read more →

Dataproc 2.3 on Google Compute Engine: Lightweight Security

🔐 Dataproc 2.3 on Google Compute Engine provides a streamlined image that includes only the essential core components for Spark and Hadoop, reducing the attack surface and simplifying compliance. The image is FedRAMP High compliant and leverages both automated CVE remediation and manual engineering intervention for complex fixes. Optional tools like Flink, Hudi, Ranger, and Zeppelin are available on-demand during cluster creation, or can be pre-baked into custom images to speed provisioning while preserving the security benefits of the lightweight base.
read more →

Amazon ECS: Run Firelens Logging Containers Non-Root

🔒 Amazon Elastic Container Service (Amazon ECS) now lets you run Firelens containers as a non-root user by specifying a numeric user ID in the user field of your Task Definition. Running Firelens as non-root reduces the potential attack surface and helps meet security and compliance requirements, including checks surfaced by AWS Security Hub. This capability replaces the previous default of "user": "0" and is available in all AWS Regions. See the Firelens documentation for configuration details.
read more →

Docker offers Hardened Images for SMBs and startups

🔒 Docker has opened unlimited, subscription-based access to its Hardened Images catalog starting today, offering a 30-day free trial to make near-zero CVE container images affordable for startups and SMBs. These images are built from source, signed, rootless by default, include SBOM and VEX data, and are covered by a seven-day patch SLA for newly discovered CVEs. Docker says removing nonessential components can reduce attack surface by up to 95%, and hardened variants are compatible with Alpine and Debian and can be adopted by changing a single Dockerfile line.
read more →

OpenShift AI Privilege Escalation Flaw Exposes Clusters

🔒 Red Hat has disclosed a severe privilege escalation vulnerability in OpenShift AI (CVE-2025-10725) that can allow an authenticated, low-privileged user to escalate to full cluster administrator and fully compromise a deployment. The issue carries a CVSS score of 9.9 but is rated Important by Red Hat because exploitation requires an authenticated account. Affected releases include OpenShift AI 2.19, 2.21 and RHOAI. Administrators are advised to avoid broad ClusterRoleBindings such as binding kueue-batch-user-role to system:authenticated, and to grant job creation permissions only on a granular, need-to-know basis while applying vendor guidance.
read more →

Amazon ECS Adds Native IPv6-Only Task and Service Support

🚀 Amazon Elastic Container Service (Amazon ECS) now supports running tasks and services in IPv6-only subnets, eliminating the prior requirement for IPv4 addresses. This enables containerized applications to scale without IPv4 address constraints and helps organizations meet IPv6 compliance mandates. The capability works across all ECS launch types and networking modes; create IPv6-only VPC subnets and ECS will provision networking automatically. See the task networking documentation and a blog walkthrough for launch-specific details and migration guidance.
read more →

Open-source VibeSDK for Self-hosted AI Coding Platforms

🚀 VibeSDK is an open-source platform that enables organizations to deploy a complete AI-powered "vibe coding" experience with one click, integrating LLMs, secure sandboxes, and scalable hosting. It provisions isolated development environments to safely execute AI-generated code, offers templates and live previews, and automates build, test, and deploy workflows. The SDK also provides multi-model routing, observability, and caching, plus one-click export to users' Cloudflare accounts or GitHub so teams retain control of code and costs.
read more →

Protect AI Development Using Falcon Cloud Security

🔒 Falcon Cloud Security provides end-to-end protection for AI development pipelines by embedding AI detection into CI/CD workflows, scanning container images, and surfacing AI-related packages and CVEs in real time. It extends visibility to cloud model services — including AWS SageMaker and Bedrock, Azure AI, and Google Vertex AI — revealing model provenance, dependencies, and API usage. Runtime inventory ties build-time detections to live containers so teams can prioritize fixes, govern models, and maintain delivery velocity without compromising security.
read more →

AWS Lambda: Cross-Account Container Images in GovCloud

🚀 AWS Lambda now supports creating or updating functions using container images stored in an Amazon ECR repository in a different AWS account within GovCloud Regions. This removes the previous need to copy images into a local ECR repo and streamlines centralized image management and CI/CD workflows. Administrators must grant the Lambda resource and the Lambda service principal the necessary cross-account permissions.
read more →

AWS Console Adds ECS Exec for Direct Container Shell Access

🔐 The AWS Management Console now supports ECS Exec, allowing operators to open secure, interactive shell sessions to running containers directly from the console. This removes the need to switch to the CLI, API, or SDKs for troubleshooting and avoids opening inbound ports or managing SSH keys. You can enable ECS Exec when creating or updating services and standalone tasks, and configure encryption and logging at the cluster level. Sessions launch through CloudShell, and the console displays the underlying AWS CLI command for reuse in a local terminal.
read more →

Amazon ECR Repository Templates Now in AWS GovCloud

📦 Amazon ECR now supports repository creation templates in AWS GovCloud (US) Regions. Templates let you preconfigure encryption, lifecycle policies, access permissions, and tag immutability for repositories that ECR creates during pull-through cache and replication operations. Templates use a prefix to automatically match and apply settings to new repositories, reducing manual setup and helping enforce consistent registry governance across environments.
read more →

AWS HealthOmics Adds Third-Party Container Registry Support

🧬 AWS HealthOmics now supports third-party container registries through Amazon ECR pull-through cache and a new container URI remapping capability, easing access to tools hosted on Docker Hub, GitHub, Quay, GitLab, Azure, and other registries. The pull-through cache automatically retrieves and caches images while URI remapping translates third-party references to private ECR URIs using customer-defined mapping rules. These capabilities remove the need for manual image migration or workflow edits and are available in all regions where AWS HealthOmics is offered, helping bioinformatics teams accelerate workflow development and execution.
read more →

Securing Cloud-Native Workloads From Code to Runtime

🔒 Lacework FortiCNAPP unifies CSPM, CWP, CIEM, and CDR to secure cloud-native workloads from development through runtime. It integrates with CI/CD pipelines to scan IaC, container images, and libraries, and leverages FortiDevSec for static and dynamic testing so vulnerabilities are caught before deployment. At runtime, behavior-based workload protection, cloud audit log analysis, and Fortinet Composite Alerts produce high-fidelity detections, while FortiWeb and automation via FortiSOAR enable edge blocking and orchestrated remediation.
read more →

Skopeo for Google Cloud: Simplifying Container Workflows

📦 This post describes how Skopeo, a daemonless CLI for container images, can streamline image management with Artifact Registry and Google Cloud CI/CD. It outlines setup steps and five practical workflows—inspect manifests, registry-to-registry copying, listing tags, promoting images, and automated verification. The article also covers security integrations with tools like Cosign and Binary Authorization, and recommends Skopeo for faster, daemonless automation in Cloud Build and related environments.
read more →

Microsoft Named Leader in 2025 Container Management

🚀 Microsoft announced it was recognized as a Leader in the 2025 Gartner Magic Quadrant for Container Management, reflecting the scope and customer impact of its container portfolio. Azure Kubernetes Service (AKS), Azure Container Apps, and hybrid/multicloud capabilities with Azure Arc are highlighted for developer productivity, operational simplicity, and AI readiness. The company emphasized developer tooling like AKS Automatic (preview), Azure Developer CLI, and GitHub Copilot, plus integrated security through Microsoft Defender for Containers and Azure Policy. Customer examples such as ChatGPT, Telefônica Brasil, Coca‑Cola, Hexagon, and Delta Dental illustrate real-world outcomes.
read more →