Functions

CGS provides container image security, security policies, and runtime security functions.

Container Image Security

CGS scans your images that are running or displayed in your image list, and provides suggestions on how to fix detected vulnerabilities and malicious files.

CGS can scan Linux images.

**Table 1** Container image check items
Item	Description	Check Frequency
Private image security	Scans private images in SWR for vulnerabilities, unsafe settings, and malicious code. The following items are checked: Vulnerabilities Whether there are CVE or other vulnerabilities in SWR images Malicious files Whether there are Trojans, worms, adware, or other malicious files in private images Unsafe settings Non-compliant or insecure settings Software information Software in private images File information Files in private images. Software is not included.	Automatic check in the early morning every day Manual scan
Local image vulnerabilities	Checks whether there are CVE or other vulnerabilities in the images running in CCE containers.	Real-time check
Official image vulnerabilities	Periodically scans official Docker images for vulnerabilities.	-

Container Security Policies

You can configure security policies, whitelist container processes, and set protected files to minimize the permissions required for containers to run, improving system and application security.

**Table 2** Container security policies
Item	Description	Check Frequency
Process whitelist	Alarms will be triggered if processes not whitelisted are started, preventing abnormal processes, privilege escalation attacks, and violations.	Real-time check
File protection	Read-only permissions should be configured for critical application directories (such as bin, lib, and usr directories) in the container to prevent hackers from tampering and attacking. If you set these directories to be read-only, CGS will protect them from security incidents such as file tampering.	Real-time check

Container Runtime Security

CGS scans running containers for malicious programs including miners and ransomware, detects non-compliant security policies, file tampering, and container escape, and provide suggestions.

**Table 3** Container runtime security
Item	Description	Check Frequency
Container escape detection	Uses rules and machine learning technologies to accurately detect escape behaviors on servers, including shocker attacks, process privilege escalation, Dirty COW, and brute-force attacks.	Real-time check
High-risk system calls	Detects Linux system calls that were made within containers and could pose security risks.	Real-time check
Abnormal program detection	Detects the startup of processes that violate security policies and malicious programs such as miners, ransomware, viruses, and Trojans.	Real-time check
Abnormal files	Detects file access that violates security policies. Security O&M personnel can check whether hackers are intruding and tampering with sensitive files.	Real-time check
Container environment	Checks for abnormal container runtime, including abnormal startup and improper configurations.	Real-time check