Checkmarx
Container Security Tool

Container security focuses on reducing the security risks of containerized applications. These include vulnerabilities in application source code and open-source software found in static container images, container infrastructure risks, and runtime risks found in production applications.

Container security is an aspect of application security focused on identifying risks in container images or running containerized applications. Container security addresses unique threats such as insecure container images, misconfigured Docker settings, and runtime attacks targeting ephemeral workloads. Enterprises should view application risk across the full lifecycle of their containerized application, whether its SAST for vulnerabilities in proprietary code, SCA for vulnerabilities in OSS, DAST to test compiled applications, container security for container-specific risks, and more.

Containers are lightweight, ephemeral components that package code and applications and are a fundamental building block for cloud-based applications. This makes them attractive targets for attackers. Container security tools identify vulnerabilities, insecure dependencies, misconfigurations, and compliance risks in container images – both static and in runtime – as will as in Docker environments. They also help recommend secure images to use. Without proper security, containers can expose an organization to breaches, data leaks, and compliance failures.

When selecting a container security tool, look for features that ensure comprehensive container protection from code to runtime. This includes container image scanning, runtime insights correlation with pre-production data, vulnerability triage, prioritization, base image remediation, scan risk reports and CI/CD integrations. These should be delivered through a developer-centric approach to build #DevSecTrust.

Container security tools help organizations meet compliance requirements by enforcing security policies, enabling audit trails, and generating reports aligned with regulatory standards. In addition, the ability to prioritize risks helps organizations meet specific compliance requirements.

As with any type of application, identifying software vulnerabilities as early as possible in the software development lifecycle (SDLC) helps to reduce the cost and business risk associated with container security. However, some risks only become apparent after applications are deployed in a runtime environment.

Checkmarx helps you address software vulnerabilities in your source code and open-source software, while partnering with Sysdig to correlate pre-production and runtime insights and identify vulnerabilities that are called by your code and exploitable in runtime containerized applications.

Checkmarx scans all layers of a container image including:OS base image packages (Alpine, Debian, Red Hat UBI, Ubuntu, etc.)Language runtime packages (Node.js, Python, Java, Go, Ruby, etc.)Application dependencies bundled into the imageEmbedded secrets and credentialsDockerfile misconfigurations (running as root, exposed ports, hardcoded secrets)License compliance issues in third-party components

Yes! Checkmarx provides remediation guidance for vulnerabilities discovered in both your source code and open-source software.

Not only do we provide remediation guidance, but we also help you better prioritize vulnerabilities to fix first, by correlating between your source code, the methods in open-source libraries called by your code, and open-source libraries found in running containerized applications.

Container security tools integrate with CI/CD pipelines by embedding security checks at multiple stages of development to ensure vulnerabilities and misconfigurations are caught early. They scan container images during the build phase, blocking deployments that contain critical vulnerabilities, misconfigurations, policy violations, etc. This continuous feedback loop ensures that security remains a constant focus throughout the development process, allowing teams to address issues promptly while maintaining DevSec trust.

Checkmarx Container Security integrates with all major registries and pipelines including Docker Hub, AWS ECR, Google GCR/Artifact Registry, Azure ACR, Harbor, JFrog Artifactory, and Nexus. For CI/CD, it integrates natively with GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, CircleCI, and any pipeline that supports Docker image scanning via CLI or API.

Checkmarx combines multiple signals to help teams focus on what matters: CVSS severity scores, EPSS (Exploit Prediction Scoring System) probability of exploitation, reachability analysis to determine if the vulnerable code path is actually executed, runtime context from container orchestration platforms, and availability of a fix. This prevents teams from wasting time on theoretical vulnerabilities while real risks go unaddressed.

Container Security is a native capability within the Checkmarx One platform, sharing the same dashboard, reporting, and ASPM (Application Security Posture Management) layer as SAST, SCA, IaC Security, Secrets Detection, and API Security. This means container vulnerabilities are correlated with code-level findings — giving teams a unified, prioritized view of their entire cloud-native security posture without switching between tools.

Checkmarx integrates with leading cloud-native application protection platforms (CNAPPs) such as Sysdig and cloud service providers such as AWS EKS. This integration enables Checkmarx to correlate security findings from the SDLC with runtime data to help prioritize remediation based on real-world risk such as whether an OSS library is used in production or an application is deployed in an Internet-facing manner.

Yes. Checkmarx Container Security integrates with Kubernetes admission controllers via webhook, allowing you to enforce image security policies at cluster admission time. Images that fail your policy are blocked from deployment, and the rejection message includes clear guidance on what needs to be fixed. Policies are managed centrally in Checkmarx One and can be customized per namespace, environment, or team.