Skip to main content

Documentation Index

Fetch the complete documentation index at: https://guide.codepure.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Container Security is Codepure’s unified scanning engine that analyzes container images, Kubernetes configurations, and cloud infrastructure for security misconfigurations, OS-level vulnerabilities, and compliance violations. Built entirely from the ground up in native Go — no Trivy, no Checkov, no external dependencies — it delivers sub-second scan performance with full air-gapped deployment support.

What is Container Security?

Codepure Container Security performs comprehensive analysis across the entire container and cloud infrastructure lifecycle. By examining Dockerfiles, Docker Compose files, Kubernetes manifests, Terraform configurations, Ansible playbooks, Helm charts, CloudFormation templates, and Azure ARM templates, it identifies security misconfigurations, hardcoded secrets, and OS-level package vulnerabilities before they reach production.

Core Capabilities

  • Real Docker Image Scanning: Reads actual package manifests (APK, DPKG, RPM) from Docker image layers to detect OS-level CVEs
  • Infrastructure-as-Code Analysis: Native parsers for 8 IaC formats — Dockerfile, Compose, Kubernetes, Terraform, Ansible, Helm, CloudFormation, ARM
  • Secret Detection: 16+ regex patterns and entropy analysis detect hardcoded credentials, API keys, and tokens
  • Multi-Cloud CSPM: Cloud Security Posture Management across AWS (35+ rules), GCP (25+ rules), and Azure (30+ rules)
  • SBOM Generation: Export Software Bill of Materials in SPDX 2.3 and CycloneDX 1.5 formats
  • SARIF 2.1.0 Output: Integration with GitHub Code Scanning, Azure DevOps, and GitLab Security
  • 9-Frame Compliance: Every finding maps to CIS, SOC2, PCI-DSS, NCA-ECC (Saudi), SAMA CSF (Saudi), NIST, GDPR, HIPAA, and FedRAMP
  • Air-Gapped Ready: All CVE databases and rule sets bundled on disk — zero internet dependency

How Container Security Works

Scanning Methodology

Codepure Container Security employs multiple analysis techniques for comprehensive coverage across container and cloud infrastructure:

1. Dockerfile Static Analysis

  • Parses Dockerfile instructions line by line
  • Tracks ARG/ENV variable resolution
  • Identifies multi-stage build boundaries
  • Detects insecure patterns: root user, latest tags, missing HEALTHCHECK, secrets in ENV, ADD vs COPY misuse

2. YAML Manifest Analysis (Compose & Kubernetes)

  • Parses multi-document YAML files
  • Maps service and pod specifications
  • Identifies security context misconfigurations
  • Detects privileged containers, host namespace sharing, missing resource limits

3. HCL Parsing (Terraform)

  • Parses Terraform HCL configurations using regex-based resource detection
  • Identifies cloud resource misconfigurations across AWS, GCP, and Azure
  • Detects overly permissive IAM, unencrypted storage, public endpoints

4. Real Docker Image Layer Scanning

  • Opens Docker image .tar archives (from docker save)
  • Reads manifest.json to identify image layers
  • Extracts actual package manifests from each layer:
    • Alpine: Parses /var/lib/apk/db/installed (APK format: P:name\nV:version)
    • Debian/Ubuntu: Parses /var/lib/dpkg/status (DPKG format: Package:\nVersion:\nStatus:)
    • RHEL/CentOS: Parses RPM manifest files (text format: Name:\nVersion:\nRelease:)
  • Cross-references installed packages against bundled CVE database
  • Reports vulnerabilities with severity, fix version, and compliance tags

5. Secret Detection (Regex + Entropy)

  • 16+ regex patterns detect known secret formats (AWS keys, GitHub PATs, Stripe tokens)
  • entropy analysis identifies unknown high-entropy strings
  • Scans across all file types in the target directory
  • Filters false positives (variable references, paths, example values)

6. Ansible Playbook Analysis

  • Parses YAML playbooks and task definitions
  • Identifies privilege escalation, shell injection, hardcoded passwords
  • Detects TLS validation disabled, firewall disabled, insecure HTTP fetches

7. Helm Chart Analysis

  • Parses Helm templates and values files
  • Identifies privileged containers, host network/PID, missing resource limits
  • Detects hardcoded secrets, default namespace deployment, missing NetworkPolicy

Vulnerability & Misconfiguration Detection Categories

Container Runtime Misconfigurations

  • Privileged Containers: Full host access and capability escalation
  • Host Namespace Sharing: Network, PID, IPC, UTS namespace exposure
  • Missing Resource Limits: No memory or CPU constraints (DoS risk)
  • No Read-Only Filesystem: Writable container root filesystem
  • Docker Socket Mounted: Container escape via Docker API access
  • Missing Healthchecks: No container health monitoring

Image-Level Vulnerabilities (CVEs)

  • OS Package CVEs: Known vulnerabilities in installed Alpine/Debian/Ubuntu/RHEL packages
  • Outdated Packages: Packages with available security fixes
  • Base Image Vulnerabilities: CVEs inherited from base image layers
  • Critical CVEs: Buffer overflows, privilege escalation, remote code execution

Kubernetes Security

  • RBAC Misconfigurations: Cluster-admin bindings, wildcard permissions, secrets access
  • Pod Security Violations: Privileged pods, host namespaces, running as root
  • Missing Security Contexts: No allowPrivilegeEscalation: false, no runAsNonRoot
  • Network Policy Gaps: Missing network policies, overly permissive ingress/egress
  • Secret Mismanagement: Hardcoded secrets in environment variables, missing Secret resources

Cloud Infrastructure Misconfigurations (CSPM)

AWS
  • S3 Public Access: Buckets with public ACLs or missing public access blocks
  • Open Security Groups: SSH (22), RDP (3389), databases (3306, 5432, 6379) open to 0.0.0.0/0
  • IAM Over-Privilege: Admin policies (* on *), root access keys, wildcard actions
  • Unencrypted Storage: RDS without storage encryption, S3 without server-side encryption
  • Missing Logging: CloudTrail without encryption, VPC without flow logs
  • Public Endpoints: RDS, EKS, ElastiCache publicly accessible
GCP
  • Public Storage: Buckets accessible to allUsers or allAuthenticatedUsers
  • IAM Issues: Owner roles on service accounts, default SA with editor role
  • GKE Misconfigurations: Legacy ABAC enabled, logging/monitoring disabled
  • Unencrypted Resources: Compute disks, Cloud SQL without SSL, Pub/Sub without encryption
  • Open Firewall: Ingress from 0.0.0.0/0, HTTP load balancers
Azure
  • Storage Issues: Public blob access, HTTPS not enforced
  • VM Security: Password authentication, hardcoded passwords in templates
  • Network Security: NSGs allowing unrestricted inbound, no DDoS protection
  • Key Vault: Missing soft delete, weak access policies
  • AKS: RBAC disabled, no network policies, logging disabled
  • Database Exposure: SQL public access, Cosmos DB without IP restrictions

Infrastructure-as-Code Flaws

  • CloudFormation: Public S3, open security groups, RDS publicly accessible, IAM admin access
  • Azure ARM: Password-based VM auth, storage without HTTPS, NSG open rules
  • Ansible: Shell injection, hardcoded passwords, TLS validation disabled, firewall disabled
  • Helm: Hardcoded secrets, privileged containers, missing resource limits, no NetworkPolicy

Hardcoded Secrets

  • Cloud Credentials: AWS Access Key IDs, AWS Secret Access Keys, GCP Service Account JSON
  • API Tokens: GitHub PATs, Slack tokens, Google API keys, Stripe keys, SendGrid keys, Twilio keys
  • Private Keys: SSH RSA/DSA/EC private keys, TLS/SSL private keys
  • Database Credentials: Connection strings with embedded passwords
  • Azure Secrets: Storage account connection strings with AccountKey
  • High-Entropy Strings: Unknown secrets detected via entropy analysis

Why Container Security is Critical

Security Benefits

Unified Visibility
  • Single engine covers containers, Kubernetes, and multi-cloud infrastructure
  • Eliminate tool sprawl — no need for separate Trivy, Checkov, and custom secret scanners
  • Consistent findings format across all scan types
Real Image Scanning
  • Reads actual package manifests from Docker image layers — no guessing
  • Detects OS-level CVEs in Alpine, Debian, Ubuntu, and RHEL-based containers
  • Identifies vulnerable packages with specific fix versions
Comprehensive IaC Coverage
  • 8 infrastructure-as-code formats analyzed natively
  • 160+ misconfiguration detection rules
  • Multi-cloud CSPM across AWS, GCP, and Azure
Air-Gapped Deployment
  • All CVE databases, rule sets, and compliance mappings bundled on disk
  • Zero internet dependency — works in fully isolated environments
  • Ideal for regulated industries and government deployments

Business Impact

Cost Reduction

  • Early Detection: Catch misconfigurations in IaC before deployment
  • Prevent Breaches: Identify publicly exposed cloud resources before attackers find them
  • Reduce Tool Costs: One engine replaces Trivy, Checkov, and multiple secret scanners

Accelerated Development

  • Sub-Second Scans: 31 Docker images in 21ms, 219 infrastructure files in 414ms
  • CI/CD Ready: Exit codes based on severity thresholds gate deployments automatically
  • SARIF Integration: Native GitHub Code Scanning, Azure DevOps, and GitLab compatibility

Compliance Assurance

  • Meet regulatory requirements with 9 framework mappings per finding
  • Satisfy GCC market requirements with NCA-ECC and SAMA CSF coverage
  • Generate audit-ready reports with SBOM in SPDX and CycloneDX formats

Supported Technologies

Container & Orchestration

Container Runtimes
  • Docker / Docker Engine
  • Docker Compose (v2 and v3)
  • Kubernetes (any distribution)
  • Helm Charts (templates and values)

Cloud Providers

AWS (35+ Rules)
  • S3, EC2, Security Groups, IAM, RDS, Lambda, VPC
  • CloudTrail, API Gateway, DynamoDB, ElastiCache
  • EKS, ECS, ECR, KMS, SNS, SQS
GCP (25+ Rules)
  • Cloud Storage, Compute Engine, GKE, IAM
  • BigQuery, KMS, Cloud Functions, Cloud Run
  • Pub/Sub, Cloud SQL, Cloud DNS, Firewall
Azure (30+ Rules)
  • Virtual Machines, Storage Accounts, AKS
  • Key Vault, App Service, SQL Database, Cosmos DB
  • Container Registry, Network Security Groups, Redis Cache, Monitor

Infrastructure as Code

  • Terraform (AWS, GCP, Azure, Docker, Kubernetes providers)
  • Ansible Playbooks (YAML)
  • Helm Charts (Go templates + values)
  • AWS CloudFormation (YAML and JSON)
  • Azure ARM Templates (JSON)

Operating Systems (Image Scanning)

  • Alpine Linux — APK package database parsing
  • Debian — DPKG status file parsing
  • Ubuntu — DPKG status file parsing
  • RHEL / CentOS / Fedora — RPM manifest parsing
  • Amazon Linux — RPM manifest parsing

Compliance Frameworks

Every finding maps to all 9 frameworks simultaneously:
  • CIS Benchmarks — Docker, Kubernetes, AWS, GCP, Azure hardening
  • SOC2 — CC6.1, CC6.6, CC7.2 Trust Services Criteria
  • PCI-DSS — 1.3, 2.2, 3.4, 6.2, 6.5, 7.1, 8.1, 10.6
  • NCA-ECC — Saudi NCA Essential Cybersecurity Controls (3-1-2, 3-2-1, 3-3-1, 4-1-1, 4-2-1)
  • SAMA CSF — Saudi SAMA Cyber Security Framework (3-1-1, 3-2-1, 3-3-1, 4-1-2, 4-2-1)
  • NIST 800-53 — AC-6, SC-7, SC-12, SI-2, CM-7
  • GDPR — Article 32 Security of Processing
  • HIPAA — 164.312 Access Control and Encryption
  • FedRAMP — AC-6, SC-7, SC-12, SI-2

Output Formats

  • Enterprise JSON — Multi-tenant SaaS-ready with scan_id, tenant_id, CSPM/Container separation
  • SARIF 2.1.0 — GitHub Code Scanning, Azure DevOps, GitLab Security compatible
  • SPDX 2.3 — ISO standard Software Bill of Materials
  • CycloneDX 1.5 — OWASP standard SBOM with vulnerability data (JSON and XML)

Using Codepure Container Security

Quick Start Guide

1. Initiate Scan

Configure and launch your container security analysis:
Steps:
  • Navigate to your project dashboard
  • Select the repository or upload your infrastructure code
  • Choose Container Security from the scanner options
  • Configure scan parameters:
    • Select scan types (Dockerfile, Compose, K8s, Terraform, Image CVE, Secrets)
    • Enable CVE scanning for Docker images
    • Enable secret scanning
    • Set severity thresholds
    • Select compliance frameworks (all enabled by default)
  • Click Start Scanning to begin analysis

2. Review Results

Access detailed vulnerability findings with contextual information:
Understanding Results:
  • Severity Levels: Critical, High, Medium, Low
  • CSPM Categorization: Findings organized by cloud provider (AWS/GCP/Azure) and security domain (IAM/Network/DataAtRest/Logging)
  • Container CVEs: Package-level vulnerability details with installed version, fix version, and CVSS score
  • Compliance Tags: CIS, SOC2, PCI-DSS, NCA, SAMA, NIST, GDPR, HIPAA, FedRAMP mappings per finding
  • Remediation Guidance: Step-by-step fix instructions with example commands and configuration snippets
Filtering Options:
  • By severity level
  • By scan type (Dockerfile, Compose, K8s, Terraform, CVE, Secret)
  • By cloud provider (AWS, GCP, Azure)
  • By compliance standard (CIS, SOC2, PCI-DSS, NCA, SAMA)
  • By resource type or file path

3. Remediate Vulnerabilities

Get actionable fix guidance with code examples:
Remediation Features:
  • Detailed Description: Understanding the misconfiguration or vulnerability
  • Attack Scenario: How the misconfiguration could be exploited
  • Compliance Impact: Which frameworks are violated and which controls apply
  • Fix Suggestions: Step-by-step remediation guidance with code examples
  • Verification: Re-scan to confirm successful remediation

Advanced Features

SBOM Export

Generate Software Bill of Materials for scanned container images: SPDX 2.3
  • ISO standard SBOM format
  • Package inventory with name, version, and supplier information
  • Relationships between packages and the scanned image
  • Vulnerability mappings per package
CycloneDX 1.5
  • OWASP standard SBOM format
  • Component inventory with Package URLs (PURL)
  • Dependency graphs showing package relationships
  • Vulnerability data with severity, CVSS scores, and remediation recommendations
  • Evidence of package discovery (file paths, layer information)

SARIF 2.1.0 Integration

Export findings in Static Analysis Results Interchange Format for platform integration:
  • GitHub Code Scanning: Upload SARIF files to the Security tab
  • Azure DevOps: Use the Security extension for SARIF import
  • GitLab Security Dashboard: Import SARIF results into the vulnerability report
  • Microsoft Defender for Cloud: Feed SARIF findings into the cloud security posture
Each SARIF result includes findingType property to distinguish CSPM misconfigurations from container CVEs, plus full compliance tag arrays.

Air-Gapped Deployment

Container Security works fully offline:
  • All CVE databases bundled on disk
  • All rule sets embedded in the binary
  • No internet connectivity required
  • Custom CVE databases loadable via --advisory-db flag

What Makes Codepure Container Security Different

100% Native Engine

Unlike tools that wrap Trivy for image scanning, Checkov for Terraform, and custom scripts for secrets, Codepure built our Container Security engine entirely from the ground up in native Go:
CapabilityTraditional ApproachCodepure Approach
Docker image scanningRequires Trivy binary and Python runtimeNative layer parser reads APK/DPKG/RPM directly
Terraform scanningRequires Checkov subprocessNative HCL parser with 90+ rules
Secret scanningRequires external tool (gitleaks, trufflehog)Built-in regex + entropy engine
SBOM exportRequires syft or separate toolBuilt-in SPDX 2.3 and CycloneDX 1.5
CVE databaseDownloads at runtime, needs internetBundled on disk, works fully offline
DependenciesPython, pip, multiple packagesZero — single compiled binary
Startup timeSeconds (runtime initialization)Milliseconds (compiled binary)

Real Image Layer Parsing

Our engine doesn’t guess what packages might be in an image — it reads the actual package manifests: 
Docker Image .tar (from docker save)


  Read manifest.json → Identify layer.tar files


  Parse each layer for:
    • /var/lib/apk/db/installed  → Alpine packages (APK format)
    • /var/lib/dpkg/status        → Debian/Ubuntu packages (DPKG format)
    • RPM manifest files          → RHEL/CentOS packages (RPM format)
    • /etc/os-release             → Operating system detection


  Cross-reference packages against CVE database


  Report: CVE ID, severity, installed version, fix version
This means accurate vulnerability detection based on what’s actually installed in your container, not what we think might be there.

Unified Multi-Cloud CSPM

One scan covers security posture across all three major cloud providers with domain categorization:
DomainWhat It Covers
IAMOverly permissive policies, admin access, missing MFA, root access keys
NetworkOpen security groups, missing VPC flow logs, exposed API endpoints, public subnets
Data at RestMissing KMS encryption, unencrypted databases, public storage buckets
LoggingDisabled CloudTrail, missing diagnostic settings, no threat detection