{"id":36227,"date":"2026-05-15T03:34:12","date_gmt":"2026-05-14T16:34:12","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/container-security-not-only-a-scanner\/36227\/"},"modified":"2026-05-15T03:34:12","modified_gmt":"2026-05-14T16:34:12","slug":"container-security-not-only-a-scanner","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/container-security-not-only-a-scanner\/36227\/","title":{"rendered":"The capabilities of Kaspersky Container Security"},"content":{"rendered":"<p>Among the various tools in the Kaspersky portfolio is a dedicated platform for securing containerized environments. But in this post, I want to talk about Kaspersky Container Security (KCS) \u2014 not as a vendor representative, but rather as a member of a team that actively uses this solution in their daily work. Our Product Security Team is responsible for establishing secure development processes across the company. We\u2019re involved in every stage of the software development life cycle, and our priority is helping product teams catch security issues early so they can stay on schedule for their releases. To achieve this, we\u2019ve built several workflows, one of which focuses specifically on container security. That\u2019s exactly where we lean on our own Kaspersky Container Security platform.<\/p>\n<p>Container security solutions are typically viewed first and foremost as image scanners for the container registry. However, Kaspersky Container Security (KCS) is more of a comprehensive security platform for container environments that handles multiple tasks by virtue of its end-to-end integration into the container workflow. 
While it certainly includes a container image scanning scenario \u2014 which is undeniably important \u2014 our experience with KCS has shown that its real value becomes apparent when it\u2019s integrated into several points along the workflow at once:<\/p>\n<ul>\n<li>Regular builds<\/li>\n<li>Artifact verification prior to release or deployment<\/li>\n<li>Monitoring of containers already running in the cluster<\/li>\n<\/ul>\n<h2>The baseline scenario: how KCS scans images<\/h2>\n<p>At its core, the process is a standard one. KCS checks images for typical container issues: known vulnerabilities, malware, hardcoded secrets, and misconfigurations. However, the scan result isn\u2019t just a single, abstract verdict. The system calculates a risk rating based on the findings, providing a clear picture of the asset\u2019s security posture. In practice, this is incredibly useful because teams don\u2019t just see a \u201cbad image\u201d message; they get a transparent breakdown of exactly what\u2019s driving the risk and what needs to be fixed first.<\/p>\n<p>But that\u2019s not all. KCS works well for scenarios where it\u2019s not enough to just find a problem \u2014 you need to tie it to the artifact\u2019s life cycle. When a team is managing hundreds of builds, periodic registry scanning isn\u2019t enough, and it almost always requires manual intervention. You need to know which pipeline introduced the risk, which policies were triggered, and what the next steps are. KCS provides this essential link.<\/p>\n<h2>Advanced scenario: CI\/CD integration<\/h2>\n<p>One lesser-known KCS feature is its full-scale scanning capability within CI\/CD pipelines. For our team, this is the most effective way to use KCS. The logic is straightforward: you integrate the scanner into the pipeline, and the scan results appear directly in the execution logs. 
They\u2019re also sent to the solution\u2019s central console, where they\u2019re logged in a dedicated CI\/CD section that links the findings to the artifact name, scan time, pipeline, and severity level.<\/p>\n<p>In a CI\/CD environment, you can scan images from tar-archives or directly from Git repositories. Out of the box, it supports GitLab, Jenkins, TeamCity, and GitHub Actions; in practice, KCS can be integrated into any pipeline orchestrator.<\/p>\n<p>Another critical aspect of using KCS in CI\/CD involves security policies. Our solution uses a model where policies allow for not just collecting results, but also controlling the behavior of the pipeline itself. This comes in handy for phased rollouts. You can start in audit mode, and then gradually move toward failing builds when secrets, critical misconfigurations, or vulnerabilities are detected. This evolutionary approach generally works better than simply flipping a switch to block it all at once.<\/p>\n<h2>How KCS helps in our workflows<\/h2>\n<p>We run our own composition analysis system, so we don\u2019t treat KCS as a single source of truth. Instead, it serves as a powerful extra layer in our workflows, and that\u2019s exactly where we find the most value.<\/p>\n<p>While our in-house composition analysis system handles component tracking, dependencies, and code-level risk assessment, KCS excels at securing the container perimeter. It takes care of technical image scanning and CI\/CD security, while aggregating reports on container artifacts. It doesn\u2019t conflict with our internal analysis; it reinforces it right where containers receive actual workloads.<\/p>\n<p>This is particularly useful for us in two scenarios. First, it provides early-stage artifact control during development. Second, it acts as a gatekeeper during release acceptance. 
We no longer debate risks sometime after the release; we catch them at the exact point where the team can still quickly fix a Dockerfile, Helm chart, or config set without a lengthy approval chain.<\/p>\n<p>The way it handles a software bill of materials (SBOM) is also noteworthy. Our system relies primarily on up-to-date, relevant SBOMs. KCS offers modes specifically for processing SBOMs, and can even output scan results in that same format. In this regard, KCS integrates seamlessly with our internal processes, allowing us to fit it into our existing workflows rather than the other way around.<\/p>\n<h2>Why KCS is more than just a scanner to us<\/h2>\n<p>Its other powerful layer is cluster security. At this stage, KCS evolves beyond being just an image-scanning tool. It features runtime policies for containers and nodes, audit and blocking modes, and a set of security profiles. In practical terms, this means KCS can be used not only to find vulnerabilities within an image, but also to monitor what the container is actually doing once it\u2019s live. Policies can account for image provenance, digital signatures, restrictions on capabilities and volumes, and even the processes and network connections running inside the container.<\/p>\n<p>When a problem is detected, you have the option to log the results in audit mode first rather than blocking the process immediately. In production environments, this is always the smarter move. Another vital tool is ensuring trusted image provenance. KCS supports digital signature verification, which shifts the focus from simply finding CVEs to securing the company\u2019s entire software supply chain.<\/p>\n<h2>Reporting capabilities<\/h2>\n<p>KCS does more than just display the issues it detects; it serves as a comprehensive reporting source. 
It can generate reports on images, accepted risks and Kubernetes benchmarks.<\/p>\n<p>Generated reports are available in HTML, PDF, CSV, JSON and XML formats, with specific support for SARIF for detailed reporting \u2014 which is ideal for integrating into AppSec workflows. As for the SBOMs mentioned above, the scanning scenarios can output artifacts and results in CycloneDX and SPDX formats, making it easy to plug into existing processes.<\/p>\n<h2>Why we continue to use KCS<\/h2>\n<p>To put it simply, KCS complements our workflows perfectly \u2014 not because it solves every single problem, but because it integrates so effectively into engineering scenarios.<\/p>\n<p>We also appreciate that the product team listens to our feedback. The KCS team actually incorporates our practical operational requests into their development roadmap. For example, deep SBOM integration and specific report types were added to KCS as a direct result of our hands-on experience.<\/p>\n<p>To sum it up, when integrated correctly, Kaspersky Container Security helps cover several areas at once: from basic container scanning, to CI\/CD and cluster security. In our experience, it provides real value within a live container ecosystem. 
You can learn more about the solution <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/container-security?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">on the official KCS page<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How we use Kaspersky Container Security at Kaspersky, and why it&#8217;s much more than just an image scanner to us.<\/p>\n","protected":false},"author":2795,"featured_media":36228,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993],"tags":[3799,3800,3323],"class_list":{"0":"post-36227","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-ci-cd","10":"tag-container-security","11":"tag-containers"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/container-security-not-only-a-scanner\/36227\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/container-security-not-only-a-scanner\/30719\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/container-security-not-only-a-scanner\/25770\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/container-security-not-only-a-scanner\/30568\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/container-security-not-only-a-scanner\/41860\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/container-security-not-only-a-scanner\/55771\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/container-security-not-only-a-scanner\/30657\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/container-security-not-only-a-scanner\/3612
0\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/containers\/","name":"containers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2795"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=36227"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36227\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/36228"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=36227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=36227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=36227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}