Container Security with Halo Container Secure

Container Secure automates security and compliance coverage for Docker, Kubernetes, and continuous-delivery pipeline infrastructure. Built on top of the Halo platform, it provides container security as a standalone service, or in concert with Halo Server Secure (CWPP) and Cloud Secure (CSPM). 

The Comprehensive Solution for Container Security

Expanding the Halo platform, Container Secure provides security and compliance automation for containerized applications running in public, private, or hybrid cloud hosting environments. 

Halo Container Secure is more than just container security: it secures the runtime and development environments.



  • Assesses the DevOps toolchain for security and compliance
  • Assesses images before they go into production
  • Verifies safety and compliance of container runtime environments
  • Immediately detects and inventories containers launched from unknown or “rogue” container images

Key Container Security Capabilities

Halo automates key security and compliance functions through a set of customizable policies and technical rules that support common Docker and Kubernetes standards such as CIS benchmarks. These policies and rules are used to determine if container-related assets are compliant with best-practice security controls.



  • Automatically discovers, interrogates, and inventories Docker hosts, AWS ECS container instances, AWS Fargate, Azure Container instances, Kubernetes nodes, AWS EKS clusters, and Azure AKS clusters
  • Detects vulnerabilities in host operating systems, container runtimes, orchestration configurations, unpatched packages, access privileges, security control configurations, network services, process whitelists/blacklists, and more
  • Continually monitors Docker hosts, AWS ECS instances, Azure Container instances, Fargate deployments, Kubernetes nodes, AWS EKS clusters, and Azure AKS clusters to detect new vulnerabilities and exposures introduced by innocent changes or malicious activity
  • Automatically detects Docker host and Kubernetes node intrusions through log monitoring, file and system integrity monitoring, and IoT/IoC detection for container security
  • Immediately delivers vulnerability and exposure issues to system owners via REST API and message queues—see list of integrations
  • Provides detailed issue evidence and remediation guidance, automatically detecting and reporting resolved issues

Secures Every Layer of the Container Environment

Complete Container Stack Coverage

Security and compliance requirements vary depending on the design of your container environment. Halo Container Secure not only secures containers, but also image registry platforms, Docker daemons, and orchestration software to ensure proper security and compliance.

When combined with Cloud Secure and Server Security, it expands coverage to the service control plane, host, and host operating system.

Container Environment


Broad Container Environment Support

Halo Container Secure was designed to integrate directly with Docker hosts, Kubernetes nodes, and a range of image registries like AWS ECR, Docker Trusted Registry, and JFrog Artifactory.

Supported Technologies


  • AWS Elastic Container Service (ECS)
  • AWS Elastic Kubernetes Service (EKS)
  • AWS EC2 / AWS Fargate
  • Azure Kubernetes Service (AKS)
  • Azure Container Instances (ACI)
  • Kubernetes (self-managed)
  • Docker Enterprise
  • Docker Community Edition


  • AWS Elastic Container Registry (ECR)
  • Docker Private Registry
  • Docker Trusted Registry
  • JFrog Artifactory

CI Server

  • Jenkins

Container Runtime

  • Docker Engine
  • Containerd

Base Image OS

  • Alpine Linux
  • Amazon Linux
  • CentOS
  • Debian
  • Oracle Linux
  • Red Hat Enterprise Linux
  • Ubuntu

Host Operating System

  • Amazon Linux
  • CentOS
  • Debian
  • Oracle Linux
  • Red Hat Enterprise Linux
  • Ubuntu 

How Halo Container Secure Works


Shifts Security Left

Halo Container Secure includes a Jenkins-native plug-in that brings key Halo assessments into the build testing process. This integrates security teams directly with DevOps processes and technologies as part of the “shift left” strategy that eliminates security flaws before they reach production.


Builds a Database of Images and Vulnerabilities

Container Secure automatically builds a database of Docker images and their vulnerability status in the Halo Cloud by assessing images in one of three ways.


  • Halo’s registry connector scans container images at rest.
  • A Jenkins-native plugin scans images as changes are committed or as images are moved towards production.
  • Halo detects containers launched from unknown or “rogue” images, immediately scans rogue image instantiations, and seeks to associate them with known images.

Container Security - How Container Secure Works diagram

Running Containers

A lightweight 2MB software sensor (microagent) assesses running containers on Docker hosts, collects data about the container, and sends it to the Halo Cloud.

a single

Just specify if it’s a Docker or Kubernetes configuration and the control policies to use, such as intrusion detection and log monitoring—and turn on Docker runtime inspection.


The microagent can be installed directly as software on the container host environment or as a running container for easy implementations of container security.


The Halo Cloud does the heavy lifting for the microagent, comparing the data from the microagent with its container image database, known vulnerabilities, and security controls defined in policies and rules.

Extensive Security and Compliance Controls

Container Registries

  • Configuration assessment
  • Software vulnerability
  • Integrity monitoring
  • Event monitoring
  • Registry inventory

Container Software

  • Vulnerability assessment

Container Hosts

  • Configuration assessment
  • Software inventory
  • Software vulnerability
  • File integrity monitoring
  • Event monitoring
  • Traffic inventory
  • Traffic visualization

Images and Inventories

  • Automated container inventory
  • Container image software inventory

Purpose-built on the Unified Halo Cloud Security Platform

Many cloud security “suites” are mashups of old technology that require separate licensing, deployment, administration, and maintenance. Some even require that you purchase their legacy technologies or additional features that should be included to make their “next-generation” technology operate. Unlike “free” IaaS provider tools that don’t provide parity in their competitors’ clouds, Halo works across CSPs.

Halo was designed from the ground up to be a truly unified solution. The Halo Container Secure service uses the same API connectors, microagents, console, API, policy engine, data model, and analytics engine as our Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM) services.

