For the fifth time now, the platform provider Sysdig, which focuses on Secure DevOps, has published its annual “Cloud-Native Security and Usage Report” (formerly “Container Security and Usage Report”). Whereas last year the company found growing awareness of security and monitoring among users – and with it a noticeable shift left in container security – the 2022 edition of the report paints a mixed picture. Open source tools such as Prometheus and Falco help to automate the monitoring of production environments and the detection of threats, but around three quarters of the container images examined still run with vulnerabilities or even as root.
Implementation of security best practices is stagnating
Admittedly, 42 percent of the container images examined are scanned early in the build process, in line with a shift-security-left strategy in the CI/CD pipeline, but for more than half of the images the check takes place only at runtime, after deployment. Companies apparently accept the risk of having to patch vulnerabilities later in exchange for delivering software to users faster. According to the Sysdig report, however, 85 percent of container images used in production environments have at least one vulnerability, and in three quarters of the images the severity is rated high or critical.
The situation is exacerbated by the trend of integrating ever more container images from public repositories that are not consistently validated or checked for vulnerabilities; their share rose from 47 to 61 percent compared to the previous year. With a market share of 26 percent, Quay placed itself ahead of Docker Hub for the first time, and providers such as Red Hat and AWS each doubled their share.
Rights configuration often insufficient
In addition, security problems often arise from misconfigurations in the production environment. One important factor is the privilege settings of containers: the latest Sysdig research found that 76 percent of images run with root privileges, a significant increase over the 58 percent in the previous year’s report. In many companies, the adoption of recommended DevSecOps processes is apparently lagging behind their cloud-native operating models.
Against this background, those responsible at Sysdig see the steadily increasing use of open source tools such as Prometheus and Falco as a positive sign. While Prometheus has established itself as the leading tool for monitoring, logging and tracing with a share of 83 percent, Falco serves as a threat detection engine for Kubernetes, used among other things to detect unexpected behavior, intruders and data theft at runtime. Docker Hub pulls of the project, which Sysdig contributed to the CNCF incubator, have doubled to a good 40 million within the past 12 months. Falco alerts users, for example, to terminal shells spawned inside containers or to images running with root privileges.
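As an added example (not code from Sysdig, Falco or the report), a small pre-deployment check in Python that flags pod manifests whose containers would end up running as root, the misconfiguration behind the figures above; the sample manifests are constructed, and treating an unset security context as root is this example's own assumption.

```python
# Added example (not from the Sysdig report or Falco): a static pre-deployment
# check that flags pod specs whose containers would run as root, the
# misconfiguration behind the "76 percent run with root privileges" finding.
from typing import Dict, List


def runs_as_root(pod_spec: Dict, container: Dict) -> bool:
    """True if the container's effective security context permits UID 0.

    Container-level securityContext overrides pod-level. With no UID set,
    Kubernetes keeps the image's default user, which is root for most base
    images, so an unset context counts as root (this example's assumption).
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if uid is not None:
        return uid == 0  # an explicit UID wins; 0 is root
    # No explicit UID: only runAsNonRoot=True makes the kubelet refuse a root image
    return not non_root


def root_containers(pod: Dict) -> List[str]:
    """Names of all containers (initContainers included) that would run as root."""
    spec = pod["spec"]
    ctrs = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["name"] for c in ctrs if runs_as_root(spec, c)]


def audit(pods: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each pod name to its root-running containers (empty list = clean)."""
    return {name: root_containers(pod) for name, pod in pods.items()}


# Constructed sample manifests (already parsed from YAML), not real workloads.
PODS = {
    "defaults": {"spec": {"containers": [{"name": "app", "image": "example/app"}]}},
    "pod_nonroot": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "app", "image": "example/app"}]}},
    "override_to_root": {"spec": {
        "securityContext": {"runAsUser": 1000},
        "containers": [{"name": "app", "image": "example/app"},
                       {"name": "debug", "image": "example/tools",
                        "securityContext": {"runAsUser": 0}}],
        "initContainers": [{"name": "migrate", "image": "example/migrate"}]}},
}
```

Running `audit(PODS)` yields `{'defaults': ['app'], 'pod_nonroot': [], 'override_to_root': ['debug']}`: the pod with no security context at all is flagged, the pod-level `runAsNonRoot` protects its container, and a container-level `runAsUser: 0` silently undoes a pod-level non-root UID.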
Comprehensive insight into cloud-native container environments
The complete Cloud-Native Security and Usage Report 2022 provides detailed insight into the security posture and operation of cloud-native container and Kubernetes environments. The report is based on an analysis of data from around three million container deployments by Sysdig customers. In addition, the provider included data from publicly available sources such as GitHub, Docker Hub and the Cloud Native Computing Foundation (CNCF). The report is available for free download on the company website.