Platform / Container Security

Container Security

Vulnerabilities, SBOMs, signatures, and embedded secrets — before images ship.

The problem

What this replaces

Images are built daily and scanned never — or scanned in CI once and forgotten while new CVEs land. Registries multiply across clouds, and nobody knows which running image carries last week's critical.

The solution

What Offload does

Container images scanned across private and public registries for vulnerabilities, SBOMs generated, signatures verified, Dockerfiles linted, and embedded secrets detected — connected to the source repositories and clusters where images are built and run.

Capabilities

What you get

  • Registry coverage: AWS ECR, Google Artifact Registry, Azure ACR, Docker Hub, GitHub Container Registry
  • Dual-engine scanning (Trivy + Grype) with CISA KEV exploited-vulnerability enrichment
  • SBOM generation (Syft) in CycloneDX, SPDX, and syft-json
  • Dockerfile linting (Hadolint) and image signature verification (Cosign)
  • Embedded-secret detection inside image layers (TruffleHog)
  • Scheduled registry re-validation so findings stay current as new CVEs publish
  • CI/CD image and artifact scanning via GitHub Action and scoped API keys
Under the hood

How it works

Every scan runs in an isolated, single-use scanner container — tools are never installed into the platform runtime. Registry credentials are encrypted at rest and passed through a read-only authentication flow; auth failures are classified honestly rather than reported as scan results.

Results are normalized per image with severity summaries and history for trending.

One platform, one risk view

Image findings join unified vulnerability management, link to the repositories that build them and clusters that run them, and can gate CI/CD pipelines through the release-gate integration.

See Container Security on your own data.