Container Security
Vulnerabilities, SBOMs, signatures, and embedded secrets — before images ship.
What this replaces
Images are built daily and scanned never — or scanned in CI once and forgotten while new CVEs land. Registries multiply across clouds, and nobody knows which running image carries last week's critical.
What Offload does
Container images scanned across private and public registries for vulnerabilities, SBOMs generated, signatures verified, Dockerfiles linted, and embedded secrets detected — connected to the source repositories and clusters where images are built and run.
What you get
- Registry coverage: AWS ECR, Google Artifact Registry, Azure ACR, Docker Hub, GitHub Container Registry
- Dual-engine scanning (Trivy + Grype) with CISA KEV exploited-vulnerability enrichment
- SBOM generation (Syft) in CycloneDX, SPDX, and syft-json
- Dockerfile linting (Hadolint) and image signature verification (Cosign)
- Embedded-secret detection inside image layers (TruffleHog)
- Scheduled registry re-validation so findings stay current as new CVEs publish
- CI/CD image and artifact scanning via GitHub Action and scoped API keys
How it works
Every scan runs in an isolated, single-use scanner container — tools are never installed into the platform runtime. Registry credentials are encrypted at rest and passed through a read-only authentication flow; auth failures are classified honestly rather than reported as scan results.
Results are normalized per image with severity summaries and history for trending.
One platform, one risk view
Image findings join unified vulnerability management, link to the repositories that build them and clusters that run them, and can gate CI/CD pipelines through the release-gate integration.