惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 三生石上(FineUI控件)
Martin Fowler
Martin Fowler
月光博客
月光博客
AI
AI
B
Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CXSECURITY Database RSS Feed - CXSecurity.com
WordPress大学
WordPress大学
GbyAI
GbyAI
L
Lohrmann on Cybersecurity
O
OpenAI News
Schneier on Security
Schneier on Security
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
L
LINUX DO - 最新话题
人人都是产品经理
人人都是产品经理
S
Security Affairs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
A
Arctic Wolf
Recorded Future
Recorded Future
Microsoft Security Blog
Microsoft Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
C
Check Point Blog
Scott Helme
Scott Helme
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Vercel News
Vercel News
The Hacker News
The Hacker News
Y
Y Combinator Blog
Latest news
Latest news
SecWiki News
SecWiki News
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Google Online Security Blog
Google Online Security Blog
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
博客园_首页
H
Hackread – Cybersecurity News, Data Breaches, AI and More
宝玉的分享
宝玉的分享
L
LINUX DO - 热门话题

Sysdig Blog

Masterclass: AI is more than ChatGPT and LLMs CVE-2026-39987 update: How attackers weaponized marimo to deploy a blockchain botnet via HuggingFace Kubernetes 1.36 - New security features 5 steps to securing AI workloads Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours Security briefing: March 2026 The Sysdig MCP server is now available in AWS Marketplace Risk isn’t reduced until you take action: How teams resolve issues in the cloud AI infrastructure security: Why it deserves its own category Three pillars for building effective runtime-powered cloud defense, the right way Closing the cloud security gap with runtime security Seeing risk isn’t stopping it: Why visibility alone isn’t enough TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions AI coding agents are running on your machines — Do you know what they're doing? Runtime security for AI coding agents: Protecting AI-assisted development How runtime insights power every cloud security use case CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours Inline Cloud Response: Accelerating AWS threat containment for SOC teams Runtime malware detection for AWS Fargate Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes Malware detection with Sysdig Security briefing: February 2026 Leveling up Kubernetes Posture: From baselines to risk-aware admission LLMjacking: From Emerging Threat to Black Market Reality Real risks live at runtime: Why CISOs must care about deep telemetry in 2026 Sysdig named a Leader in the Forrester Wave™: Cloud Native Application Protection Solutions, Q1 2026 How to run rootless containers AI-assisted cloud intrusion achieves admin access in 8 minutes Security briefing: January 2026 Securing GPU-accelerated AI workloads in Oracle Kubernetes Engine Bringing OSS runtime security to AWS: Falco integration with AWS Security Hub CSPM Our customers have spoken: Sysdig rated a Strong Performer in Gartner® Voice of the Customer for Cloud-Native Application Protection Platforms Protecting sensitive business data in preparation for the organization's Gen AI VoidLink threat analysis: Sysdig discovers C2-compiled kernel rootkits AI is still a workload: A practical guide to securing AI workloads How threat actors are using self-hosted GitHub Actions runners as backdoors How Sysdig Sage delivers AI-powered, real-world vulnerability management Security briefing: December 2025 Top 10 ways to get breached in 2026 EtherRAT dissected: How a React2Shell implant delivers 5 payloads through blockchain C2 Introducing runtime file integrity monitoring and response with Sysdig FIM How to detect multi-stage attacks with runtime behavioral analytics EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js The rise of AI agents: How autonomous AI Is transforming cloud security Kubernetes 1.35 - New security features The Urgency of Securing AI Workloads for CISOs Security briefing: November 2025 Quantum and the cloud: Science fiction turned security strategy Cloud security, the right way: What the industry should demand (and why "good enough" isn't) Return of the Shai-Hulud worm affects over 25,000 GitHub repositories Detecting CVE-2024-1086: The decade-old Linux kernel vulnerability that’s being actively exploited in ransomware campaigns What’s old is new again: How to demystify AI security with AIBOMs Securing Kubernetes with agentic cloud security How agentic cloud security reduces real risks Hunting reverse shells: How the Sysdig Threat Research Team builds smarter detection rules Shifting left with AI and MCP: Sysdig + Amazon Q Developer How Falco and Stratoshark close the gap between open source runtime detection and deep forensic analysis Investigating security issues with ChatGPT and the GitHub MCP server New runc vulnerabilities allow container escape: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 Harden your LLM security with OWASP Security briefing: October 2025 How agentic AI is changing cloud security Kubernetes Incident Response: Detect, investigate, and contain in under 10 minutes Sysdig recognized as a Cloud Security Leader in Latio Tech Cloud Security Market Report AI echolocation of cloud risks using Sysdig & Snyk MCP servers Sysdig MCP Server: Bridging AI and cloud security insights Understanding CVE-2025-49844: “RediShell” Critical Remote Code Execution in Redis How Sysdig secures your containers and Kubernetes Sysdig Security Briefing: September 2025 Cloud security, the right way: The 3 pillars of real-time defense Open source spotlight: Bringing web application security to Falco with Falcoya's Nginx plugin Malicious NPM packages: Are you exposed? AI for SOC teams: 5 cloud security prompts to start your day with Sysdig Sage™ Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages ZynorRAT technical analysis: Reverse engineering a novel, Turkish Go-based RAT Modern vulnerability management, built for the cloud Build your AWS incident response playbook with open source tools 2025 Gartner® CNAPP Market Guide: Runtime visibility is no longer optional Threat hunting with Sysdig: Uncovering “IngressNightmare” Open source spotlight: From alerts to action with AI-powered Falco Vanguard From triage to action: How Sysdig’s agentic cloud security platform slashes noise and accelerates remediation The vision comes to life: Agentic cloud security with Sysdig Sage™ Data security findings: A technical deep dive Connecting runtime to source: Sysdig and Semgrep integration Fix what matters, faster: How Sysdig and Semgrep are unifying security without silos – from code to runtime Defending sensitive data with Sysdig Secure Redefining cloud security, the right way Join the movement: The Sysdig Open Source Community is live A smarter, safer cloud in the age of AI Unifying detection and response: Sysdig + Cortex XSOAR for security at cloud speed The future of security is open, and it needs a unified hub: The Sysdig Open Source Community is here CVE-2025-53104: Command injection via GitHub Actions workflow in gluestack-ui Why MCP server security is critical for AI-driven enterprises What’s new in Sysdig — June 2025 AI-powered CNAPP with Sysdig Sage™ Revolutionizing Cybersecurity Search with Sysdig Sage™ Sysdig Threat Bulletin: Iranian Cyber Threats The end of the prioritization-only era: Vulnerability management needs action Dangerous by default: Insecure GitHub Actions found in MITRE, Splunk, and other open source repositories
Eliminating runtime blind spots: How CleanStart and Sysdig build continuous trust across the container lifecycle
Taradutt Pant · 2026-02-25 · via Sysdig Blog

The container security paradox

Container adoption has transformed how software is built and delivered. That same speed and flexibility, however, has dramatically expanded the attack surface. When teams pull a base image from a public registry, they do not just inherit functionality. They inherit every vulnerability, misconfiguration, and potential backdoor embedded in that image.

A single compromised dependency can silently propagate across development, staging, and production environments long before traditional scanners raise an alert.

The Tesla Kubernetes breach illustrates this paradox clearly. Attackers did not exploit a zero-day in application code. Instead, they abused misconfigured container infrastructure, exposed credentials, and insufficient runtime controls to hijack compute resources. The workloads were running, but no one was watching closely enough at runtime to detect the abuse early.

This pattern is far from unique.

High-profile incidents such as SolarWinds, Log4j, and the xz backdoor demonstrate that modern supply chain attacks do not stop at source code. Attackers target build systems, CI/CD pipelines, third-party dependencies, and live runtime environments simultaneously. Static scanning finds yesterday’s risks. Runtime-only tools detect anomalies but often lack the context needed to trace them back to the build or supply chain source.

The result is a familiar and dangerous state:

  • Security teams overwhelmed by CVE noise
  • Fragmented visibility across the software delivery pipeline
  • No verifiable way to prove that what was built, signed, and approved is actually what is running and behaving securely in production

This is where the CleanStart and Sysdig partnership changes the equation.

By combining build-time hardening, cryptographic provenance, and image trust with deep runtime intelligence and enforcement, CleanStart and Sysdig close the most dangerous gap in container security: the blind spot between build and runtime.

Understanding the attack surface across the container lifecycle

Modern container breaches rarely exploit a single weakness. Instead, attackers chain together gaps across multiple stages of the container lifecycle, from build to runtime.

Build-time risks in the container supply chain

Risk is often inherited long before an application is ever executed. Common build-time risks include:

  • Inherited vulnerabilities: Public base images frequently ship with hundreds of known CVEs
  • Dependency poisoning: Malicious or compromised packages introduced into open-source ecosystems
  • Build system compromise: CI/CD pipelines targeted to inject or modify code
  • Lack of provenance: No cryptographic proof of how, when, or by whom software was built and signed

Without provenance, teams cannot confidently verify whether an image is safe or trusted for organizational use. This erodes trust at the foundation of the software supply chain. Supply chains have become a preferred attack vector precisely because this trust is often assumed rather than verified.

Runtime risks: Where exploitability actually matters

Once containers are running, risk shifts from theoretical exposure to real exploitability. Adversaries can leverage several runtime risk factors:

  • Configuration drift: Containers deviating from approved, hardened states
  • Privilege escalation: Excessive permissions and misconfigured identities enabling abuse
  • Lateral movement: Compromised containers used to pivot across workloads
  • Zero-day exploitation: Pre-patch vulnerabilities abused in production

Critically, not every vulnerability present in an image represents real runtime risk.

Traditional vulnerability management treats all CVEs equally, forcing teams to chase thousands of findings. Many of these are tied to libraries that are never loaded, never executed, or never reachable. The result is wasted engineering effort on non-exploitable issues while truly dangerous risks remain buried in unprioritized alerts.

Runtime reality: In-use vulnerabilities matter more than CVE counts

What matters at runtime is execution context, but those details are often difficult to capture.

Teams struggle to identify:

  • Vulnerabilities in libraries present on disk but never loaded into memory
  • CVEs in code paths that are unreachable or not exposed to input
  • Low-risk findings that consume remediation cycles
  • What actually executes in production environments

Build-time scanners alone cannot answer these questions.

The gap between build and runtime security

The disconnect between build-time security and runtime security creates a dangerous blind spot.

Build-time scanners generate massive CVE lists but provide no insight into which components execute in production. Runtime tools may detect suspicious behavior, but often lack the context to trace it back to a specific image, build process, or source commit.

Without a continuous trust chain:

  • Security teams drown in noise
  • Engineering teams lose clear remediation priorities
  • Organizations cannot prove that what was built, approved, and signed is what is actually running

Why runtime intelligence changes the equation

Runtime intelligence bridges this visibility gap. When combined with in-use context, runtime telemetry enables teams to determine:

  • Which vulnerable libraries are actually loaded in memory
  • Which processes, binaries, and system calls are executed
  • Which vulnerabilities are exposed to real attack paths
  • Which CVEs can be safely deprioritized

This allows organizations to focus remediation efforts where they matter most: high-risk, in-use vulnerabilities.

Runtime intelligence reduces alert fatigue, accelerates patching, and lowers vulnerability backlogs and production risk. It enables a shift from volume-based scanning to risk-based, runtime-driven remediation.

CleanStart: Establishing trust at the source

CleanStart approaches container security from first principles. Starting from a clean foundation significantly reduces downstream risk. It accomplishes this through several critical capabilities.

Near-zero CVE base images

CleanStart delivers hardened container base images with a near-zero known CVE footprint at release time. This is architectural, not cosmetic:

  • Minimal by design: Only essential components are included
  • Continuously hardened: CIS benchmarks and industry best practices applied
  • Scanned and verified: Vulnerability and malware scanning before release
  • Signed for integrity: Cryptographic signatures enable verification and detection of tampering

SLSA-aligned build provenance

CleanStart aligns with Supply-chain Levels for Software Artifacts (SLSA) principles by enforcing hermetic, reproducible builds and generating cryptographically signed provenance:

  • Hermetic builds: Isolated, reproducible builds designed to produce deterministic outputs from identical inputs
  • Provenance attestations: Cryptographically signed metadata documenting:
    • Source repository and commit
    • Build system and configuration
    • Dependencies resolved at build time
    • Builder identity and timestamps
  • Verifiable chain of custody: Auditors can validate not just what was built, but how it was built

Distroless and minimal images

CleanStart provides development images with debugging tools and production-grade distroless images stripped to essential runtime components only.

No shells. No package managers. No unnecessary utilities.

Custom image building

Through the CleanStart Portal, teams can request images tailored to internal standards, including:

  • Operating system and version
  • Application runtimes (Node.js, Python, Java, Go, etc.)
  • Architectures (x64, ARM64)
  • Compliance profiles (FIPS, CIS hardened)

Nothing more than required and nothing less.

A diagram of a companyAI-generated content may be incorrect.

CleanStart and Sysdig: A continuous trust loop

CleanStart and Sysdig form a tightly coupled feedback loop that strengthens security posture across the container lifecycle.

Build-to-runtime traceability

CleanStart produces software bills of materials (SBOMs), cryptographic provenance attestations, and vulnerability scanning results. Sysdig consumes this metadata to validate that deployed images match verified builds, correlate runtime findings with exact component versions, and attribute suspicious behavior to specific images, layers, and source components.

Runtime-to-build feedback

Sysdig’s runtime insights inform future builds by identifying packages that are never used, prioritizing vulnerabilities actively targeted at runtime, and refining detection policies based on real-world behavior.

Verified deployment gates

Together, CleanStart and Sysdig enable:

  • Image signature verification via admission control at deploy time
  • Provenance validation before deployment
  • Risk-based vulnerability gates
  • Continuous compliance checks against policy

Sysdig: Runtime threat detection, prevention, and forensics

While CleanStart establishes trust at build time, Sysdig extends that trust into production through deep runtime visibility.

Sysdig uses eBPF-based instrumentation to monitor system calls, processes, file access, and network activity with minimal overhead and accurate workload attribution.

Falco, the CNCF standard for runtime security, applies behavioral rules to detect unexpected process execution, suspicious file system access, malicious network connections, privilege escalation attempts, and container escape techniques.

A screenshot of a computerAI-generated content may be incorrect.

Sysdig also prioritizes vulnerabilities based on actual runtime exposure by correlating in-use packages with exploitability, permissions, internet exposure, and live detections. Runtime drift detection further identifies unauthorized binaries, configuration tampering, cryptomining activity, and persistence mechanisms.

Conclusion

Container security is neither a build-time problem nor a runtime problem. It is both.

Together, CleanStart and Sysdig establish a continuous trust chain from source to production. CleanStart ensures images are built cleanly and verifiably. Sysdig ensures those images behave securely in production, with runtime intelligence feeding back into stronger builds.

The outcome is not just better security. It is provable security.

Organizations can demonstrate exactly how their software was built and how it is behaving right now. In an era of accelerating software supply chain attacks, this proof is no longer optional.

Ready to learn more about securing cloud workloads from source to production?

Download our whitepaper, Your Cloud Security Strategy is Backward.