These days, the software running inside a container is itself a complex pyramid of code
dependencies on various libraries.
Do you know who built your dependencies?
Do you trust those developers?
The Risk of Breach
One of the main problems of CI/CD built around containers
The container breaches that keep taking place point to one fundamental issue
with containerization: the lack of visibility
into what happens inside the running containers.
Consider these challenges:
- Bespoke malware can bypass an antivirus if the attackers first test it against VirusTotal to
  make sure it is not detected
- Attackers may fingerprint all of a container's services and launch an attack as soon as a new
  vulnerability is disclosed
- System event interception will not flag a cryptominer if its functionality largely consists of
- A container with no vulnerabilities whatsoever could still easily be exploited if its service
  relies on a weak password
- A GitHub repository can be broken into or typosquatted, so that the entire supply chain is
  For example, the attackers may clone the goodpackage.git
  repository as good-package.git and then trojanise it; such a dependency would be very
  hard to spot
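The typosquatting scenario above (goodpackage.git cloned as good-package.git) can be caught before a build ever runs by comparing every declared dependency against a vetted allowlist and flagging near-misses. The following is an added example, not Prevasio's code; the allowlist, the requirements lines and the edit-distance threshold of 2 are constructed assumptions, and the name normalisation follows the convention Python package indexes use (case-insensitive, with runs of `-`, `_` and `.` treated as one separator) so that `Good_Package` and `good-package` are judged as the same string.

```python
"""Lookalike-dependency check: added example, not part of the original page or product."""
from __future__ import annotations

import re

# Constructed allowlist: names the team has reviewed and pinned. Everything else is untrusted.
TRUSTED = {"goodpackage", "requests", "urllib3", "pyyaml"}


def normalise(name: str) -> str:
    """Canonicalise a project name: lowercase, and collapse runs of '-', '_', '.' into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute (classic DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement(line: str) -> str | None:
    """Return the bare project name from a requirements-style line ('name==1.2  # note').
    URL and VCS requirements are out of scope for this example and yield their first token."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def find_lookalikes(requirements: list[str], trusted: set[str] = TRUSTED,
                    max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Flag each dependency that is NOT on the allowlist but lies within max_distance edits
    of an allowlisted name. Returns (declared_name, trusted_name, distance) triples."""
    trusted_norm = {normalise(t): t for t in sorted(trusted)}
    findings: list[tuple[str, str, int]] = []
    for line in requirements:
        name = parse_requirement(line)
        if name is None:
            continue
        n = normalise(name)
        if n in trusted_norm:
            continue  # exact (normalised) match with a vetted name: fine
        for tn, original in trusted_norm.items():
            d = levenshtein(n, tn)
            if d <= max_distance:
                findings.append((name, original, d))
    return findings


# Constructed sample requirements: one vetted name, one lookalike, one dropped letter, one
# differently-cased vetted name, and one unrelated package.
SAMPLE_REQUIREMENTS = [
    "goodpackage==1.2",
    "good-package>=1.0  # reads the same as goodpackage in a quick review",
    "request",
    "PyYAML",
    "numpy",
]

if __name__ == "__main__":
    for declared, vetted, dist in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"{declared!r} is {dist} edit(s) from vetted {vetted!r}: review before building")
```

Run as a pre-build gate in CI: any non-empty result should fail the pipeline until a human confirms the name is intended. Unrelated names such as `numpy` are far from every vetted name and are not reported; the check is about near-misses, not about unknown packages in general.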
No single technology can be a magic wand.
Prevasio combines several cutting-edge techniques to make sure an analysed container is free of
malware, does not expose weak passwords, has no vulnerabilities, and is bullet-proof against any
form of attack.
How It Works
A Dockerfile is a 'recipe' with instructions on how to build a new container image. Coupled with
optional run options and extra commands, it tells Prevasio how to build an image and how to
spawn a new container from it.
Building Container Image
Prevasio then creates a new dedicated virtual environment. Next, it builds a new container image
inside that environment in accordance with the instructions contained within the received
Once the image is built, a new container is spawned from that image. This takes place
inside the virtual environment, fully decoupled from any production environment.
Static & Dynamic Analysis
The running container is then rigorously analysed, scanned, and exposed to a pen-test. Multiple
invasive actions are performed in order to produce a final report with all the findings.
Static & Dynamic Analysis
- Instant identification of any security problems within containers, by using a wide range of
- Full inspection of network traffic, including HTTPS
- Identification of vulnerable packages/libraries
- Secure pen-testing of the services exposed by containers
- Machine Learning classifier of x32/x64 ELF executables
System Event Graph
- Visual representation of system events, intercepted at kernel level
- Reporting of weak/clear-text passwords, GitHub repos, and ports/services exposed to hackers