Sysdig Report Says 58% Of Container Images Run As Root

According to the Sysdig report, 58% of all container images run as root. Container images, unless specifically needed, should be run in the context of a less privileged user than the root to minimize the chances of a breach.

The report also says that organizations have only just begun addressing the need for runtime security for Kubernetes. A container runtime is software that executes containers and manages container images in a machine.

The 2021 Container Security and Usage report also listed the top 7 runtime policy violations:

1. Write below etc: Adding or altering files may be an attempt to change the application behavior.
2. Launch Privileged Container: These can interact with host system devices causing harm to the host OS.
3. Write below root: Modifying data in these directories could be an illegal attempt to install software on the container.
4. Suspicious Filesystem changes: It could be an attempt to access sensitive data.
5. Launch Sensitive Mount Container: Indicates the container may have access to data volumes containing sensitive information.
6. Suspicious Container activity: May indicate compromise within the container system.
7. Terminal shell in container: Enables the attacker to manipulate or initiate malicious activity on the system.

Recommended read: 51% of 4 million Docker images have critical vulnerabilities