# Container Security: Vulnerability Management from Build to Run

By [Keith Mokris](https://www.paloaltonetworks.com/blog/author/keith-mokris/ "Posts by Keith Mokris"), Product Marketing Manager, Container Security. Nov 07, 2019. 6 minutes. [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/), [Container Security](https://www.paloaltonetworks.com/blog/tag/container-security/)

Today's enterprises have embraced containers for their simplicity and their contribution to development velocity. While developers and DevOps teams enjoy this new-found speed in delivering software and value to customers, security teams want to ensure that container pipelines are secure and that applications are deployed with an improved risk posture.
In my work with the container security startup Twistlock, which is now part of Palo Alto Networks, I ended up speaking with a security engineer at a large industry event. He works with development and DevOps management to ensure the organization's modern web and mobile applications are built and deployed successfully. The organization was looking to better embed security throughout the application lifecycle.

## Key Steps to Secure Container Pipelines

As this security engineer and I continued talking, I learned his company had used various open source tools for short periods to perform some image scanning, but they had never used a tool to continuously scan their registry or deployed a solution to gain visibility into their runtime environments. The organization was looking to:

* Scan images to identify high-risk issues
* Use tooling that prevents vulnerabilities from reaching production in the first place
* Provide developers with trusted images
* Gain runtime visibility into their various containerized environments

This engineer made the implications clear, saying, "We're using containers in production and praying we're secure, which probably isn't a winning strategy. If I started using Twistlock, what would be the immediate benefits that my team could implement and begin to build on?"

This is a good question, and one we get a lot from developers, DevOps managers and architects. In the next few sections, I'll share how we can quickly and effectively help by providing security during the continuous integration (CI) / continuous delivery (CD) process, securing the registry and offering visibility at runtime.

## Integrating Security into the CI Process

Users integrate Twistlock's security and compliance checks throughout the CI process.
In our view, the easiest way to secure cloud native applications is to prevent vulnerable images from making their way through the software development lifecycle (SDLC) in the first place. Twistlock helps here by integrating with your current build and deploy process. For example, a user can set granular policies to pass or fail a build based on the types of vulnerabilities and compliance issues found, before images can be pushed to the registry or deployed to production.

![Container Security from Twistlock, Palo Alto Networks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/image5.png)

One of those policies might look something like this: in the build for my payment app, block any build impacted by a CVE with a high CVSS rating for which a vendor fix is available. Gating on "fix available" keeps the build from being blocked indefinitely by a CVE that cannot yet be remediated, while the finding still appears in the scan results.

Twistlock provides a standalone Jenkins plugin (shown within the Blue Ocean view in the screenshot above) as well as the ability to integrate with other CI tools such as [CircleCI](https://circleci.com/blog/integrating-container-image-scanning-into-circleci-builds-with-the-twistlock-orb/), [Azure DevOps](https://www.twistlock.com/2019/05/07/twistlock-azure-devops-extension-vulnerability-scanning-containers-functions/), [AWS CodeBuild](https://www.twistlock.com/2018/11/28/cloud-native-security-intelligence-integrating-aws-security-hub/) or [Google Cloud Container Builder](https://www.twistlock.com/2017/03/09/google-cloud-container-builder/) using twistcli, our command line scanner, so developers can see vulnerability status every time they run a build.

In the conversational example I've been using for this post, the security engineer would work with the development group to identify and fix the images with the highest-severity vulnerabilities in their environments first, then create policies that enforce the appropriate vulnerability and compliance thresholds.
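As an added example (not Twistlock or Prisma Cloud code, and not twistcli's output format), here is the kind of build gate that policy describes, written in Python against a constructed scan report. The report layout, the image name and the CVE identifiers are placeholders; a real pipeline would feed the script whatever JSON its scanner emits and fail the stage on the non-zero exit code.

```python
"""Vulnerability/compliance build gate for a container image scan report.

Added example, not Twistlock or Prisma Cloud code. The report layout below is a
constructed stand-in for whatever your scanner emits; adapt the loader in main().
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    """Thresholds for failing the build. Defaults encode the post's example:
    fail on a high-or-worse CVE (or CVSS >= 7.0) that already has a vendor fix."""
    block_at_severity: str = "high"
    block_at_cvss: float = 7.0
    require_fix_available: bool = True     # unfixable CVEs are reported, not blocking
    block_compliance_at: str = "high"


def _rank(severity: str | None) -> int:
    return SEVERITY_RANK.get((severity or "").lower(), 0)


def blocking_vulnerabilities(vulns: list[dict], policy: Policy) -> list[dict]:
    """Return the CVE findings that violate the policy."""
    out = []
    for v in vulns:
        severe = (_rank(v.get("severity")) >= _rank(policy.block_at_severity)
                  or float(v.get("cvss", 0.0)) >= policy.block_at_cvss)
        if not severe:
            continue
        if policy.require_fix_available and not v.get("fix_version"):
            continue  # no vendor fix yet: surface it, but do not break the build
        out.append(v)
    return out


def blocking_compliance(checks: list[dict], policy: Policy) -> list[dict]:
    """Return compliance findings at or above the compliance threshold."""
    return [c for c in checks if _rank(c.get("severity")) >= _rank(policy.block_compliance_at)]


def gate(report: dict, policy: Policy) -> tuple[bool, list[str]]:
    """Evaluate one scan report. Returns (passed, ids of the blocking findings)."""
    blocking = [v["cve"] for v in blocking_vulnerabilities(report.get("vulnerabilities", []), policy)]
    blocking += [c["id"] for c in blocking_compliance(report.get("compliance", []), policy)]
    return (not blocking, blocking)


# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {
    "image": "registry.example.internal/payments/api:1.4.2",
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "package": "openssl", "severity": "critical", "cvss": 9.8, "fix_version": "1.1.1k-1"},
        {"cve": "CVE-0000-0002", "package": "glibc", "severity": "high", "cvss": 7.5, "fix_version": ""},
        {"cve": "CVE-0000-0003", "package": "curl", "severity": "medium", "cvss": 5.3, "fix_version": "7.68.0-2"},
    ],
    "compliance": [
        {"id": "IMG-001", "title": "Image runs as root", "severity": "high"},
        {"id": "IMG-007", "title": "No HEALTHCHECK instruction", "severity": "low"},
    ],
}


def main(argv: list[str]) -> int:
    # Read the scanner's JSON from argv[1] if given, otherwise use the constructed sample.
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking = gate(report, Policy())
    for fid in blocking:
        print(f"BLOCK {report['image']}: {fid}")
    print("build", "PASSED" if passed else "FAILED")
    return 0 if passed else 1   # non-zero exit fails the CI stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the defaults, the sample build fails on the fixable critical CVE and the root-user compliance finding, while the high CVE with no fix is reported but does not block; flipping `require_fix_available` makes it block too, which is the stricter policy some teams prefer for payment-handling images.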
## Gaining Control with Trusted Images

As organizations get more familiar with their images and environment, they typically use our Trusted Images feature to control developer access to a specific registry, or even to specific images or layers. Trusted Images ensures that developers use verified or approved sources for their images, and it provides a straightforward way to implement the CIS best practices for container security.

![Container Security from Twistlock, Palo Alto Networks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/image4.png)

## Visibility into Your Registry

First and foremost, Twistlock provides the ability to scan and continuously monitor your registry for vulnerabilities. This vulnerability management capability solves a key problem for the engineer I was chatting with at the event. I didn't ask what type of registry the company was using, but Twistlock works with any of them: it integrates with any registry in use today, continually scans those images for vulnerabilities and provides detailed findings with risk prioritization.

![Container Security from Twistlock, Palo Alto Networks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/image3.png)

The screenshot above is of a demo environment in which I am scanning public images on Docker Hub. Twistlock continuously monitors these images to report vulnerability and compliance status, with the ability to drill into a [layer-by-layer view of the issues in each image](https://www.twistlock.com/2018/01/15/twistlock-per-layer-vulnerability-analysis-2-3-deep-dive/).
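What a trusted-image rule actually enforces can be shown without any product. The Python below is an added example, not Twistlock code: it parses an image reference the way Docker does (defaulting the registry to docker.io and bare names to library/), then checks it against an allow-list of registries and repository namespaces and requires a digest pin. The approved registries and namespaces in `DEMO_POLICY` are assumptions for illustration.

```python
"""Trusted-image check: approve only images from allow-listed registries and
repositories, pinned by digest.

Added example, not Twistlock or Prisma Cloud code. The allow-list contents
below are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a Docker/OCI reference into parts, applying Docker's defaults:
    no registry host -> docker.io, and a bare name on docker.io -> library/<name>."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    # Docker treats the first path component as a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    name, colon, maybe_tag = path.rpartition(":")
    if colon and "/" not in maybe_tag:      # a ':' after the last '/' separates the tag
        path, tag = name, maybe_tag
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


@dataclass(frozen=True)
class TrustPolicy:
    allowed_registries: frozenset[str]
    # registry -> repository prefixes allowed there; a registry absent here is unrestricted
    repo_prefixes: dict[str, tuple[str, ...]] = field(default_factory=dict)
    require_digest: bool = True
    forbidden_tags: frozenset[str] = frozenset({"latest"})


def check_image(ref: str, policy: TrustPolicy) -> list[str]:
    """Return the policy violations for one image reference (empty list = trusted)."""
    img = parse_image_ref(ref)
    problems: list[str] = []
    if img.registry not in policy.allowed_registries:
        problems.append(f"registry {img.registry!r} is not an approved source")
    prefixes = policy.repo_prefixes.get(img.registry)
    if prefixes is not None and not any(
        img.repository == p.rstrip("/") or img.repository.startswith(p.rstrip("/") + "/")
        for p in prefixes
    ):
        problems.append(f"repository {img.repository!r} is outside the approved namespaces")
    if img.digest is None:
        if policy.require_digest:
            problems.append("image is not pinned by digest; tags are mutable")
    elif not DIGEST_RE.match(img.digest):
        problems.append(f"malformed digest {img.digest!r}")
    # With neither tag nor digest, Docker silently pulls :latest.
    effective_tag = img.tag if img.tag is not None else ("latest" if img.digest is None else None)
    if effective_tag in policy.forbidden_tags:
        problems.append(f"tag {effective_tag!r} is forbidden")
    return problems


def is_trusted(ref: str, policy: TrustPolicy) -> bool:
    return not check_image(ref, policy)


# Assumed policy for the demo: an internal registry, plus official Docker Hub images only.
DEMO_POLICY = TrustPolicy(
    allowed_registries=frozenset({"registry.example.internal", "docker.io"}),
    repo_prefixes={"docker.io": ("library/",)},
)

if __name__ == "__main__":
    for ref in ("registry.example.internal/payments/api@sha256:" + "a" * 64,
                "nginx", "someuser/app:1.2", "evil.example.com/tools/sh:latest"):
        print(ref, "->", check_image(ref, DEMO_POLICY) or "trusted")
```

The same function is what an admission controller or a pre-deploy CI step would call on every image reference in a manifest; the digest requirement matters because a tag can be repointed at a different (and differently scanned) image after the registry scan that approved it.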
## Runtime Makes Prioritization Better

While most of this post has focused on vulnerability management during the build and in the registry, I want to touch on one of our key differentiators when it comes to [runtime](https://www.twistlock.com/platform/runtime-defense/): managing risk in running containers and helping teams prioritize remediation in their environments. Twistlock scans all of the images in the registry, scans images during the build and deploy process, and also continuously monitors for vulnerability changes in your running containers.

Twistlock generates a risk score for each vulnerability found in a container that is actually running in your environment, taking into account not only metrics like CVSS but also a host of other factors. For example:

* Is this container connected to the internet?
* Does it have open listening ports?
* Does it have a security profile attached?

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/image1.png)

These factors allow Twistlock to stack-rank your vulnerabilities specifically for your environment and show you where you are most likely to be exploited. The practical consequence is that a medium-severity CVE in an internet-facing container without a runtime profile can rank above a critical CVE in an isolated batch job, which directs remediation effort to the most exposed assets first. At the same time, a user can search for any new CVE or security issue in the running environment to know exactly which containers are affected.

![Twistlock Vulnerability Explorer - Container Security from Twistlock, Palo Alto Networks](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/11/image2.png)

In the example above, I've shared a screenshot from Twistlock Vulnerability Explorer showing the top 10 critical vulnerabilities in my environment. In the first row, I've expanded the Risk Tree, which shows the exact image, container name and the name of the host where it is running.
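To make environment-specific stack ranking concrete, here is an added Python example. It is not Twistlock's scoring formula (the post does not publish one) and not its code; it weights each CVE's CVSS base score by the exposure of the container it is running in, using the three factors listed above plus privilege, and then answers the Risk Tree question of which container, image and host a given CVE is running on. The inventory, the weights and the CVE identifiers are constructed for the example.

```python
"""Contextual ranking of CVEs across running containers.

Added example. Not Twistlock/Prisma Cloud code and not its scoring formula;
one illustrative way to weight a CVE's CVSS base score by the exposure of the
container it runs in, then answer "where is CVE X running?". The inventory,
weights and CVE ids below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Container:
    name: str
    image: str
    host: str
    cves: tuple[tuple[str, float], ...]     # (cve_id, cvss_base_score)
    internet_exposed: bool = False
    listening_ports: tuple[int, ...] = ()
    runtime_profile: bool = True            # a runtime security profile is attached
    privileged: bool = False


def exposure_multiplier(c: Container) -> float:
    """Illustrative weights: reachability raises the score, a runtime profile lowers it."""
    m = 1.0
    if c.internet_exposed:
        m *= 1.5
    if c.listening_ports:
        m *= 1.0 + 0.1 * min(len(c.listening_ports), 5)
    if c.privileged:
        m *= 1.4
    if not c.runtime_profile:
        m *= 1.25
    return m


def contextual_score(cvss: float, c: Container) -> float:
    """Environment-specific risk score for one CVE in one container (deliberately not capped at 10)."""
    return cvss * exposure_multiplier(c)


@dataclass(frozen=True)
class RankedFinding:
    score: float
    cve: str
    cvss: float
    container: str
    image: str
    host: str


def rank_findings(inventory: list[Container]) -> list[RankedFinding]:
    """Stack-rank every (CVE, container) pair, highest contextual score first."""
    rows = [RankedFinding(contextual_score(cvss, c), cve, cvss, c.name, c.image, c.host)
            for c in inventory for cve, cvss in c.cves]
    return sorted(rows, key=lambda r: (-r.score, -r.cvss, r.cve, r.container))


def where_is(cve: str, inventory: list[Container]) -> list[tuple[str, str, str]]:
    """Risk-tree style lookup: (container, image, host) everywhere the CVE is running."""
    return sorted((c.name, c.image, c.host) for c in inventory
                  if any(cid == cve for cid, _ in c.cves))


# Constructed inventory; CVE ids are placeholders, not real advisories.
INVENTORY = [
    Container("payments-api-7d9f", "payments/api:1.4.2", "node-a",
              cves=(("CVE-0000-0001", 9.8), ("CVE-0000-0003", 5.3)),
              internet_exposed=True, listening_ports=(443,), runtime_profile=False),
    Container("batch-worker-1", "batch/worker:0.9", "node-b",
              cves=(("CVE-0000-0001", 9.8),)),
    Container("ops-shell", "tools/shell:2", "node-c",
              cves=(("CVE-0000-0002", 7.5),), privileged=True, runtime_profile=False),
]

if __name__ == "__main__":
    for r in rank_findings(INVENTORY):
        print(f"{r.score:6.2f}  {r.cve}  cvss={r.cvss}  {r.container} ({r.image}) on {r.host}")
    print("CVE-0000-0001 is running in:", where_is("CVE-0000-0001", INVENTORY))
```

In the constructed inventory the same critical CVE appears twice: in the exposed, unprofiled payments API it ranks first, while in the isolated batch worker it drops below the medium-severity curl CVE from the payments container. That inversion, rather than the exact weights, is what contextual ranking buys you; the lookup function is the flat list behind a Risk Tree entry.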
The risk score includes contextual data about the specific risk to that container alongside risk factors that allow teams to better assess the impact of a particular vulnerability in a specific deployment.

## Conclusion

Prisma Cloud and Twistlock provide distinct advantages for enterprises looking to analyze their images for vulnerabilities and compliance issues, integrate security into their current build and deploy process, and remediate risk in their running environments. While I touched on our features for vulnerability management and compliance as part of this example, there are many other immediate advantages of deploying Prisma Cloud and Twistlock. To learn more about Twistlock, [check out our latest demo recording](https://www.paloaltonetworks.com/resources/videos-customers/twistlock-demo-video).