What’s new in Calico Cloud: General availability of new container security features

The official release of Tigera’s new container security features is here! With this official launch, Calico Cloud leads the industry as a complete solution that secures every stage of a cloud-native application CI/CD pipeline. From a new and improved approach to scanning container images for vulnerabilities to strengthening runtime security with improved performance, we’ve significantly improved and enhanced our Image Assurance and Runtime Threat Defense features for this exciting new phase of our Calico Cloud offering. Let’s take a look at the new container security features of this release.

Vulnerability management through Image Assurance

Scanning container images for vulnerabilities is a critical first step in stopping malicious software from being deployed. As business demands grow, development teams are pushed to churn out updates and new features faster. As a result, DevOps teams require assistance to help them quickly identify vulnerabilities in the registries where the container images are pulled from. Calico Cloud is now offering a CLI-based scanner for on-demand scanning, where customers can locally scan for vulnerabilities in their build stage. A lightweight downloadable binary is all it takes to perform these scans and integrate the process into a CI/CD pipeline.

The Calico CLI-based Image Scanner helps you to scan images locally and push the results to the Calico Cloud dashboard. It also allows you to do an offline scan to keep the results locally. You can scan images from any registry and filter, export, and share the results of the scan with different teams to assess these vulnerabilities.

Fig 1: CLI-based Calico Image Scanner

It is imperative to scan not just images, but also the pods and containers that are running to assess the risk of any vulnerability and prioritize mitigation efforts for existing deployments. Calico provides a runtime view that lists images running in the cluster. Scan results are correlated with Kubernetes workloads so users can assess the risk of existing and newly-discovered vulnerabilities on the running applications and set the right plan to mitigate the risks as quickly as possible.

Fig 2: Image scan results with runtime view of workloads

In addition to on-demand and runtime vulnerability scanning, Calico’s admission control policy provides a powerful mechanism to stop any deployment that uses a vulnerable image. Using the latest vulnerability data and scan results, the admission control policy automatically blocks resources that would create containers with vulnerable images from entering your cluster.

Fig 3: Admission policy to allow/block image deployment

Runtime threat defense with malware protection

Imagine you are driving your car, enjoying the views, and all of a sudden, you hear a beep—you look down, and a symbol appears on your dashboard telling you something is wrong with your car. The dashboard of your car is just like runtime threat defense in Kubernetes.

The power of the runtime threat defense comes from its ability to collect data from different data points and then analyze, alert, and mitigate any anomalous behavior in the environment. That’s why Calico leverages all the possible technologies like machine learning and eBPF to collect and analyze workload data points, including cluster logs, syscalls, network traffic, file system, processes, and binaries.

Runtime security: Malware detection

Calico Cloud malware detection uses eBPF probes to monitor container activity and detect the presence of any malware running in your cloud-native environment.

As part of its threat intelligence library, Calico Cloud maintains a database of malware file hashes. This database consists of SHA256, SHA1, and MD5 hashes of executable file contents that are known to be malicious. Whenever a program is launched in a Calico Cloud cluster and if the program’s hash matches one that is known to be malicious, malware detection will generate an alert in the Alerts dashboard.

Fig 4: Alert for a ransomware

Check out the Calico malware detection guide to learn more.

Runtime security: Anomaly detection

Calico’s anomaly detection is a set of machine learning algorithms that allows you to proactively determine whether there is an issue, and potentially resolve problems before service levels are compromised.

Anomaly detection uses Calico Cloud Elasticsearch logs (flows logs, L7 logs, and DNS logs) to learn the behavior of cluster nodes, pods, services, and other entities that send log records (applications, load balancers, databases, etc.). Anomaly detection will then create a baseline behavior of the workload to monitor and alert any changes to this baseline that could be Indicators of Compromise (IoC).

Calico detects anomalies and classifies them into two categories: security anomalies and performance anomalies.

Here are some examples of security anomalies:

  • Domain Generation Algorithms (DGA)
  • Port scan
  • IP sweep
  • HTTP response codes
  • HTTP request verbs
  • HTTP connection  spike
  • Inbound service bytes
  • Outbound service bytes

And below are some examples of performance anomalies. These anomalies may be the result of malicious activity or the result of increased activity of legitimate applications:

  • DNS latency
  • L7 latency
  • L7 bytes
  • Process restarts
  • Process bytes

Each Anomaly Detector can be enabled and disabled individually in Calico UI:

Fig 5: Anomaly detection using Calico Cloud

You can monitor anomaly alerts on the Alerts page and/or Service Graph:

Fig 6: Alerts for anomaly detection using Calico Cloud

Check out the Calico security anomalies guide to learn more.

Risk mitigation

For runtime security, we talked about malware detection and anomaly detection. However, Calico provides even more capabilities during the runtime stage, including workload-based web application firewall (WAF), Deep Packet Inspection (DPI) based on snort signature, honypods, and more.

All of these techniques can produce context-based alerts so that DevOps and security teams can effectively use segmentation policies to isolate vulnerable workloads.

To apply zero-trust policies and reduce your attack surface and risks, we recommend the following:

  •  Ensure that all expected and allowed network flows are explicitly allowed; any connection not explicitly allowed is denied.
  • Create a quarantine policy that denies all traffic that can be quickly applied to workloads when you detect suspicious activity or threats.
Fig 7: Automated mitigation policies using Calico Cloud


Cloud-native applications come with challenges on both the security and operation levels. This is why it is paramount to manage and secure your environment effectively with the minimum amount of tools required. This is where Calico Cloud shines, as it is the industry’s only active Cloud-Native Application Protection Platform (CNAPP) for all stages of the application development lifecycle with context-based alerts to help you fix and troubleshoot issues faster.

Want to test drive Calico Cloud yourself? Try a free trial, or read our learn guide on container security best practices.

Join our mailing list

Get updates on blog posts, workshops, certification programs, new releases, and more!