Build, registry, and runtime coverage
One scanner across the container lifecycle. Programs that scan at one stage and miss the other two leave vulnerabilities to surface in production unscanned.
Checkmarx Container Security scans images at build, registry, and runtime, detects secrets baked into layers, validates against CIS Docker and Kubernetes benchmarks, and runs layer-aware vulnerability tracking inside the same Checkmarx One backlog as SAST and SCA.
Container security gets wired into the build-to-runtime path through a Merito engagement that configures CIS benchmark policies, deploys runtime agents, and routes findings through Triage and Remediation so AppSec stops running containers as a standalone silo.
What it is
Checkmarx Container Security is the container scanner inside the Checkmarx One Cloud pillar. It covers the three lifecycle stages where container risk emerges. The build stage scans Dockerfiles and image-build pipelines. The registry stage scans images at rest in Docker Hub, ECR, GCR, ACR, Harbor, and Artifactory. The runtime stage scans running pods in Kubernetes clusters. Most container security programs scan at one stage and miss the other two, while Checkmarx covers the chain so vulnerabilities introduced at build do not survive into production unscanned.
Layer-aware vulnerability tracking is the load-bearing capability. Container images are layered file systems, and a CVE in a base image affects every image built on top of that base. Checkmarx tracks vulnerabilities per layer, so when a base-image CVE gets fixed upstream, every dependent image gets re-evaluated automatically. Programs running flat image scans get one finding per image. Programs running layer-aware scans get one finding per logical issue with full image-fleet exposure visible.
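Added example (not Checkmarx code) of what layer-aware tracking buys over a flat image scan: images are ordered lists of layer digests, findings are keyed on the layer rather than the image, and a base-layer rebuild clears the finding for every dependent at once. Image names, digests and CVE ids are constructed placeholders.

```python
"""Layer-aware vs flat vulnerability tracking over a small constructed fleet."""
from collections import defaultdict

# Constructed fleet: each image is its ordered layer digests, base layers first
# (in an OCI manifest these are the sha256 digests of the layer tarballs).
FLEET = {
    "api:1.4":    ["sha256:base-os", "sha256:openssl-1.1", "sha256:api-app"],
    "worker:2.0": ["sha256:base-os", "sha256:openssl-1.1", "sha256:worker-app"],
    "batch:0.9":  ["sha256:base-os", "sha256:openssl-3.0", "sha256:batch-app"],
}

# Constructed per-layer scan results: digest -> CVE ids found in that layer.
LAYER_VULNS = {
    "sha256:base-os":     {"CVE-PLACEHOLDER-0001"},
    "sha256:openssl-1.1": {"CVE-PLACEHOLDER-0002"},
    "sha256:api-app":     {"CVE-PLACEHOLDER-0003"},
}


def flat_findings(fleet, layer_vulns):
    """Flat scan: one finding per (image, CVE); a shared base is re-reported per image."""
    out = []
    for image, layers in fleet.items():
        for digest in layers:
            for cve in layer_vulns.get(digest, ()):
                out.append((image, cve))
    return sorted(out)


def layer_aware_findings(fleet, layer_vulns):
    """Layer-aware: one finding per (layer, CVE), carrying the set of exposed images."""
    exposure = defaultdict(set)
    for image, layers in fleet.items():
        for digest in layers:
            for cve in layer_vulns.get(digest, ()):
                exposure[(digest, cve)].add(image)
    return {key: sorted(images) for key, images in exposure.items()}


def apply_base_fix(fleet, old_digest, new_digest):
    """Rebuild every image on the patched layer; dependents are re-evaluated from it."""
    return {img: [new_digest if d == old_digest else d for d in layers]
            for img, layers in fleet.items()}
```

With the constructed data the flat scan reports six findings and the layer-aware scan three, and swapping the base layer for a patched digest drops the base CVE from all three images in one step.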
Secrets-in-images detection catches one of the most common container security incidents: AWS access keys, GitHub tokens, database passwords, and TLS private keys baked into image layers because someone copied a config file into the build context. Checkmarx scans every layer for known secret patterns and flags them before the image reaches the registry. CIS benchmark validation rounds out the build-time picture, validating that Dockerfile patterns and Kubernetes manifests follow the CIS-prescribed practices for hardened containers.
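Added example (not Checkmarx code) of why "every layer" matters: a credential copied into the build context in one layer and deleted in a later one is absent from the merged filesystem a container sees, but still sits in the earlier layer tarball. Layers are modelled as dicts of path to bytes with OCI `.wh.` whiteouts for deletions; the patterns and the key-shaped value are constructed.

```python
"""Per-layer secret scanning vs scanning the merged filesystem (added example,
not Checkmarx code). A layer is a dict of path -> bytes; a basename starting
with ".wh." is an OCI whiteout marking that file deleted in that layer."""
import re

# Detection patterns: a constructed subset, a real scanner carries many more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed image: layer 0 copies a config carrying an AWS key id (made-up
# value shaped like one, not a real credential); layer 1 deletes it again.
LAYERS = [
    {"/app/config.env": b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\nREGION=eu-west-1\n"},
    {"/app/.wh.config.env": b"", "/app/main.py": b"print('hello')\n"},
]


def whiteout_target(path):
    """Return the path a whiteout entry deletes, or None for a normal file."""
    directory, _, name = path.rpartition("/")
    return f"{directory}/{name[4:]}" if name.startswith(".wh.") else None


def merged_view(layers):
    """Apply layers in order to get the filesystem a running container sees."""
    fs = {}
    for layer in layers:
        for path, content in layer.items():
            target = whiteout_target(path)
            if target is not None:
                fs.pop(target, None)
            else:
                fs[path] = content
    return fs


def scan_files(files):
    """Return sorted (path, pattern_name) hits over a dict of path -> bytes."""
    return sorted((path, name) for path, content in files.items()
                  for name, pat in SECRET_PATTERNS.items() if pat.search(content))


def scan_per_layer(layers):
    """Scan each layer on its own; a secret deleted in a later layer is still found."""
    return sorted((i, path, name) for i, layer in enumerate(layers)
                  for path, name in scan_files(layer))
```

Scanning `merged_view(LAYERS)` returns nothing, while `scan_per_layer(LAYERS)` reports the key in layer 0; anyone who can pull the image can read that layer.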
What stalls Container Security adoption is treating containers as separate from the rest of AppSec. Container vulnerabilities cross-link with SCA findings on the OSS dependencies inside the image, with SAST findings on the application code that runs inside the container, with IaC Security on the Kubernetes manifest deploying the container, and with Triage and Remediation clustering across the chain. Programs running container security through Wiz or Aqua while running AppSec through Checkmarx end up with two backlogs, two policies, and a gap. Merito's engagement integrates container security into the broader Checkmarx One footprint from day one.
Ideal use cases
What it is best at
Tracks vulnerabilities per image layer. Base-image fixes propagate automatically to every dependent image. Flat-image scanners cannot do this.
Scans every image layer for AWS keys, GitHub tokens, database passwords, and TLS private keys baked in by accident. Catches one of the most common container security incidents.
Validates Dockerfile patterns and Kubernetes manifests against CIS-prescribed practices for hardened containers. Audit-ready for regulated programs.
Container findings cross-link to SCA on the OSS inside the image, SAST on application code, and IaC Security on the deploying manifest. AppSec runs one backlog, not four.
Core capabilities
Build, registry, and runtime coverage in one scanner.
Build-time scanning
Dockerfile and image-build pipeline scanning. CI integration so PR-time gates can block on findings.
Registry scanning
Images at rest in Docker Hub, ECR, GCR, ACR, Harbor, and Artifactory. Continuous re-evaluation as new CVEs surface.
Runtime scanning
Running pods in Kubernetes clusters. Detects drift between the scanned image and what is actually deployed.
Layer-aware tracking
Vulnerabilities tracked per image layer. Base-image fixes propagate to every dependent image automatically.
Beyond CVE counting, into hardened-container governance.
Secrets-in-images detection
Scans every image layer for AWS keys, GitHub tokens, database passwords, TLS keys, and other secret patterns baked into images.
CIS Docker benchmark validation
Dockerfile and image patterns validated against CIS-prescribed hardening practices.
CIS Kubernetes benchmark validation
Kubernetes manifests validated against CIS-prescribed pod-security and cluster-hardening practices.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, SOC 2, ISO 27001, and FedRAMP attestations on containerized workloads.
Container findings flowing into the broader AppSec backlog.
Cross-product correlation
Container findings cross-link to SCA on the OSS inside the image, SAST on application code, and IaC Security on the deploying manifest.
Triage and Remediation clustering
Container findings cluster with related SCA, SAST, and IaC findings on root cause for single-fix remediation.
CI/CD and registry integration
PR-time and registry-push gates inside the customer's CI fabric and registry policy.
Licensing and packaging
Checkmarx One Essentials
Container Security plus baseline SAST and SCA in a single bundle.
Best for: Programs starting consolidation onto Checkmarx One.
Checkmarx One Advanced
Adds DAST, API Security, IaC Security, Malicious Package Protection, and Repository Health.
Best for: Mature AppSec programs running container alongside multiple scan types.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running container security inside a fully consolidated AppSec platform.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, registry integration, build-time scanning, runtime agent deployment, CIS benchmark policy.
Container security scoping for Checkmarx Container Security alongside Wiz, Aqua Security, and Prisma Cloud.
Container scanning integrated into build, registry, and runtime governance.
Platform engineering enablement around hardened-container discipline.
Named engineer, priority SLAs, and release-time coverage for Container Security.
Long-term run support including registry-integration maintenance, runtime-agent operation, and CIS policy evolution.
Role-based training for platform engineers, DevSecOps owners, and AppSec architects.
Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Checkmarx Container Security licensing
Pricing arrives with registry integration, build-time scanning, runtime agent deployment, and CIS benchmark policy that turn Checkmarx Container Security into a working container security program.
Merito point of view
Merito has audited container programs that ran clean image scans at build and let production drift unsupervised, and other programs that ran rigorous runtime scanning while build-time gates passed images with secrets baked into layers. Both shapes are common; both are wrong. Container risk emerges at every lifecycle stage, so coverage has to span build, registry, and runtime. Checkmarx Container Security covers all three; programs that pick a build-only or runtime-only product get a partial answer.
Merito recommends Checkmarx Container Security specifically when AppSec is consolidating onto Checkmarx One and cross-product correlation with SCA, SAST, and IaC Security matters. For programs picking cloud security as the lead workload (CNAPP-shaped), Wiz or Prisma Cloud is sometimes the better anchor with Checkmarx as the AppSec-side companion. Two-anchor patterns are common in mature programs and Merito designs them honestly.
Layer-aware tracking and secrets detection are the two capabilities that separate Container Security from a generic image scanner. Programs running flat image scans get redundant findings on shared bases; programs without secrets-in-images detection ship credentials into production layers regularly. Both capabilities should be on by default during the rollout.
Consultation request
Share your container registry landscape, Kubernetes footprint, and current container security tool. A Merito Checkmarx specialist follows up within one business day.
Build, registry, runtime
Coverage at every stage where container risk emerges. Layer-aware tracking and secrets-in-images detection on by default.
Cross-product correlation
Container findings cross-link to SCA, SAST, and IaC Security inside Checkmarx One.
Next step
A Merito Container Security engagement covers the full container lifecycle. Programs that scan only at build let production drift go unsupervised; programs that scan only at runtime ship secrets in image layers.