Container Detection

Protection Module: ContainerDetection

Detects if the application is running inside a container or orchestration environment.

Available for:

Server Applications
Desktop Applications
Cloud Services

How It Works

Container Detection identifies containerized environments through system artifacts and environment characteristics.

Detection Methods:

Cgroup Analysis - Examines /proc/self/cgroup for container indicators
Environment Variables - Detects container-specific variables
Filesystem Markers - Identifies .dockerenv, container overlays
Init Process Detection - Checks if PID 1 is a container runtime
Namespace Analysis - Detects Linux namespaces isolation
Orchestrator Metadata - Identifies Kubernetes, Docker Swarm

Detected Environments:

Docker
Kubernetes (K8s)
Docker Compose
Docker Swarm
LXC/LXD
Podman
containerd
CRI-O

Configuration

JSON

{
  "protections": {
    "ContainerDetection": {
      "enabled": true,
      "action": "log",
      "intervalMs": 120000
    }
  }
}

{
  "protections": {
    "ContainerDetection": {
      "enabled": true,
      "action": "log",
      "intervalMs": 120000
    }
  }
}

Code-Based Configuration

await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.ContainerDetection, ActionType.Log);
});

await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.ContainerDetection, ActionType.Log);
});

Available Actions

Action	Behavior	Recommended For
Log	Record container environment	Analytics, monitoring
Custom	Execute container-specific logic	Configuration adjustment
None	Detect only (for telemetry)	Cloud deployments

Container Environments

Most modern cloud deployments use containers. Use log or custom actions for analytics rather than blocking execution.

When to Use

Recommended for:

License Enforcement - Different pricing for containerized deployments
Configuration Adjustment - Optimize settings for container environments
Analytics - Track deployment methods
Security Monitoring - Detect unexpected containerization
Feature Enablement - Enable/disable features based on environment

Not for blocking unless:

License terms prohibit containerized deployments
Application incompatible with containers
Security policy requires bare-metal only

Code Examples

License-Based Detection

config.RegisterCustomAction("container-license-check", async (threat) =>
{
    var containerType = threat.Metadata["containerType"]?.ToString();
    var orchestrator = threat.Metadata["orchestrator"]?.ToString();

    await LogDeploymentInfoAsync(new
    {
        ContainerType = containerType,
        Orchestrator = orchestrator,
        Timestamp = DateTime.UtcNow
    });

    // Check if license allows containerized deployment
    var license = await GetLicenseAsync();

    if (!license.AllowsContainers && containerType != null)
    {
        await ShowMessageAsync(
            "License Restriction",
            "Your license does not permit containerized deployments. " +
            "Please upgrade to an Enterprise license for Docker/Kubernetes support."
        );
        Environment.Exit(-1);
    }
});

config.RegisterCustomAction("container-license-check", async (threat) =>
{
    var containerType = threat.Metadata["containerType"]?.ToString();
    var orchestrator = threat.Metadata["orchestrator"]?.ToString();

    await LogDeploymentInfoAsync(new
    {
        ContainerType = containerType,
        Orchestrator = orchestrator,
        Timestamp = DateTime.UtcNow
    });

    // Check if license allows containerized deployment
    var license = await GetLicenseAsync();

    if (!license.AllowsContainers && containerType != null)
    {
        await ShowMessageAsync(
            "License Restriction",
            "Your license does not permit containerized deployments. " +
            "Please upgrade to an Enterprise license for Docker/Kubernetes support."
        );
        Environment.Exit(-1);
    }
});

Configuration Optimization

config.RegisterCustomAction("container-optimization", async (threat) =>
{
    var isContainer = threat.Metadata["isContainer"] as bool? ?? false;
    var containerType = threat.Metadata["containerType"]?.ToString();

    if (isContainer)
    {
        // Optimize for container environment
        AppConfig.EnableStatelessMode = true;
        AppConfig.UseDistributedCache = true;
        AppConfig.LogToStdout = true;

        await LogInfoAsync($"Detected {containerType} - enabling container optimizations");

        // Adjust resource limits
        if (containerType == "Kubernetes")
        {
            AppConfig.MaxWorkerThreads = Environment.ProcessorCount * 2;
            AppConfig.EnableHealthChecks = true;
        }
    }
});

config.RegisterCustomAction("container-optimization", async (threat) =>
{
    var isContainer = threat.Metadata["isContainer"] as bool? ?? false;
    var containerType = threat.Metadata["containerType"]?.ToString();

    if (isContainer)
    {
        // Optimize for container environment
        AppConfig.EnableStatelessMode = true;
        AppConfig.UseDistributedCache = true;
        AppConfig.LogToStdout = true;

        await LogInfoAsync($"Detected {containerType} - enabling container optimizations");

        // Adjust resource limits
        if (containerType == "Kubernetes")
        {
            AppConfig.MaxWorkerThreads = Environment.ProcessorCount * 2;
            AppConfig.EnableHealthChecks = true;
        }
    }
});

Analytics and Monitoring

config.RegisterCustomAction("container-analytics", async (threat) =>
{
    var metadata = threat.Metadata;

    await TelemetryClient.TrackEventAsync("ContainerDetected", new
    {
        ContainerType = metadata["containerType"],
        Orchestrator = metadata["orchestrator"],
        ContainerRuntime = metadata["runtime"],
        NamespaceId = metadata["namespaceId"],
        KubernetesPodName = metadata["kubernetesPodName"],
        KubernetesNamespace = metadata["kubernetesNamespace"]
    });
});

config.RegisterCustomAction("container-analytics", async (threat) =>
{
    var metadata = threat.Metadata;

    await TelemetryClient.TrackEventAsync("ContainerDetected", new
    {
        ContainerType = metadata["containerType"],
        Orchestrator = metadata["orchestrator"],
        ContainerRuntime = metadata["runtime"],
        NamespaceId = metadata["namespaceId"],
        KubernetesPodName = metadata["kubernetesPodName"],
        KubernetesNamespace = metadata["kubernetesNamespace"]
    });
});

Detection Metadata

JSON

{
  "isContainer": true,
  "containerType": "Docker",
  "orchestrator": "Kubernetes",
  "runtime": "containerd",
  "cgroupPath": "/kubepods/besteffort/pod123/container456",
  "namespaceId": "4026532456",
  "kubernetesPodName": "myapp-7d8f9c6b5-xk9m2",
  "kubernetesNamespace": "production",
  "kubernetesServiceAccount": "myapp-sa"
}

{
  "isContainer": true,
  "containerType": "Docker",
  "orchestrator": "Kubernetes",
  "runtime": "containerd",
  "cgroupPath": "/kubepods/besteffort/pod123/container456",
  "namespaceId": "4026532456",
  "kubernetesPodName": "myapp-7d8f9c6b5-xk9m2",
  "kubernetesNamespace": "production",
  "kubernetesServiceAccount": "myapp-sa"
}

Platform Compatibility

Platform	Support	Detection Methods
Linux	✔	cgroup, /proc analysis, env vars
Windows	✔	Process isolation, HCS detection
macOS	⚠️	Limited (Docker Desktop detection)
Docker	✔	Full support
Kubernetes	✔	Pod metadata, service account
LXC/LXD	✔	Container-specific markers

Environment-Specific Features

Kubernetes Detection

if (threat.Metadata["orchestrator"]?.ToString() == "Kubernetes")
{
    var podName = threat.Metadata["kubernetesPodName"]?.ToString();
    var namespace = threat.Metadata["kubernetesNamespace"]?.ToString();

    // Enable Kubernetes-specific features
    AppConfig.EnableK8sHealthProbes = true;
    AppConfig.EnableK8sServiceDiscovery = true;

    await LogInfoAsync($"Running in Kubernetes: {namespace}/{podName}");
}

if (threat.Metadata["orchestrator"]?.ToString() == "Kubernetes")
{
    var podName = threat.Metadata["kubernetesPodName"]?.ToString();
    var namespace = threat.Metadata["kubernetesNamespace"]?.ToString();

    // Enable Kubernetes-specific features
    AppConfig.EnableK8sHealthProbes = true;
    AppConfig.EnableK8sServiceDiscovery = true;

    await LogInfoAsync($"Running in Kubernetes: {namespace}/{podName}");
}

Docker Compose Detection

if (Environment.GetEnvironmentVariable("COMPOSE_PROJECT_NAME") != null)
{
    var projectName = Environment.GetEnvironmentVariable("COMPOSE_PROJECT_NAME");
    await LogInfoAsync($"Running in Docker Compose project: {projectName}");
}

if (Environment.GetEnvironmentVariable("COMPOSE_PROJECT_NAME") != null)
{
    var projectName = Environment.GetEnvironmentVariable("COMPOSE_PROJECT_NAME");
    await LogInfoAsync($"Running in Docker Compose project: {projectName}");
}

Best Practices

Use for Telemetry, Not Blocking

// Most apps should just log container info
action: ActionType.Log

// Most apps should just log container info
action: ActionType.Log

Optimize Configuration for Containers

if (isContainer)
{
    // Enable stateless mode for horizontal scaling
    AppConfig.EnableStatelessMode = true;
}

if (isContainer)
{
    // Enable stateless mode for horizontal scaling
    AppConfig.EnableStatelessMode = true;
}

License Tier Differentiation

// Charge different pricing for container deployments
if (isKubernetes && !license.IsEnterprise)
{
    await ShowUpgradePromptAsync();
}

// Charge different pricing for container deployments
if (isKubernetes && !license.IsEnterprise)
{
    await ShowUpgradePromptAsync();
}

Feature Gating

// Enable advanced features for containerized deployments
if (isContainer)
{
    Features.Enable("distributed-tracing");
    Features.Enable("auto-scaling-hints");
}

// Enable advanced features for containerized deployments
if (isContainer)
{
    Features.Enable("distributed-tracing");
    Features.Enable("auto-scaling-hints");
}

Threat Detection Details

JSON

{
  "threatId": "CNT-2025-12-28-1234",
  "description": "Container environment detected",
  "moduleType": "ContainerDetection",
  "detectedAt": "2025-12-28T20:00:00Z",
  "confidence": 0.99,
  "metadata": {
    "isContainer": true,
    "containerType": "Docker",
    "orchestrator": "Kubernetes",
    "runtime": "containerd",
    "cgroupPath": "/kubepods/besteffort/pod-abc123/container-def456",
    "namespaceId": "4026532789",
    "kubernetesPodName": "myapp-deployment-7d8f9c6b5-xk9m2",
    "kubernetesNamespace": "production",
    "kubernetesServiceAccount": "myapp-service-account"
  }
}

{
  "threatId": "CNT-2025-12-28-1234",
  "description": "Container environment detected",
  "moduleType": "ContainerDetection",
  "detectedAt": "2025-12-28T20:00:00Z",
  "confidence": 0.99,
  "metadata": {
    "isContainer": true,
    "containerType": "Docker",
    "orchestrator": "Kubernetes",
    "runtime": "containerd",
    "cgroupPath": "/kubepods/besteffort/pod-abc123/container-def456",
    "namespaceId": "4026532789",
    "kubernetesPodName": "myapp-deployment-7d8f9c6b5-xk9m2",
    "kubernetesNamespace": "production",
    "kubernetesServiceAccount": "myapp-service-account"
  }
}

Actions

Configure responses

Custom Actions

Container-specific logic

How It Works

Configuration

Code-Based Configuration

Available Actions

When to Use

Code Examples

License-Based Detection

Configuration Optimization

Analytics and Monitoring

Detection Metadata

Platform Compatibility

Environment-Specific Features

Kubernetes Detection

Docker Compose Detection

Best Practices

Threat Detection Details

Related Protections