What 2021 Container Security Trends Reveal About Runtime Risks and Tool Adoption
The 2021 Sysdig report analyzes millions of containers to uncover short lifespans, shifting runtime choices, rising use of Prometheus, prevalent security misconfigurations, image‑scanning practices, and emerging threats, offering actionable insights for organizations managing cloud‑native workloads.
Executive Summary
Over the past four years Sysdig has continuously analyzed real‑world customer data, gaining deeper insight into container usage, security, and compliance. The 2021 Container Security and Usage Report presents findings from millions of containers, highlighting trends that help organizations understand their environments.
Container Lifespan and Usage Patterns
Enterprise customers report that containers often have very short lifespans—about half terminate within five minutes. Because a container may be gone before anyone investigates, the report emphasizes capturing detailed logs for fault response, localization, and resolution, and it shows a growing focus on runtime security as teams move workloads to production.
Runtime Adoption Shifts
While Docker’s share dropped from 79% to 50% year‑over‑year, usage of containerd and CRI‑O increased by 18% and 4% respectively. Kubernetes announced the deprecation of Docker as a supported runtime by the end of 2021, prompting many teams to adopt alternative runtimes.
Orchestration Platform Landscape
Kubernetes remains the dominant orchestration platform with only minor changes from the previous year. OpenShift grew from 9% to 15% market share, Docker Compose is used for single‑host scenarios, and the shares of Swarm and Mesos stayed roughly constant.
Security and Compliance Focus
Teams are integrating security and compliance into DevOps pipelines, embracing “shift‑left” practices such as early image scanning. Over half of scanned images fail the scan, indicating high‑severity vulnerabilities. Both operating‑system and non‑OS package vulnerabilities are prevalent: 4% of OS flaws are classified as high or critical, and 53% of third‑party packages contain severe issues.
Image Scanning Practices
Two scanning approaches are described:
Backend scanning – Sysdig extracts the full image, analyzes metadata, and evaluates vulnerabilities, misconfigurations, and unsafe practices.
Embedded scanning – Scanning occurs directly in CI/CD pipelines or runtime, with results sent back to Sysdig for evaluation.
Seventy‑four percent of customers scan images before deployment, a positive sign for early risk mitigation.
Registry Usage
34% of customers frequently use Docker registries, while Google Cloud Registry remains the most popular public registry (26% usage). Quay’s adoption grew from 14% to 24%.
Runtime Threat Detection
After fixing known vulnerabilities in the build stage, teams still need runtime policies to detect anomalous behavior that no scanner can predict. The CNCF Falco project, contributed by Sysdig, saw pull counts increase by 300% year‑over‑year, and it now supports defining runtime security policies.
Policy Violation Rankings
Analysis of alert volumes shows rising incidents of suspicious filesystem and container violations. The top seven violations are listed with descriptions, illustrating common runtime risks.
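As an added illustration of what a Falco runtime policy looks like (this is example rule text written for this summary, not a rule taken from the Sysdig report or from the Falco project's own default ruleset), the two rules below cover the two violation classes the report calls out: a container violation (an interactive shell spawned inside a container) and a filesystem violation (a write below /etc from inside a container). The macros and list are defined inline so the file does not depend on Falco's bundled rules; the field names (proc.name, proc.tty, container.id, fd.name, evt.is_open_write) are standard Falco fields.

```yaml
# Added example: self-contained Falco rules for two common runtime violations.
# Load with: falco -r this_file.yaml

# Shells that indicate an interactive session rather than a service process.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# A process was successfully exec'd (exit side of execve/execveat).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# The event came from inside a container, not from the host.
- macro: container
  condition: container.id != host

# A regular file was opened for writing.
- macro: open_write
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.typechar='f' and fd.num>=0

# Container violation: an interactive shell with a TTY inside a container.
# Legitimate entrypoints rarely allocate a TTY, so this is a strong signal of
# a human (or an attacker) landing in the container.
- rule: Terminal shell in container
  desc: A shell was spawned with a TTY attached inside a container (example rule)
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, shell]

# Filesystem violation: writes below /etc from inside a container.
# Immutable images should not be rewriting system configuration at runtime.
- rule: Write below etc in container
  desc: A process inside a container wrote to a file under /etc (example rule)
  condition: >
    open_write and container
    and fd.name startswith /etc/
  output: >
    File below /etc opened for writing in container (user=%user.name
    container=%container.name image=%container.image.repository
    file=%fd.name process=%proc.name cmdline=%proc.cmdline)
  priority: ERROR
  tags: [container, filesystem]
```

Both rules are deliberately broad; in production an operator would add exceptions for known entrypoints or config‑templating tools, since the report's alert‑volume rankings are only useful if the underlying rules are tuned enough that analysts still look at them.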
Compliance Benchmarks
Compliance requirements such as PCI‑DSS, HIPAA, GDPR, and CIS benchmarks are evaluated. Sysdig sampled over 80 CIS rules, reporting median scores for host‑level container checks, highlighting gaps in best‑practice adherence.