US12475234B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12475234-B2 |
| Application number | US-202418748307-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 20, 2024 |
| Priority date | Oct 1, 2015 |
| Publication date | Nov 18, 2025 |
| Grant date | Nov 18, 2025 |
Abstract
Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.
Claims (preview)
The invention claimed is:

1. A method comprising: based on scanning a container image, generating a security profile for the container image; and enforcing the security profile for containers corresponding to runtime instances of the container image based on monitoring operation of the containers, wherein enforcing the security profile comprises, based on detecting a violation of the security profile for a first of the containers during operation of the first container, performing an enforcement action for the first container.
2. The method of claim 1, wherein performing the enforcement action for the first container comprises at least one of generating an alert, halting operation of the first container, halting or disabling execution of a process spawned by the first container, and quarantining the first container.
3. The method of claim 1, wherein monitoring operation of the containers comprises, for each of the containers, intercepting at least one of communications to the container and communications from the container.
4. The method of claim 3, further comprising analyzing intercepted communications based on the security profile to determine if the intercepted communications violate the security profile, wherein detecting the violation of the security profile for the first container comprises determining that a first of the intercepted communications corresponding to the first container violates the security profile.
5. The method of claim 1, wherein the security profile comprises indications of safe or authorized actions to be performed by the runtime instances of the container image.
6. The method of claim 1, wherein scanning the container image comprises scanning the container image to determine at least one of callable units indicated in the container image and indications of processes to be spawned by the runtime instances of the container image.
7. The method of claim 6, wherein generating the security profile comprises adding to the security profile at least one of indications of system calls to which the callable units map and signatures of the processes to be spawned.
8. The method of claim 1, further comprising analyzing a network configuration file of the container image to determine permissible network actions for network resources, wherein generating the security profile comprises adding indications of the permissible network actions to the security profile.
9. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to: scan a container image to generate a security profile for the container image; and enforce the security profile for containers corresponding to runtime instances of the container image based on monitoring operation of the containers, wherein the instructions to enforce the security profile comprise instructions to, based on detection of a violation of the security profile for a first of the containers, perform an enforcement action for the first container.
10. The non-transitory machine-readable media of claim 9, wherein the instructions to perform the enforcement action for the first container comprise at least one of instructions to generate an alert, instructions to halt operation of the first container, instructions to halt or disable execution of a process spawned by the first container, and instructions to quarantine the first container.
11. The non-transitory machine-readable media of claim 9, wherein the instructions to monitor operation of the containers comprise instructions to, for each of the containers, intercept at least one of communications to the container and communications from the container.
12. The non-transitory machine-readable media of claim 11, wherein the program code further comprises instructions to analyze the intercepted communications based on the security profile to determine if the intercepted communications violate the security profile, wherein the instructions to detect the violation of the security profile for the first container comprise instructions to determine that a first of the intercepted communications corresponding to the first container violates the security profile.
13. The non-transitory machine-readable media of claim 9, wherein the instructions to scan the container image comprise instructions to scan the container image to determine at least one of callable units indicated in the container image and indications of processes to be spawned by the runtime instances of the container image.
14. The non-transitory machine-readable media of claim 13, wherein the instructions to generate the security profile comprise instructions to add to the security profile at least one of indications of system calls to which the callable units map and signatures of the processes to be spawned.
15. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to: scan a container image; generate a security profile for the container image based on the scan of the container image; and enforce the security profile for containers corresponding to runtime instances of the container image based on monitoring operation of the containers, wherein the instructions to enforce the security profile comprise instructions to, based on detection of a violation of the security profile for a first of the containers during operation of the first container, perform an enforcement action for the first container.
16. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to perform the enforcement action for the first container comprise instructions executable by the processor to cause the apparatus to perform at least one of generating an alert, halting operation of the first container, halting or disabling execution of a process spawned by the first container, and quarantining the first container.
17. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to monitor operation of the containers comprise instructions executable by the processor to cause the apparatus to, for each of the containers, intercept at least one of communications to the container and communications from the container.
18. The apparatus of claim 15, further comprising instructions executable by the processor to cause the apparatus to analyze intercepted communications based on the security profile to determine if the intercepted communications violate the security profile, wherein the instructions executable by the processor to cause the apparatus to detect the violation of the security profile for the first container comprise instructions executable by the processor to cause the apparatus to determine that a first of the intercepted communications corresponding to the first container violates the security profile.
19. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to scan the container image comprise instructions executable by the processor to cause the apparatus to scan the container image to determine at least one of callable units indicated in the container image and indications of processes to be spawned by the runtime instances of the container image, wherein the instructions executable by the processor to cause the apparatus to generate the security profile comprise instructions executable by the processor to cause the apparatus to
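The abstract and claims above describe the technique only at the level of "scan the image, record signatures of the processes it will spawn and its permissible network actions, then compare runtime behaviour against that profile." The following is an added example, written for this page and not code from the patent or from any vendor's product, that carries the idea through end to end: it builds a profile from a constructed in-memory stand-in for a container image (claims 1, 7 and 8), then evaluates a constructed stream of exec and connect events from one container instance and picks an enforcement action from the set listed in claim 2. The profile layout, the event dictionaries, the choice of SHA-256 as the executable "signature", and the mapping from violation type to action are all assumptions made for illustration; the patent text does not fix any of them.

```python
"""Security-profile generation and enforcement for a container image.

Added example illustrating the abstract and claims on this page; not the patent's
or any product's code. Image contents, runtime events, the SHA-256 signature choice
and the violation-to-action mapping are constructed assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed stand-in for a container image: path -> file bytes. A real scanner
# would walk the image layers; a dict is enough to show the profile-building step.
IMAGE_FILES: Dict[str, bytes] = {
    "/usr/local/bin/app": b"\x7fELF app v1",
    "/usr/bin/curl": b"\x7fELF curl",
    # Constructed network configuration file (claim 8): which egress is permitted.
    "/etc/network.json": json.dumps(
        {"egress": [{"host": "api.example.internal", "port": 443}]}
    ).encode(),
}
# Constructed entrypoint metadata: executables the image is declared to spawn (claim 6).
SPAWNED_BY_IMAGE: List[str] = ["/usr/local/bin/app", "/usr/bin/curl"]


def sha256(data: bytes) -> str:
    """Signature of an executable file, as in the abstract's spawned processes profile."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class SecurityProfile:
    image: str
    spawned: Dict[str, str]          # path -> sha256 recorded at image-scan time
    egress: FrozenSet[tuple]         # (host, port) pairs allowed by the network config


def build_profile(image: str, files: Dict[str, bytes], spawned_paths: List[str]) -> SecurityProfile:
    """Scan the image once and derive the profile (claim 1); record signatures of the
    processes to be spawned (claim 7) and permissible network actions (claim 8)."""
    spawned = {p: sha256(files[p]) for p in spawned_paths}
    net = json.loads(files["/etc/network.json"])
    egress = frozenset((e["host"], e["port"]) for e in net["egress"])
    return SecurityProfile(image, spawned, egress)


@dataclass
class Verdict:
    violation: Optional[str]
    action: str  # one of "allow", "alert", "kill_process", "quarantine" (claim 2)


def check_event(profile: SecurityProfile, event: dict) -> Verdict:
    """Compare one runtime event against the profile. Events are constructed here; a real
    monitor would take them from exec/connect hooks or a network interceptor (claim 3)."""
    if event["type"] == "exec":
        expected = profile.spawned.get(event["path"])
        if expected is None:
            # A process the image never declared: stop that process (claim 2).
            return Verdict(f"unexpected process {event['path']}", "kill_process")
        if event["sha256"] != expected:
            # Same path, different bytes: the binary was swapped or modified after the scan.
            return Verdict(f"tampered executable {event['path']}", "quarantine")
        return Verdict(None, "allow")
    if event["type"] == "connect":
        if (event["host"], event["port"]) not in profile.egress:
            return Verdict(f"egress {event['host']}:{event['port']} not in profile", "alert")
        return Verdict(None, "allow")
    return Verdict(f"unknown event type {event['type']}", "alert")


def enforce(profile: SecurityProfile, events: List[dict]) -> List[Verdict]:
    """Apply the profile to the event stream of one container instance."""
    return [check_event(profile, e) for e in events]


# Constructed runtime events for a single container started from the image above.
RUNTIME_EVENTS: List[dict] = [
    {"type": "exec", "path": "/usr/local/bin/app", "sha256": sha256(IMAGE_FILES["/usr/local/bin/app"])},
    {"type": "connect", "host": "api.example.internal", "port": 443},
    {"type": "exec", "path": "/usr/bin/curl", "sha256": sha256(b"\x7fELF curl (replaced)")},
    {"type": "exec", "path": "/bin/sh", "sha256": sha256(b"\x7fELF sh")},
    {"type": "connect", "host": "203.0.113.7", "port": 4444},
]

if __name__ == "__main__":
    prof = build_profile("registry.example/app:1.0", IMAGE_FILES, SPAWNED_BY_IMAGE)
    for ev, v in zip(RUNTIME_EVENTS, enforce(prof, RUNTIME_EVENTS)):
        print(f"{ev['type']:8} -> {v.action:13} {v.violation or ''}")
```

Two points a practitioner would check before trusting a scheme like this. First, the signature must be taken from the bytes the kernel actually mapped at exec time, not re-read from the path afterwards, or an attacker can swap the file between the check and the use. Second, a profile keyed on declared paths only catches processes that appear in the image metadata; a binary dropped at runtime and executed from a new path shows up here as an "unexpected process", which is the right default but means the quality of the image scan (claims 6 and 13) bounds the quality of enforcement.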
CPC classification titles:

- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Test or assess software
- Assessing vulnerabilities and evaluating computer system security