Improve your container security, deliver security-imperative apps, increase security productivity, and enforce compliance.
gVisor is an open-source Linux-compatible sandbox that runs anywhere existing container tooling does. It enables cloud-native container security and portability. gVisor leverages years of experience isolating production workloads at Google.
Isolate Linux hosts from containers so you can safely run user-uploaded, LLM-generated, or third-party code. Add defense-in-depth measures to your stack, bringing additional security to your infrastructure.
Fortify hosts and containers against escapes and privilege escalation CVEs, enabling strong isolation for security-critical workloads as well as multi-tenant safety.
Deliver runtime visibility that integrates with popular threat detection tools to quickly identify threats, generate alerts, and enforce policies.
Give your K8s, SaaS, or Serverless infrastructure additional layers of protection when running end-user code, untrusted code, LLM-generated code, or third-party code. Enable strong isolation for sharing resources and delivering multi-tenant environments.
gVisor adds defense-in-depth measures to your containers, allowing you to safeguard security-sensitive workloads like financial transactions, healthcare services, personally identifiable information, and other security-imperative applications.
Isolate your K8s, SaaS, Serverless, or DevSecOps lifecycle, or your CI/CD pipeline. gVisor helps you achieve a secure-by-default posture. Spend less time staying on top of security disclosures, and more time building what matters.
gVisor safeguards against many cloud-native attacks by reducing the attack surface exposed to your containers. Shield services like APIs, configs, infrastructure as code, DevOps tooling, and supply chains, lowering the risk present in a typical cloud-native stack.
gVisor implements the Linux API: by intercepting all system calls the sandboxed application makes to the kernel, it protects the host from the application. gVisor also sandboxes itself from the host using Linux's own isolation capabilities. Through these layers of defense, gVisor achieves true defense-in-depth while still providing VM-like performance and container-like resource efficiency.
gVisor runs with the least amount of privileges and the strictest possible system call filter needed to function. gVisor implements the Linux kernel and its network stack using Go, a memory-safe and type-safe language.
gVisor runs anywhere Linux does. It works on x86 and ARM, on VMs or bare-metal, and does not require virtualization support. gVisor works well on all popular cloud providers.
gVisor works with Docker, Kubernetes, and containerd. Many popular applications and images are deployed in production environments on gVisor.
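As an added example that is not part of the gVisor page, the manifest below opts a single Kubernetes Pod into the gVisor sandbox via a RuntimeClass. It assumes the node's containerd is already configured with a runtime handler named `runsc` (the conventional name for gVisor's OCI runtime) and that the `runsc` binary is installed on the node; the Pod name and image are illustrative.

```yaml
# Added example (not from the gVisor project): run one Pod under gVisor.
# Assumption: containerd on the node defines a runtime handler called "runsc"
# (runtime_type io.containerd.runsc.v1) and runsc is installed at the path it
# points to. Pods without runtimeClassName keep using the default runtime.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc              # must match the runtime name in containerd's config
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job       # illustrative name
spec:
  runtimeClassName: gvisor  # every container in this Pod is sandboxed by gVisor
  restartPolicy: Never
  containers:
  - name: worker
    image: python:3.12-alpine
    # Inside the sandbox, uname reports gVisor's emulated kernel version rather
    # than the host kernel: a quick check that the Pod really landed in gVisor.
    command: ["sh", "-c", "uname -r"]
```

Apply it with `kubectl apply -f` and read the Pod's log; a host-kernel version string means the RuntimeClass was not honored and the node's runtime configuration should be checked.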
gVisor containers start up in milliseconds and have minimal resource overhead. They act like, feel like, and actually are containers, not VMs. Their resource consumption can scale up and down at runtime, enabling container-native resource efficiency.
gVisor can checkpoint and restore containers. Use it to cache warmed-up services, resume workloads on other machines, snapshot execution, save state for forensics, or branch interactive REPL sessions.
Observe the runtime behavior of your applications by streaming application actions (trace points) to an external threat detection engine like Falco and generating alerts.
gVisor applications can use CUDA on Nvidia GPUs, bringing isolation to AI/ML workloads.