Improve your container security, deliver security-imperative apps, increase security productivity, and enforce compliance.
gVisor is the missing security layer for running containers efficiently and securely.
gVisor is an open-source Linux-compatible sandbox that runs anywhere existing container tooling does. It enables cloud-native container security and portability. gVisor leverages years of experience isolating production workloads at Google.
Run Untrusted Code
Isolate Linux hosts from containers so you can safely run user-uploaded, LLM-generated, or third-party code. Add defense-in-depth measures to your stack, bringing additional security to your infrastructure.
Protect Workloads & Infrastructure
Fortify hosts and containers against container escapes and privilege-escalation CVEs. Because the sandboxed application's system calls are served by gVisor rather than by the host kernel, a bug in the host kernel's system call surface is not directly reachable from inside the sandbox, enabling strong isolation for security-critical workloads as well as multi-tenant safety.
Reduce Risk
Deliver runtime visibility that integrates with popular threat detection tools to quickly identify threats, generate alerts, and enforce policies.
The way containers should run
Improve your container security
Give your K8s, SaaS, or Serverless infrastructure additional layers of protection when running end-user code, untrusted code, LLM-generated code, or third-party code. Enable strong isolation for sharing resources and delivering multi-tenant environments.
Deliver security-imperative apps
gVisor adds defense-in-depth measures to your containers, allowing you to safeguard security-sensitive workloads like financial transactions, healthcare services, personally identifiable information, and other security-imperative applications.
Increase security productivity
Isolate your K8s, SaaS, and Serverless workloads, your DevSecOps lifecycle, or your CI/CD pipeline. gVisor helps you achieve a secure-by-default posture: spend less time chasing each new kernel security disclosure, and more time building what matters.
Enforce compliance
gVisor safeguards against many cloud-native attacks by reducing the attack surface exposed to your containers. Shield services like APIs, configs, infrastructure as code, DevOps tooling, and supply chains, lowering the risk present in a typical cloud-native stack.
gVisor Features
Defense in Depth
gVisor implements the Linux API in user space: it intercepts every system call the sandboxed application makes and services it in its own kernel, so the application never talks to the host kernel directly and the host is protected from the application. In addition, gVisor sandboxes itself from the host using Linux's own isolation primitives (namespaces, a seccomp-bpf system call filter, and dropped capabilities), so an attacker who compromises gVisor's kernel still faces a tightly restricted process. Through these layers of defense, gVisor achieves true defense-in-depth while still providing VM-like performance and container-like resource efficiency.
Secure by Default
gVisor runs with the fewest privileges and the tightest system call filter it needs to function. gVisor implements its Linux-compatible kernel (the Sentry) and its own network stack (netstack) in Go, a memory-safe and type-safe language, so the memory-corruption bug classes behind most kernel CVEs do not apply to its code.
Runs Anywhere
gVisor runs anywhere Linux does. It works on x86 and ARM, on VMs or bare metal, and does not require hardware virtualization support: the default systrap platform runs entirely in user space, so it works on cloud VMs without nested virtualization, while the KVM platform can use hardware virtualization for better performance where it is available. gVisor works well on all popular cloud providers.
Cloud Ready
gVisor ships as runsc, an OCI-compatible container runtime, so it works with Docker, Kubernetes, and containerd without changes to your images. Many popular applications and images are deployed in production environments on gVisor.
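The following is an added example, not code from the gVisor project or this page, showing the integrations named above from the operator's side: registering runsc with Docker, a check that a container is really running under gVisor (dmesg inside a gVisor sandbox is produced by gVisor's own kernel and begins with "Starting gVisor..."; under runc you get the host kernel's ring buffer or a permission error), and a Kubernetes RuntimeClass that pods can request. It assumes runsc is installed at /usr/local/bin/runsc, that Docker is running locally, and that the cluster node's containerd already has a handler named runsc configured; the image alpine, the pod name untrusted-job, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not gVisor project code): wire runsc into Docker and
# Kubernetes and verify that a container is actually sandboxed.
# Assumption: runsc lives at /usr/local/bin/runsc.
set -eu

RUNSC=/usr/local/bin/runsc   # assumed install path

# 1. Register runsc as a Docker runtime. `runsc install` adds a "runsc"
#    entry to /etc/docker/daemon.json; Docker must be restarted afterwards.
install_docker_runtime() {
  sudo "$RUNSC" install
  sudo systemctl restart docker
}

# 2. The check. Inside a gVisor sandbox, dmesg is answered by the Sentry
#    (gVisor's user-space kernel), not by the host kernel, and its first
#    line announces it. Reads dmesg output on stdin; returns 0 if it came
#    from gVisor, 1 otherwise.
sandboxed_by_gvisor() {
  grep -q 'Starting gVisor'
}

# 3. Run the same image under runsc and under the default runtime and
#    report which one is actually sandboxed. Fails if the runsc run is not.
compare_runtimes() {
  image="${1:-alpine}"   # illustrative image
  if docker run --rm --runtime=runsc "$image" dmesg | sandboxed_by_gvisor; then
    echo "runsc: sandboxed by gVisor"
  else
    echo "runsc: NOT sandboxed; check daemon.json and restart docker" >&2
    return 1
  fi
  # Under runc, dmesg prints the host ring buffer or fails with EPERM;
  # either way the gVisor banner is absent.
  if docker run --rm "$image" dmesg 2>/dev/null | sandboxed_by_gvisor; then
    echo "default runtime: gVisor (default-runtime is probably set to runsc)"
  else
    echo "default runtime: host kernel"
  fi
}

# 4. Kubernetes. A RuntimeClass maps the node-side handler name "runsc"
#    (configured in the node's containerd) to a name pods can request via
#    runtimeClassName. The pod below is a placeholder "untrusted job".
apply_runtimeclass() {
  kubectl apply -f - <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
spec:
  runtimeClassName: gvisor
  containers:
  - name: job
    image: alpine
    command: ["sh", "-c", "dmesg; sleep 3600"]
EOF
}

# Only talk to Docker or Kubernetes when they are actually present, so the
# file can also be sourced for its functions on a machine without them.
if command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1; then
  compare_runtimes alpine
fi
if command -v kubectl >/dev/null 2>&1; then
  apply_runtimeclass
fi
```

Run the Docker part once after `install_docker_runtime`; if the runsc run reports "NOT sandboxed", Docker did not pick up the new runtime. For Kubernetes, `kubectl exec untrusted-job -- dmesg` gives the same banner check from inside the pod.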
Fast Startups and Execution
gVisor containers start up in milliseconds and have minimal resource overhead. They act like, feel like, and actually are containers, not VMs. Their resource consumption can scale up and down at runtime, enabling container-native resource efficiency.
Checkpoint and Restore
gVisor can checkpoint and restore containers. Use it to cache warmed-up services, resume workloads on other machines, snapshot execution, save state for forensics, or branch interactive REPL sessions.
Runtime Monitoring
Observe the runtime behavior of your applications by streaming application events (trace points such as system calls and process lifecycle events) to an external threat detection engine like Falco, which can match them against its rules and generate alerts.
GPU & CUDA Support
gVisor applications can use CUDA on Nvidia GPUs, bringing isolation to AI/ML workloads.