A computing device running a local enforcement agent is configured to instantiate at least one application container at the computing device, where the at least one application container is part of a containerized application. The computing device is also configured to associate the local enforcement agent with the least one application container so that the local enforcement agent operates as an intra-application communication proxy for the least one application container. The local enforcement agent receives an intra-application Application Programming Interface (API) call that is sent to the at least one application container from a second application container that is part of the containerized application. The local enforcement agent is configured to analyze the intra-application API call for compliance with one or more security policies associated with the at least one container.