For container security, you'll find plenty of open-source tools that can help prevent a debacle such as the one that befell Tesla, which suffered a Kubernetes cluster breach. But container security is still tricky, so you need to know which utilities to add to your arsenal.
If you've spent significant time choosing the best application security testing tool and making your application as secure as possible, you don't want it running in an insecure container. There are commercial container security products, but open-source projects can also take you pretty far.
Many of these tools focus on auditing container images against vulnerability databases such as the National Vulnerability Database (NVD) and its Common Vulnerabilities and Exposures (CVE) records, and against configuration benchmarks such as those published by the Center for Internet Security (CIS). A scanner opens the image, inventories its contents (OS packages, language dependencies, configuration), and compares that inventory against the known-vulnerability data and benchmark rules.
Automating container auditing, as well as using other container security processes, can be a huge boon for enterprises by helping teams catch problems early in the build pipeline.
While there are plenty of open-source container security tools out there, here are the best, most mature ones with the largest user communities.
1. Docker Bench for Security
Script to audit Docker containers against security benchmarks
Aimed at developers who manage containers with the Docker community edition, Docker Bench for Security is Docker's open-source script for auditing containers against common security best practices.
Docker Bench bases its tests on the industry-standard CIS Docker Benchmark, automating the tedious job of checking the host, the Docker daemon, the container runtime, and image configuration by hand. Note that it audits configuration rather than package vulnerabilities; pair it with an image scanner such as Clair, Anchore, or Trivy for the latter.
Diogo Mónica, Docker's security lead at the time, describes it as a "container that tests containers." You can run the tests this way (the host paths are mounted read-only, so the audit container can inspect but not alter the host's Docker configuration):
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker/docker-bench-security
The script prints a PASS, WARN, INFO, or NOTE result for each benchmark check. You can also clone the repository and run the shell script directly on the Docker host, or bring it up with Docker Compose.
One drawback is that the default output is written for humans rather than machines, so feeding it into a pipeline takes extra parsing. Several community projects, such as Docker Bench Test, drydock, and Actuary, build on Docker Bench to improve on this.
2. Clair
API-driven static container security analysis with a large CVE database
Clair performs static analysis of vulnerabilities in container images. It works with OCI and Docker images. Clair ingests many vulnerability data sources, such as the Debian Security Bug Tracker, the Ubuntu CVE Tracker, and Red Hat Security Data, so its coverage of OS-package vulnerabilities across distributions is broad.
Clair first indexes a container image, producing a report of the packages, distributions, and repositories it contains. Then, through the Clair API, you can request a vulnerability report that matches that index against the ingested data sources. To get started with Clair, see the Clair documentation guide.
Clair's feature set is flexible. It lets you add your own drivers for additional behaviors. Also, making separate API calls to audit specific container images is a sleek, machine-driven alternative to scouring through massive report logs.
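To make the index-then-match workflow concrete, here is an added example in Python (it is not Clair's code; Clair itself is written in Go). It inventories installed packages from a dpkg status file, then matches them against a vulnerability feed using dpkg's own version-ordering rules, which is the step that decides whether 1.4.2-3 is older than 1.4.2-3+deb11u1. The status text, the feed, the package names, and the EXAMPLE-* identifiers are all constructed placeholders, not real data. The same logic underlies the CVE-based scanners described at the top of the article.

```python
"""Inventory-then-match, the core of a static image scanner (added example).
The dpkg status text and the feed below are constructed sample data."""


def _order(c):
    """Sort weight of one character, as in dpkg's verrevcmp(): '~' sorts
    before everything (even end of string), letters before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the dpkg way: alternate
    between non-digit runs (weighted by _order) and numeric runs (compared
    numerically, leading zeros ignored)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(a, b):
    """Return -1, 0 or 1 for two Debian versions ([epoch:]upstream[-revision])."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
        return epoch, upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_status(text):
    """Inventory step: {package: version} for installed packages in a
    /var/lib/dpkg/status file (stanzas separated by blank lines)."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed


def match_vulnerabilities(installed, distro, feed):
    """Matching step: an entry applies when it is for this distro, names an
    installed package, and the installed version is older than the fixed
    version (or no fix exists yet)."""
    findings = []
    for vuln in feed:
        if vuln["distro"] != distro or vuln["package"] not in installed:
            continue
        have, fixed = installed[vuln["package"]], vuln["fixed_version"]
        if fixed is None or dpkg_compare(have, fixed) < 0:
            findings.append({"id": vuln["id"], "package": vuln["package"], "installed": have,
                             "fixed_version": fixed, "severity": vuln["severity"]})
    return findings


def scan_image(status_text, distro, feed):
    return match_vulnerabilities(parse_dpkg_status(status_text), distro, feed)


# Constructed sample: a dpkg status extract and a feed with placeholder ids.
SAMPLE_DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.4.2-3

Package: exampletool
Status: install ok installed
Version: 2:0.9.1-1+deb11u2

Package: notinstalled
Status: deinstall ok config-files
Version: 7.0-1

Package: examplelib-dev
Status: install ok installed
Version: 1.4.2-3
"""
SAMPLE_FEED = [
    {"id": "EXAMPLE-0001", "distro": "debian:11", "package": "libexample1", "fixed_version": "1.4.2-3+deb11u1", "severity": "High"},
    {"id": "EXAMPLE-0002", "distro": "debian:11", "package": "exampletool", "fixed_version": "2:0.9.1-1+deb11u2", "severity": "Medium"},
    {"id": "EXAMPLE-0003", "distro": "debian:11", "package": "notinstalled", "fixed_version": None, "severity": "High"},
    {"id": "EXAMPLE-0004", "distro": "debian:12", "package": "libexample1", "fixed_version": "1.5.0-1", "severity": "High"},
    {"id": "EXAMPLE-0005", "distro": "debian:11", "package": "examplelib-dev", "fixed_version": None, "severity": "Low"},
]

if __name__ == "__main__":
    for f in scan_image(SAMPLE_DPKG_STATUS, "debian:11", SAMPLE_FEED):
        print(f)
```

Of the five feed entries only two apply: EXAMPLE-0002 is already at its fixed version, EXAMPLE-0003 names a package that is not installed (only config files remain), and EXAMPLE-0004 is for a different distribution. Getting the version comparison right matters: a naive string or float comparison would misorder 1.0~rc1 against 1.0, or 1ubuntu2 against 1ubuntu10, and report false negatives.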
3. Cilium
API-aware networking and security at the kernel layer
Cilium is all about securing network connectivity. Compatible with Linux container platforms such as Docker and Kubernetes, Cilium adds security visibility and control logic.
It's powered by eBPF (extended Berkeley Packet Filter), a Linux kernel technology that lets Cilium enforce policy in the kernel datapath rather than in a sidecar or in the application. The interesting aspect of this low-level implementation is that you can apply and update Cilium security policies, including layer-7 rules such as allowing only particular HTTP methods and paths, without changing the application code or container configuration.
Cilium was developed in response to the volatile lifecycles of modern microservices development and quick container deployment. For an open-source project, the support and community around Cilium are fantastic. There are extensive guides and documentation, a dedicated Slack channel, and even a weekly developer meeting.
4. Anchore
Container security based on CVE data and user-defined policies
The Anchore Engine is an open-source tool for analyzing container images. In addition to CVE-based security vulnerability reporting, the Anchore Engine can evaluate Docker images using custom policies to allow for automated validation and certification.
Policies produce a pass or fail result, and rules can be allowlists or blocklists keyed on detected secrets or credentials, file contents, configuration settings, and other user-defined criteria. Packaged as a container image, Anchore Engine can run stand-alone or on an orchestration platform such as Kubernetes, and there are Jenkins and GitLab integrations for CI/CD.
The command-line interface (CLI) is an easy way to manipulate the Anchore Engine. For example, you can use a command to return detailed information on the contents of an image. Performing a scan on an image will output a list of vulnerability details, threat levels, CVE identifiers, and other pertinent information.
Policy bundles are JSON documents that you can write by hand and load through the CLI; a graphical policy editor ships only with the commercial Anchore Enterprise product, which is where the SaaS-like feel of the project comes from. For more information, visit the Anchore documentation.
5. Dockle
Verifies container best practices, and scans for CIS benchmarks
You should be ensuring that your containers meet standard security best practices. Dockle is an open-source linter for built container images (it inspects the image, not the Dockerfile) that checks them against Docker's best practices for writing Dockerfiles and against the image-related items of the CIS Docker Benchmark. Among other things, it flags images that run as root, carry credential files, use ADD where COPY would do, or are built from an untagged or latest base image, helping to avoid exposed secrets, unnecessary privilege, and potentially vulnerable commands.
You can install Dockle in various ways, including Homebrew on macOS or Linux:
$ brew install goodwithtech/r/dockle
6. Trivy
Scans images for vulnerabilities within your CI pipeline
Trivy, by Aqua Security, is a simple vulnerability scanner for containers and other artifacts. It can scan container images, Git repositories, and file systems to catch vulnerabilities in OS packages and programming-language dependencies. Trivy is also designed for CI/CD use, scanning for vulnerabilities before an image is pushed to a registry or an application is deployed. Complete documentation is available on the Trivy site.
7. Hadolint
In-line Dockerfile linting using Shellcheck
Written in Haskell, Hadolint is a linter that helps teams build Docker images that follow best practices. It parses a Dockerfile into an abstract syntax tree (AST) and runs the shell in RUN instructions through ShellCheck. The results are in-line findings that flag things such as invalid ports, faulty or unnecessary commands, missing image tags, and other anti-patterns; resolving them hardens the image before it is ever built.
Hadolint is maintained by a small team, so one possible deterrent is the number of unresolved issues open at the time of publication. You can try an interactive example of Hadolint online.
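Added example, not Hadolint's or Dockle's code: a small Python linter that applies the kinds of checks both tools (and Docker's Dockerfile best practices) encode, run over two constructed Dockerfiles, one careless and one hardened. The EX001 to EX008 rule ids, the regular expressions, and the sample Dockerfiles are assumptions of this example; each rule corresponds to a well-known Hadolint or Dockle/CIS check, but the ids are not theirs.

```python
"""Dockerfile linter in the spirit of Hadolint and Dockle (added example).
Rule ids EX001..EX008 and the sample Dockerfiles are ours."""
import re

SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
APT_INSTALL = re.compile(r"apt-get\s+install")
APT_LISTS_CLEANUP = re.compile(r"rm\s+-[a-zA-Z]+\s+/var/lib/apt/lists")


def parse_dockerfile(text):
    """Return [(INSTRUCTION, arguments)], joining backslash continuations and
    dropping blank and comment lines (Docker ignores comment lines even inside
    a continued RUN, so they are dropped before joining)."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        instructions.append((keyword.upper(), args.strip()))
        buf = ""
    return instructions


def _image_tag(image):
    """Tag of a FROM reference: None if untagged, '<digest>' if pinned by digest."""
    if "@" in image:
        return "<digest>"
    _, sep, tag = image.rpartition(":")
    if sep and "/" not in tag:          # 'registry:5000/img' has a colon but no tag
        return tag
    return None


def _key_values(args):
    """Parse 'KEY=value KEY2=value' and the legacy 'KEY value' ENV form."""
    if "=" not in args.split()[0]:
        key, _, value = args.partition(" ")
        return [(key, value.strip())]
    return [(k, v.strip("\"'")) for k, _, v in (t.partition("=") for t in args.split())]


def lint_dockerfile(text):
    """Return (instruction number, rule id, message) for every finding."""
    instructions = parse_dockerfile(text)
    findings, stages, last_user = [], set(), None
    for n, (kw, args) in enumerate(instructions, 1):
        if kw == "FROM":
            parts = args.split()
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stages.add(parts[2])        # a later FROM <stage> is not an image pull
            if image.lower() == "scratch" or image in stages:
                continue
            tag = _image_tag(image)
            if tag is None:
                findings.append((n, "EX001", f"FROM {image}: untagged image floats to :latest; pin a tag or digest"))
            elif tag == "latest":
                findings.append((n, "EX002", f"FROM {image}: the latest tag is not reproducible"))
        elif kw == "RUN" and APT_INSTALL.search(args):
            if "--no-install-recommends" not in args:
                findings.append((n, "EX003", "apt-get install without --no-install-recommends pulls in extra packages"))
            if not APT_LISTS_CLEANUP.search(args):
                findings.append((n, "EX004", "apt-get install without rm -rf /var/lib/apt/lists/* leaves package indexes in the layer"))
        elif kw in ("ENV", "ARG"):
            for key, value in _key_values(args):
                if value and SECRET_KEY.search(key):
                    findings.append((n, "EX005", f"{kw} {key}: literal secret baked into the image; use build secrets or runtime injection"))
        elif kw == "ADD":
            src = args.split()[0]
            if not src.startswith(("http://", "https://")):
                findings.append((n, "EX006", f"ADD {src}: use COPY for local files; ADD silently extracts archives"))
        elif kw == "EXPOSE":
            for spec in args.split():
                port = spec.split("/")[0]
                if not (port.isdigit() and 1 <= int(port) <= 65535):
                    findings.append((n, "EX007", f"EXPOSE {spec}: port must be between 1 and 65535"))
        elif kw == "USER":
            last_user = args.split(":")[0]
    if last_user is None:
        findings.append((len(instructions), "EX008", "no USER instruction: the container runs as root"))
    elif last_user in ("root", "0"):
        findings.append((len(instructions), "EX008", "final USER is root"))
    return findings


# Constructed samples: the first trips every rule but EX001, the second is clean.
BAD_DOCKERFILE = """\
FROM debian:latest
ENV API_TOKEN=abcdef123456
RUN apt-get update && apt-get install -y curl
ADD app.tar.gz /opt/app
EXPOSE 80000
CMD ["/opt/app/run"]
"""
GOOD_DOCKERFILE = """\
FROM debian:12-slim
# comments are ignored, even inside a continued RUN
RUN apt-get update \\
    && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
COPY app/ /opt/app/
RUN useradd --system --no-create-home app
USER app
EXPOSE 8080/tcp
CMD ["/opt/app/run"]
"""

if __name__ == "__main__":
    for n, rule, msg in lint_dockerfile(BAD_DOCKERFILE):
        print(f"instruction {n}: {rule} {msg}")
```

The parser matters as much as the rules: a linter that does not join backslash continuations would miss the apt-get cleanup in the hardened file and report a false positive, and one that does not track multi-stage names would flag `FROM builder` as an untagged pull.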
8. OpenSCAP Workbench
Creates and maintains security policies for various platforms
OpenSCAP is an ecosystem of tooling for admins and security auditors with many open security benchmark guides, configuration baselines, and open-source tools.
If you are operating on Fedora, Red Hat Enterprise Linux, CentOS, or Scientific Linux, you can install the OpenSCAP Workbench as a GUI to run scans on virtual machines, containers, and images.
Install OpenSCAP Workbench with the following command:
# yum install scap-workbench
OpenSCAP uses the NIST-certified Security Content Automation Protocol (SCAP), and provides many machine-readable security policies. The OpenSCAP Security Guide states that the project's goal is to "allow multiple organizations to efficiently develop security content by avoiding redundancy."
Since OpenSCAP is more broad-based than others on this list, some may prefer using it to create security policies for the operating system or environment as well as for containers.
To verify containers against SCAP policy guides and CVEs, you can also use the oscap-docker utility that ships with OpenSCAP.
9. Notary
Boosts container security with a server for cryptographically delegating responsibility
Originally developed by Docker, Notary was donated to the Cloud Native Computing Foundation in 2017. It is the framework behind Docker Content Trust, the image-signing mechanism in the Docker client, and is open source for other implementations to build on.
Notary is all about separating responsibilities. It implements the roles of The Update Framework (root, targets, snapshot, and timestamp), each with its own key, and lets a publisher delegate the signing of particular targets to other keys, so that, for example, a CI system can sign new image tags without ever holding the root key. The package provides a server and a client that together give a cryptographically verifiable way to publish and verify content.
To deploy Notary locally, get started by cloning the repo. Next, use Docker Compose to deploy a local configuration:
$ docker-compose build
$ docker-compose up -d
$ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
Relying on The Update Framework (TUF) and the Go language as dependencies, Notary can be used to "verify the cryptographic integrity of a container application image."
10. Grafeas
A metadata API to help govern internal security policies
IBM and Google partnered on an open-source container security project called Grafeas, announced in late 2017. Rather than scanning anything itself, Grafeas gives your own scanners and build tools a common place to record and query what they know about each artifact.
Described as a "component metadata API," developers can use Grafeas to define metadata for virtual machines and containers. IBM's Vulnerability Advisor is also integrated into the project.
For a case study, see "How Shopify Uses Grafeas to Manage Metadata for 500k Container Images." Grafeas can be paired with Kritis, another open-source package, which acts as a Kubernetes admission controller that enforces security policies (such as a maximum vulnerability severity and required attestations) based on Grafeas metadata.
Being able to quickly source container metadata helps accelerate remediation attempts, thus decreasing the window from zero-day exploit to resolution. Though Grafeas is open source, it's maintained by large software providers, a benefit for long-term support.
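Added example, not Grafeas, Kritis, or Anchore code: a deploy-time gate in Python that evaluates stored scan metadata against a pass/fail policy of the kind Anchore policy bundles and Kritis image security policies express (maximum severity, allowlisted ids, required attestors, and whether unfixable findings block). The occurrence records only loosely follow the shape of Grafeas occurrences, the severity ladder is Grafeas's, and the image digest, note names, packages, and EXAMPLE-* identifiers are constructed.

```python
"""Admission gate over Grafeas-style metadata (added example).
Records, digest, note names and EXAMPLE-* ids below are constructed."""
from dataclasses import dataclass, field

# Grafeas severity ladder; a higher rank is worse.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Policy:
    max_severity: str = "MEDIUM"                          # worst severity allowed to ship
    allowlist: set = field(default_factory=set)           # ids accepted after review
    required_attestors: set = field(default_factory=set)  # note names that must attest
    only_fixable: bool = True                             # unfixable findings warn, not block


@dataclass
class Decision:
    allowed: bool
    violations: list
    warnings: list


def evaluate(image_ref, occurrences, policy):
    """Decide whether image_ref may be deployed given the metadata stored about it."""
    violations, warnings = [], []
    # A tag can be re-pointed after the scan ran; insist on a digest so the
    # metadata we consult describes exactly the bytes that will run.
    if "@sha256:" not in image_ref:
        violations.append(f"{image_ref}: reference the image by digest, not by tag")
        return Decision(False, violations, warnings)
    digest = image_ref.split("@", 1)[1]
    mine = [o for o in occurrences if o["resourceUri"] == image_ref]

    for occ in (o for o in mine if o["kind"] == "VULNERABILITY"):
        v = occ["vulnerability"]
        if v["id"] in policy.allowlist:
            warnings.append(f"{v['id']}: allowlisted by policy")
            continue
        if SEVERITY_RANK[v["severity"]] <= SEVERITY_RANK[policy.max_severity]:
            continue
        if policy.only_fixable and not v["fixAvailable"]:
            warnings.append(f"{v['id']} ({v['severity']}) in {v['package']}: no fix available, not blocking")
            continue
        violations.append(f"{v['id']} ({v['severity']}) in {v['package']}: fixed in {v['fixedVersion']}")

    # An attestation counts only if a required authority made it and its payload
    # binds this exact digest. Kritis additionally verifies a PGP or PKIX
    # signature over that payload; signature checking is not modelled here.
    attested = {o["noteName"] for o in mine
                if o["kind"] == "ATTESTATION" and o["attestation"]["imageDigest"] == digest}
    for authority in sorted(policy.required_attestors - attested):
        violations.append(f"missing attestation from {authority}")
    return Decision(not violations, violations, warnings)


# Constructed sample metadata for one image.
IMAGE_DIGEST = "sha256:" + "ab" * 32          # placeholder digest, not a real image
IMAGE = "registry.example/app@" + IMAGE_DIGEST


def _vuln(vid, severity, package, fixed):
    return {"resourceUri": IMAGE, "kind": "VULNERABILITY", "noteName": f"projects/example/notes/{vid}",
            "vulnerability": {"id": vid, "severity": severity, "package": package,
                              "fixAvailable": fixed is not None, "fixedVersion": fixed}}


SAMPLE_OCCURRENCES = [
    _vuln("EXAMPLE-0001", "HIGH", "libexample1", "1.4.2-3+deb11u1"),
    _vuln("EXAMPLE-0002", "CRITICAL", "exampletool", "2:0.9.1-1+deb11u3"),
    _vuln("EXAMPLE-0003", "MEDIUM", "libexample1", "1.4.3-1"),
    _vuln("EXAMPLE-0004", "HIGH", "examplelib-dev", None),
    {"resourceUri": IMAGE, "kind": "ATTESTATION", "noteName": "projects/example/notes/build-attestor",
     "attestation": {"imageDigest": IMAGE_DIGEST}},
]
SAMPLE_POLICY = Policy(max_severity="MEDIUM", allowlist={"EXAMPLE-0002"},
                       required_attestors={"projects/example/notes/build-attestor"}, only_fixable=True)

if __name__ == "__main__":
    d = evaluate(IMAGE, SAMPLE_OCCURRENCES, SAMPLE_POLICY)
    print("allowed" if d.allowed else "denied", d.violations, d.warnings)
```

With the sample policy the image is denied for EXAMPLE-0001 alone: EXAMPLE-0002 is allowlisted, EXAMPLE-0003 is within the severity ceiling, and EXAMPLE-0004 has no fix yet, so it is reported as a warning rather than a blocker. Referencing the same image by tag is denied before any finding is examined.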
11. Sysdig Falco
Behavioral activity monitoring with deep container visibility
Falco is a Kubernetes-aware security auditing tool by Sysdig that emphasizes behavioral monitoring for containers, hosts, and network activities. Use Falco to set up continuous checks on your infrastructure, detect anomalies, and set up alerts for any type of Linux system calls.
Falco's documentation recommends running it as a container (it also ships as distribution packages); see the Falco installation guide for the commands. With standard-output alerts enabled in falco.yaml:
stdout_output:
  enabled: true
an alert printed to standard output looks like this:
10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program
Use Falco to detect when an interactive shell is spawned in a container, when a container is started with a sensitive host path mounted (such as /var/run/docker.sock), and when a process makes an unexpected read of a sensitive file, an unexpected outbound connection, or another suspicious system call. Sysdig provides further container troubleshooting materials here.
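Added example, not Falco's code or rule language: the shape of Falco's detection logic in Python, rules as predicates over a stream of enriched system-call events, run over constructed sample events. The three rule names are borrowed from Falco's default rule set; the conditions are simplified paraphrases of those rules, and the event records, field names, and container ids are made up.

```python
"""Falco-style behavioural rules over enriched syscall events (added example).
Field names and the sample events are constructed, not captured."""

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_FILES = {"/etc/shadow", "/etc/sudoers", "/etc/pam.conf", "/root/.ssh/authorized_keys"}
TRUSTED_READERS = {"sshd", "sudo", "login", "passwd", "useradd", "usermod", "chpasswd"}
SENSITIVE_MOUNTS = ("/proc", "/var/run/docker.sock", "/var/lib/kubelet", "/etc", "/root")
O_WRONLY, O_RDWR = 0o1, 0o2
# Fields every event gets after enrichment; events from the host have no container.
DEFAULTS = {"ts": "?", "type": "?", "user": "?", "container_id": "host", "image": "<host>",
            "parent": "?", "proc_name": "?", "fd_name": "", "flags": 0, "tty": 0, "mounts": []}


def in_container(e):
    return e["container_id"] != "host"


def sensitive_mount(spec):
    """True when a bind-mount spec 'host:container[:opts]' exposes a sensitive host path."""
    src = spec.split(":")[0].rstrip("/") or "/"
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_MOUNTS)


RULES = [
    {"rule": "Terminal shell in container", "priority": "Notice",
     "condition": lambda e: e["type"] == "execve" and in_container(e)
                            and e["proc_name"] in SHELLS and e["tty"] != 0,
     "output": "A shell was spawned in a container with an attached terminal "
               "(user={user} container={container_id} image={image} shell={proc_name} parent={parent})"},
    {"rule": "Read sensitive file untrusted", "priority": "Warning",
     "condition": lambda e: e["type"] in ("open", "openat") and e["fd_name"] in SENSITIVE_FILES
                            and not (e["flags"] & (O_WRONLY | O_RDWR))
                            and e["proc_name"] not in TRUSTED_READERS,
     "output": "Sensitive file opened for reading by non-trusted program "
               "(user={user} program={proc_name} file={fd_name} container={container_id})"},
    {"rule": "Launch Sensitive Mount Container", "priority": "Informational",
     "condition": lambda e: e["type"] == "container_start" and any(sensitive_mount(m) for m in e["mounts"]),
     "output": "Container started with a sensitive host mount "
               "(container={container_id} image={image} mounts={mounts})"},
]


def run_rules(events, rules=RULES):
    """Evaluate every rule against every event; return (rule name, alert line) pairs
    formatted the way Falco prints to stdout: timestamp, priority, message."""
    alerts = []
    for raw in events:
        e = {**DEFAULTS, **raw}
        for rule in rules:
            if rule["condition"](e):
                alerts.append((rule["rule"], f"{e['ts']}: {rule['priority']} " + rule["output"].format(**e)))
    return alerts


# Constructed events: an interactive shell, a non-interactive entrypoint script,
# two reads of /etc/shadow (one by a trusted program), a benign read, and two
# container starts (one with the Docker socket mounted).
C1 = "a1b2c3d4e5f6"
SAMPLE_EVENTS = [
    {"ts": "10:20:01.000000001", "type": "execve", "proc_name": "bash", "parent": "node", "tty": 34816,
     "user": "root", "container_id": C1, "image": "registry.example/app"},
    {"ts": "10:20:02.000000002", "type": "execve", "proc_name": "sh", "parent": "docker-entrypoint", "tty": 0,
     "user": "root", "container_id": C1, "image": "registry.example/app"},
    {"ts": "10:20:03.000000003", "type": "openat", "proc_name": "cat", "fd_name": "/etc/shadow", "flags": 0,
     "user": "root", "container_id": C1, "image": "registry.example/app"},
    {"ts": "10:20:04.000000004", "type": "openat", "proc_name": "sshd", "fd_name": "/etc/shadow", "flags": 0,
     "user": "root"},
    {"ts": "10:20:05.000000005", "type": "openat", "proc_name": "cat", "fd_name": "/etc/hostname", "flags": 0,
     "user": "root", "container_id": C1},
    {"ts": "10:20:06.000000006", "type": "container_start", "container_id": "0f9e8d7c6b5a",
     "image": "registry.example/debug", "mounts": ["/var/run/docker.sock:/var/run/docker.sock:rw"]},
    {"ts": "10:20:07.000000007", "type": "container_start", "container_id": "1122334455aa",
     "image": "registry.example/app", "mounts": ["/data/app:/data:ro"]},
]

if __name__ == "__main__":
    for _, line in run_rules(SAMPLE_EVENTS):
        print(line)
```

Three of the seven events fire. The entrypoint's `sh` does not, because the rule requires an attached terminal, which is what separates an operator (or attacker) typing into `docker exec` from an init script; and `sshd` reading /etc/shadow does not, because it is in the trusted-reader list. Tuning those two lists to your own images is most of the work of running Falco without alert fatigue.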
Honorable mentions
- Dagda: Scans for vulnerabilities, Trojans, viruses, and malware in Docker containers
- Dockscan: Scans for security vulnerabilities, but has seen only a small number of commits
- Batten: Provides an auditing toolkit similar to Docker Bench, but with inactive support
- BlackDuck Docker security: Offers a container image security scanning tool built as a web service; unfortunately, production use is not advised in its current form
- InSpec: Provides an auditing and testing framework with Docker container testing capabilities
- Project Calico: Provides network policy enforcement for Kubernetes and other platforms
A strong ecosystem of open-source tools
Because containerization has evolved into a popular deployment style, the need to augment these containers with proper security controls is paramount. Thankfully, you'll find a strong ecosystem of open-source security tools that have been custom-built for many different environments.
The overall strength of these tools depends on the depth of the inspection performed, and on the CVE databases and benchmarks behind them continuing to pick up newly disclosed vulnerabilities and to issue new best practices. Thankfully, efforts are being made to decrease the time between a vulnerability's disclosure and its detection in container images.
In addition to the containers themselves, you also need to secure the network layer and the orchestrator. Open-source Kubernetes scanners such as kube-bench (which checks a cluster against the CIS Kubernetes Benchmark), kube-hunter, and kube-score can help catch security misconfigurations and over-permissive settings.
Developers will also gravitate toward tools that provide a better experience, which will reduce noise and duplication in log results. That kind of granular preference can only be determined through trial and error, depending on your build routines and personal preferences.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.