Kubernetes / Container Security Tools You Must be Aware Of

Whether paid or free, the web is full of container security tools that allow developers and organizations to maintain a secure environment. This blog post focuses on open source Kubernetes and container security tools, as we believe some free tools deliver no less than their commercial equivalents.

What is a container security tool?

Container security tools ensure that everything in your container is running as you programmed it to. Securing containers is a process that must run continuously: it covers the container host, its network traffic, and its management stack, as well as monitoring the integrity of the build pipeline, your application security, and its foundation layers within the container.

The 6 container security tools below cover most of these aspects:


Clair is a comprehensive auditing tool based on multiple CVE databases that analyzes container vulnerabilities statically. It identifies security vulnerabilities by indexing a list of features within a container image and then querying the database for vulnerabilities connected to that image.


Anchore is another container security tool based on CVE data. It enables Docker container image inspection and analysis with the use of custom policies.
The tool can run as stand-alone or on platforms such as Kubernetes, including Jenkins integration for CI/CD.

Scanning an image provides a list of vulnerabilities, risk levels etc.


Grafeas is a container security tool, created by IBM & Google and based on a component metadata API, that allows for the creation of container security scanning projects.

Grafeas can enforce security policies on Kubernetes clusters that use Grafeas metadata.

Sysdig Falco

Falco is a Kubernetes security auditing tool by Sysdig that monitors containers, hosts, and network activities. It is used for continuous infrastructure checks and anomaly detection.

OpenSCAP Workbench

OpenSCAP is a cluster of multiple tools that affords organizations efficient development of security content.
OpenSCAP is proud of its ability to reduce the costs of performing security audits.



Kube-hunter is an open source tool for pen-testing both your cluster and its nodes, or, as described on its own GitHub page, kube-hunter "hunts for security weaknesses in Kubernetes clusters". It allows you to attack your Kubernetes environment in order to identify blind spots and gaps before someone else does.



The kube-bench security tool checks the Kubernetes cluster's deployment, making sure it follows security best practices as the Center for Internet Security defines them in the CIS Kubernetes Benchmark. One can run kube-bench within a pod. The tests highlight areas of the Kubernetes environment that do not comply with CIS benchmarks, along with optional solutions to resolve them.


Kubeaudit by Shopify audits Kubernetes clusters by comparing them to security tests known as "auditors". The tests check all kinds of parameters, including the pods' security context and clusters' misconfigurations.
Like kube-bench mentioned above, this Kubernetes security tool not only identifies vulnerabilities in Kubernetes clusters but also offers recommended solutions to solve each and every one of them.






About Lightspin

Lightspin’s context-based cloud security empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit https://www.lightspin.io/