Kubernetes / Container Security Tools You Must be Aware Of

Whether paid or free, the web is full of container security tools allowing developers and organizations to maintain a secure environment. This blog post will focus on Kubernetes / container open source security tools as we believe some free tools deliver no less than their commercial equivalents.

What is a container security tool?

Container security tools ensure that everything in your container is running as you programmed it to. Securing containers is a continuous process: it covers the container host, its network traffic, and its management stack, but also monitoring the integrity of the build pipeline, your application's security, and its foundation layers within the container.

The 6 container security tools below cover most of these aspects:

Clair

Clair is a comprehensive auditing tool based on multiple CVE databases that analyzes container vulnerabilities statically. Vulnerabilities are identified by indexing the list of features within a container image and then querying the databases for vulnerabilities connected to that image.

Anchore

Anchore is another container security tool based on CVE data. It enables inspection and analysis of Docker container images against custom policies.
The tool can run standalone or on platforms such as Kubernetes, and it integrates with Jenkins for CI/CD.

Scanning an image produces a list of vulnerabilities, their risk levels, etc.

Grafeas

Grafeas is a container security tool built around a component metadata API, created by IBM & Google, that allows for the creation of container security scanning projects.

Grafeas can enforce security policies on Kubernetes clusters that use Grafeas metadata.

Sysdig Falco

Falco is a Kubernetes security auditing tool by Sysdig that monitors container, host, and network activity. It is used for continuous infrastructure checks and anomaly detection.

OpenSCAP Workbench

OpenSCAP is a collection of tools that helps organizations develop security content efficiently.
OpenSCAP prides itself on its ability to reduce the cost of performing security audits.

Kube-hunter

Kube-hunter is an open source tool for pen-testing both your cluster and its nodes, or, as described on its own GitHub page, kube-hunter "hunts for security weaknesses in Kubernetes clusters". It lets you attack your Kubernetes environment in order to identify blind spots and gaps before someone else does.

Want to share your own favorite open source container security tools?
Contact us

-----------------------------------

About Lightspin

Lightspin’s next-gen cloud security posture management (CSPM) solution uses contextual cloud security to protect cloud and Kubernetes environments from build to runtime, and simplifies cloud security for security and DevOps teams. Using patent-pending advanced graph-based technology, Lightspin empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit https://www.lightspin.io/, or see the Lightspin video