Whether paid or free, the web is full of container security tools that help developers and organizations maintain a secure environment. This blog post focuses on open source Kubernetes and container security tools, as we believe some free tools deliver no less than their commercial equivalents.
What is a container security tool?
Container security tools ensure that everything in your container is running as you programmed it to. Securing containers is a continuous process: it covers the container host, its network traffic, and its management stack, and it also means monitoring the integrity of the build pipeline, your application's security, and the foundation layers your application sits on inside the container.
The 6 container security tools below cover most of these aspects:
Clair is a comprehensive auditing tool, based on multiple CVE databases, that analyzes container images statically for vulnerabilities. Vulnerabilities are identified by indexing the list of features (such as installed packages) found in a container image and then querying the database for vulnerabilities that affect those features.
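As an added illustration of the index-then-query approach described above (this is not Clair's own code), the following Python toy scanner extracts package features from a constructed dpkg-style status listing and matches them against a constructed vulnerability table with placeholder identifiers; it compares versions numerically so that 1.2.11 is correctly treated as newer than 1.2.9, which a plain string comparison gets wrong:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Feature:          # one indexed package from an image layer
    name: str
    version: str

@dataclass(frozen=True)
class Vuln:             # one entry from a (constructed) vulnerability database
    ident: str          # placeholder id, not a real CVE number
    package: str
    fixed_in: str       # first version that carries the fix
    severity: str

def version_key(v: str) -> tuple:
    # "1.2.11-3" -> ((0,1),(0,2),(0,11),(0,3)); numeric tokens compare as ints,
    # so "1.2.11" sorts after "1.2.9" (a plain string compare gets this wrong).
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in v.replace("-", ".").split("."))

def index_features(dpkg_status: str) -> list[Feature]:
    # Walk a dpkg status-style listing and pair each Package: with its Version:.
    features, name = [], None
    for line in dpkg_status.splitlines():
        if line.startswith("Package:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Version:") and name:
            features.append(Feature(name, line.split(":", 1)[1].strip()))
            name = None
    return features

def query_vulns(features: list[Feature], db: list[Vuln]) -> list[tuple]:
    # Report (package, installed, id, severity) wherever installed < fixed_in.
    by_pkg: dict[str, list[Vuln]] = {}
    for v in db:
        by_pkg.setdefault(v.package, []).append(v)
    return [(f.name, f.version, v.ident, v.severity)
            for f in features for v in by_pkg.get(f.name, [])
            if version_key(f.version) < version_key(v.fixed_in)]

# Constructed sample input: a three-package image layer and a tiny database.
SAMPLE_STATUS = "Package: openssl\nVersion: 1.1.1\nPackage: curl\nVersion: 7.64.0\nPackage: zlib\nVersion: 1.2.11\n"
SAMPLE_DB = [
    Vuln("VULN-0001", "openssl", "1.1.2", "High"),    # installed 1.1.1 is older: affected
    Vuln("VULN-0002", "curl", "7.64.0", "Medium"),    # installed equals fix: not affected
    Vuln("VULN-0003", "zlib", "1.2.9", "Low"),        # installed 1.2.11 is newer: not affected
]

def scan(status: str = SAMPLE_STATUS, db: list[Vuln] = SAMPLE_DB) -> list[tuple]:
    return query_vulns(index_features(status), db)
```

Running `scan()` on the sample data reports only the openssl finding; the curl and zlib entries are correctly skipped.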
Anchore is another container security tool based on CVE data. It enables Docker container image inspection and analysis with the use of custom policies.
The tool can run as stand-alone or on platforms such as Kubernetes, including Jenkins integration for CI/CD.
Scanning an image produces a list of vulnerabilities, their risk levels, and related details.
Grafeas is a container security tool built around a component metadata API, created by IBM and Google, that serves as the basis for container security scanning projects.
Grafeas can enforce security policies on Kubernetes clusters that use Grafeas metadata.
Falco is a Kubernetes security auditing tool by Sysdig that monitors containers, hosts, and network activity. It is used for continuous infrastructure checks and anomaly detection.
OpenSCAP is a suite of tools that lets organizations develop security content efficiently.
OpenSCAP also aims to reduce the cost of performing security audits.
Kube-hunter is an open source tool for pen-testing both your cluster and its nodes, or, as described on its own GitHub page, kube-hunter "hunts for security weaknesses in Kubernetes clusters". It allows you to attack your own Kubernetes environment in order to identify blind spots and gaps before someone else does.
Want to share your own favorite open source container security tools?
Contact us.