For container security, you'll find plenty of open-source tools that can help prevent another debacle like the one at Tesla, which suffered a Kubernetes cluster breach. But container security is still tricky, so you need to know which utilities to add to your arsenal.

If you've spent the time to choose the best application security testing tool and to ensure that your application is as secure a possible, you don't want to have it run on an insecure container. Fortunately, there are commercial container security products out there, but open-source projects can also take you pretty far. Many focus on auditing, tracking Common Vulnerabilities and Exposures (CVE) databases and benchmarks established by CIS, the National Vulnerability Database, and other bodies. Tools then scan the container image, reveal its contents, and compare the contents against these manifests of known vulnerabilities.

Automating container auditing, as well as using other container security processes, can be a huge boon for enterprises by helping teams catch problems early in the build pipeline.

While there are plenty of open-source container security tools out there, here are the best, most mature ones with the largest user communities.

1. Docker Bench for Security

A script to audit Docker containers against security benchmarks

Geared toward developers who manage containers with the Docker community edition, Docker Bench for Security is Docker's open-source script for auditing containers against common security best practices.

Docker Bench bases its tests on the industry-standard CIS benchmarks, helping automate the tedious process of manual vulnerability testing.

Docker's security lead, Diogo Mónica, describes it as a "container that tests containers." You can initiate the container as follows:

docker run -it --net host --pid host --userns host --cap-add audit_control \ -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker_bench_security \ docker/docker-bench-security

The results spit out Info, Warning, and Pass logs for each security configuration benchmark. You can also run this utility from the Docker host, clone it through Docker Compose, or run it straight from your base host.

One drawback is a lack of machine readability in output results. Many community packages, such as Docker Bench Test, drydock, and Actuary, improve upon Docker Bench.

2. Clair

An API-driven static container security analysis with a huge CVE database

Clair, built by CoreOS, performs static analysis of container vulnerabilities. It's also used in Quay.io, a public container registry alternative to Docker Hub.

Clair ingests many vulnerability data sources, such as Debian Security Bug Tracker, Ubuntu CVE Tracker, and Red Hat Security Data. Since Clair consumes so many CVE databases, its auditing is comprehensive.

Clair first indexes a list of features within a container image. Then, using the Clair API, developers can query the database for vulnerabilities related to a particular image.

To get started with Clair, see the Running Clair guide. It's easy to deploy it to a Kubernetes cluster:

git clone https://github.com/coreos/clair cd clair/contrib/helm cp clair/values.yaml ~/my_custom_values.yaml vi ~/my_custom_values.yaml helm dependency update clair helm install clair -f ~/my_custom_values.yaml

Clair's feature set is flexible. It lets you add your own drivers for additional behaviors. Also, making separate API calls to audit specific container images is a sleek, machine-driven alternative to scouring through massive report logs.

3. Cilium

API-aware networking and security at the kernel layer

Cilium is all about securing network connectivity. Compatible with Linux container platforms such as Docker and Kubernetes, Cilium adds security visibility and control logic.

It's powered by BPF (formerly known as Berkeley packet filter), a Linux kernel technology. The interesting aspect of its low-level implementation is that you can apply and update Cilium security policies without changing the application code or container configuration.

CoreOS developed Cilium in response to the volatile lifecycles of modern microservices development and quick container deployment. Integrating it with Kubernetes is straightforward; here's how to deploy Cilium with local changes:

$ kubectl create -f ./cilium.yaml clusterrole "cilium" created serviceaccount "cilium" created clusterrolebinding "cilium" created configmap "cilium-config" created secret "cilium-etcd-secrets" created daemonset "cilium" created $ kubectl get ds --namespace kube-system NAME DESIRED CURRENT READY NODE-SELECTOR AGE cilium 1 1 1 <none> 2m

The support and community around Cilium is fantastic. You'll find extensive guides and documentation, a dedicated Slack channel, and even a weekly Hangout with the project maintainer.

4. Anchore

A tool for inspecting container security using CVE data and user-defined policies

Anchore Engine is a tool for analyzing container images. In addition to CVE-based security vulnerability reporting, Anchore Engine can evaluate Docker images using custom policies.

Policies result in a Pass or Fail outcome. Policies are based on whitelists or blacklists, credentials, file contents, configuration types, or other user-generated cues.

Packaged as a Docker container image, Anchore can run standalone or on an orchestration platform such as Kubernetes. It also has Jenkins and GitLab integrations for CI/CD.

The Anchore command-line interface (CLI) is an easy way to manipulate the Anchore Engine. For example, this CLI command returns detailed information about the content of an image:

anchore-cli image content INPUT_IMAGE CONTENT_TYPE

And this example command will perform a vulnerability scan on an image:

anchore-cli image vuln docker.io/library/debian:latest os

Anchore outputs a list of vulnerability details, threat levels, CVE identifiers, and other pertinent information. Because user-defined rules are created using the Anchore Cloud Service graphical user interface (GUI), it operates like SaaS.

5. OpenSCAP Workbench

An environment for creating and maintaining security policies for various platforms

OpenSCAP is an ecosystem for IT admins and security auditors that includes many open security benchmark guides, configuration baselines, and open-source tools.

Those operating on Fedora, Red Hat Enterprise Linux, CentOS, or Scientific Linux can install the OpenSCAP Workbench as a GUI to run scans on virtual machines, containers, and images. You install OpenSCAP Workbench with this command:

# yum install scap-workbench

To verify containers against SCAP policy guides and CVEs, use the oscap-docker utility that ships with OpenSCAP.

OpenSCAP is centered on the NIST-certified Security Content Automation Protocol (SCAP), and provides many machine-readable security policies. The OpenSCAP Security Guide states that the project's goal is to "allow multiple organizations to efficiently develop security content by avoiding redundancy."

Because OpenSCAP is more broad-based than others on this list, it's a good choice for teams looking to create security policies for an entire platform.

6. Dagda

A tool for scanning for vulnerabilities, Trojans, viruses, and malware in Docker containers

Dagda is another tool for static analysis of container security. Its CVE sources include the OWASP dependency check, Red Hat Oval, and the Offensive Security exploit database.

To use Dagda to scan a Docker container, you first populate a Mongo database with vulnerability data. Perform this command to analyze a single Docker image:

python3 dagda.py check --docker_image jboss/wildfly

You can run it remotely, or continually call it to monitor active Docker containers. The output displays the number of vulnerabilities, severity level, and other details to aid remediation.

One of Dagda's benefits is wide coverage of vulnerability data. That means direct access to a wealth of updated, comprehensive exploit collections. It is also flexible in that you can control it by way of both a CLI and REST API.

7. Notary

A framework for boosting container security with a server for cryptographically delegating responsibility

Notary is the de facto Docker image signing framework, now open-sourced for other implementations. Docker developed it, then donated it to the Cloud Native Computing Foundation in 2017.

Notary is all about responsibility separation; using Notary, developers can delegate roles and define responsibilities among containers. The package provides a server and client to provide a cryptographically secure method of publishing and verifying content.

To deploy Notary locally, get started by cloning the repo. Next, use Docker Compose to deploy a local configuration:

$ docker-compose build $ docker-compose up -d $ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary

Relying on The Update Framework and the Go language as dependencies, Notary can verify the cryptographic integrity of a container application image.

8. Grafaes

A metadata API to to help govern internal security policies

Grafaes can greatly help you create your own container security scanning projects. Announced in late 2017, this container security tool was developed by IBM and Google.

Developers can use use Grafaes, described as a "component metadata API," to define metadata for virtual machines and containers. IBM’s Vulnerability Advisor is also integrated into the project.

For a solid case study, see how Shopify uses Grafaes to manage metadata for 500,000 container images. In tandem with Kritis, the team enforces security policies on Kubernetes clusters that use Grafeas metadata.

Being able to quickly source container metadata helps speed remediation attempts, thus decreasing the window from exploit to resolution. Though Grafaes is open-source, it's maintained by large software providers—a benefit for long-term support.

9. Sysdig Falco

Offers behavioral activity monitoring with deep container visibility

Falco is a Kubernetes-aware security auditing tool, developed by Sysdig, that emphasizes behavioral monitoring for containers, hosts, and network activities. Using Falco, developers can set up continuous checks on their infrastructure, detect anomalies, and set up alerts for any type of Linux system calls.

Falco documentation recommends that users run Falco as a Docker container. It can be installed using these commands. When implemented, a standard output Falco alert looks like this:

stdout_output: enabled: true 10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program

Use Falco to monitor when a shell runs in a container, where a container has been mounted, unexpected reads of sensitive files, outbound network attempts, or other suspicious calls. Sysdig provides further container troubleshooting materials here.

10. Banyanops Collector

Framework for static analysis of Docker container images

Supported by Banyanops, Collector is an open-source utility that can be used to "peek" inside Docker container image files. Using Collector, developers can collect container data, enforce security policies, and more.

To get started, Banyanops can be run on a private registry or as a container on Docker Hub. Banyanops also provides SaaS products that offer deeper data analysis, so beware an up-sell if you encounter limited functionality.

Honorable open-source mentions

Dockscan: A security vulnerability scanner with a low number of commits

Batten: An auditing toolkit similar to Docker Bench, but with inactive support

BlackDuck Docker security: A container image security scanning tool built as a web service. Unfortunately, production use is not advised in its current form

Inspec: An auditing and testing framework with Docker container testing capabilities

Your mileage may vary

Because containerization has evolved into a popular deployment style, the need to augment these containers with proper security controls is paramount. Thankfully, you'll find a strong ecosystem of open-source security solutions that have been custom-built for many different environments.

The overall strength of these tools relies on the depth of the inspection performed. Effectiveness also depends on the CVE databases and benchmarks themselves continuing to update data with new exploits and to issue new best practices. Thankfully, efforts are being made to decrease the time between a zero-day exploit and the container vulnerability detection.

Developers will also gravitate to those tools with a better experience, which will reduce noise and duplication in log results. That kind of granular preference can only be determined through trial and error, depending on your build routines and personal preferences.

Image source: Anthony Easton/Flickr

Keep learning