For container security, you'll find plenty of open-source tools that can help prevent another debacle like the one at Tesla, which suffered a Kubernetes cluster breach. But container security is still tricky, so you need to know which utilities to add to your arsenal.
Sure, there are commercial container security products out there, but open-source projects can take you pretty far. Many focus on auditing, tracking Common Vulnerabilities and Exposures (CVE) databases and benchmarks established by CIS, the National Vulnerability Database, and other bodies. Tools then scan the container image, reveal its contents, and compare the contents against these manifests of known vulnerabilities.
Automating container auditing, as well as using other container security processes, can be a huge boon for enterprises by helping teams catch problems early in the build pipeline.
While there are plenty of open-source container security tools out there, here are the best, most mature ones with the largest user communities.
1. Docker Bench for Security
A script to audit Docker containers against security benchmarks
Geared toward developers who manage containers with the Docker community edition, Docker Bench for Security is Docker's open-source script for auditing containers against common security best practices.
Docker Bench bases its tests on the industry-standard CIS benchmarks, helping automate the tedious process of manual vulnerability testing.
docker run -it --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /var/lib:/var/lib \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/lib/systemd:/usr/lib/systemd \
  -v /etc:/etc --label docker_bench_security \
  docker/docker-bench-security
The results are Info, Warning, and Pass entries for each security configuration benchmark. You can also run this utility from the Docker host, bring it up through Docker Compose, or run the script straight from your base host.
2. Clair
An API-driven static container security analysis with a huge CVE database
Clair ingests many vulnerability data sources, such as Debian Security Bug Tracker, Ubuntu CVE Tracker, and Red Hat Security Data. Since Clair consumes so many CVE databases, its auditing is comprehensive.
Clair first indexes a list of features within a container image. Then, using the Clair API, developers can query the database for vulnerabilities related to a particular image.
To get started with Clair, see the Running Clair guide. It's easy to deploy it to a Kubernetes cluster:
git clone https://github.com/coreos/clair
cd clair/contrib/helm
cp clair/values.yaml ~/my_custom_values.yaml
vi ~/my_custom_values.yaml
helm dependency update clair
helm install clair -f ~/my_custom_values.yaml
Clair's feature set is flexible. It lets you add your own drivers for additional behaviors. Also, making separate API calls to audit specific container images is a sleek, machine-driven alternative to scouring through massive report logs.
3. Cilium
API-aware networking and security at the kernel layer
Cilium is all about securing network connectivity. Compatible with Linux container platforms such as Docker and Kubernetes, Cilium adds security visibility and control logic.
It's powered by BPF (Berkeley Packet Filter), a Linux kernel technology. The interesting aspect of this low-level implementation is that you can apply and update Cilium security policies without changing the application code or the container configuration.
CoreOS developed Cilium in response to the volatile lifecycles of modern microservices development and quick container deployment. Integrating it with Kubernetes is straightforward; here's how to deploy Cilium with local changes:
$ kubectl create -f ./cilium.yaml
clusterrole "cilium" created
serviceaccount "cilium" created
clusterrolebinding "cilium" created
configmap "cilium-config" created
secret "cilium-etcd-secrets" created
daemonset "cilium" created
$ kubectl get ds --namespace kube-system
NAME      DESIRED   CURRENT   READY     NODE-SELECTOR   AGE
cilium    1         1         1         <none>          2m
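As an added example (not from the article or the Cilium project), here is a CiliumNetworkPolicy that expresses the kind of API-aware rule the text describes: only pods labelled app=frontend may reach the app=api pods, and only with HTTP GET requests on /v1/ paths. The policy name, namespace, labels, port and path are assumptions.

```yaml
# Added example: an L7-aware Cilium policy (assumed names and labels).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-get
  namespace: default
spec:
  # The policy applies to pods carrying this label.
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  # Only the frontend may talk to the API at all.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # L7 inspection: the proxy allows GET /v1/... and drops everything else,
      # e.g. a DELETE or a request to /admin from the same frontend pod.
      rules:
        http:
        - method: GET
          path: "/v1/.*"
```

Once any policy selects an endpoint, ingress traffic that no rule matches is dropped, so verify other legitimate callers (health checks, metrics scrapers) before rolling it out.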
4. Anchore
A tool for inspecting container security using CVE data and user-defined policies
Anchore evaluates container images against policies that produce a Pass or Fail outcome. Policies are based on whitelists or blacklists, credentials, file contents, configuration types, or other user-defined cues.
Packaged as a Docker container image, Anchore can run standalone or on an orchestration platform such as Kubernetes. It also has Jenkins and GitLab integrations for CI/CD.
The Anchore command-line interface (CLI) is an easy way to manipulate the Anchore Engine. For example, this CLI command returns detailed information about the content of an image:
anchore-cli image content INPUT_IMAGE CONTENT_TYPE
And this example command will perform a vulnerability scan on an image:
anchore-cli image vuln docker.io/library/debian:latest os
Anchore outputs a list of vulnerability details, threat levels, CVE identifiers, and other pertinent information. Because user-defined rules are created using the Anchore Cloud Service graphical user interface (GUI), it operates like SaaS.
5. OpenSCAP Workbench
An environment for creating and maintaining security policies for various platforms
OpenSCAP is an ecosystem for IT admins and security auditors that includes many open security benchmark guides, configuration baselines, and open-source tools.
Those operating on Fedora, Red Hat Enterprise Linux, CentOS, or Scientific Linux can install the OpenSCAP Workbench as a GUI to run scans on virtual machines, containers, and images. You install OpenSCAP Workbench with this command:
# yum install scap-workbench
To verify containers against SCAP policy guides and CVEs, use the oscap-docker utility that ships with OpenSCAP.
OpenSCAP is centered on the NIST-certified Security Content Automation Protocol (SCAP), and provides many machine-readable security policies. The OpenSCAP Security Guide states that the project's goal is to "allow multiple organizations to efficiently develop security content by avoiding redundancy."
Because OpenSCAP is more broad-based than others on this list, it's a good choice for teams looking to create security policies for an entire platform.
6. Dagda
A tool for scanning for vulnerabilities, Trojans, viruses, and malware in Docker containers
To use Dagda to scan a Docker container, you first populate a Mongo database with vulnerability data. Run this command to analyze a single Docker image:
python3 dagda.py check --docker_image jboss/wildfly
You can run it remotely, or continually call it to monitor active Docker containers. The output displays the number of vulnerabilities, severity level, and other details to aid remediation.
One of Dagda's benefits is wide coverage of vulnerability data. That means direct access to a wealth of updated, comprehensive exploit collections. It is also flexible in that you can control it by way of both a CLI and REST API.
7. Notary
A framework for boosting container security with a server for cryptographically delegating responsibility
Notary is all about responsibility separation; using Notary, developers can delegate roles and define responsibilities among containers. The package provides a server and client to provide a cryptographically secure method of publishing and verifying content.
$ docker-compose build
$ docker-compose up -d
$ mkdir -p ~/.notary && cp cmd/notary/config.json cmd/notary/root-ca.crt ~/.notary
Relying on The Update Framework and the Go language as dependencies, Notary can verify the cryptographic integrity of a container application image.
8. Grafeas
A metadata API to help govern internal security policies
For a solid case study, see how Shopify uses Grafeas to manage metadata for 500,000 container images. In tandem with Kritis, the team enforces security policies on Kubernetes clusters that use Grafeas metadata.
Being able to quickly source container metadata helps speed remediation attempts, thus decreasing the window from exploit to resolution. Though Grafeas is open-source, it's maintained by large software providers, a benefit for long-term support.
9. Sysdig Falco
Offers behavioral activity monitoring with deep container visibility
Falco is a Kubernetes-aware security auditing tool, developed by Sysdig, that emphasizes behavioral monitoring for containers, hosts, and network activity. Using Falco, developers can set up continuous checks on their infrastructure, detect anomalies, and raise alerts on Linux system calls.
With stdout output enabled in falco.yaml, alerts look like this:
stdout_output:
  enabled: true

10:20:05.408091526: Warning Sensitive file opened for reading by non-trusted program
Use Falco to monitor when a shell runs in a container, where a container has been mounted, unexpected reads of sensitive files, outbound network attempts, or other suspicious calls. Sysdig provides further container troubleshooting materials here.
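As an added example (not from the article or Sysdig's default rule set), a small Falco rules file that implements two of the checks listed above: a shell spawned inside a container and a read of a sensitive file from a container. The list of files, the macro and rule names, and the priorities are assumptions.

```yaml
# Added example: Falco rules for two container behaviours (assumed names).
- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers, /root/.ssh/id_rsa]

# A container.id of "host" means the event happened on the host itself.
- macro: container
  condition: container.id != host

# Match the completion (exit side) of an execve, i.e. a new program running.
- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- rule: Shell spawned in container
  desc: A shell started inside a container, which a production image rarely needs
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash)
  output: >
    Shell started in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

- rule: Sensitive file read in container
  desc: A process inside a container opened a credential or policy file for reading
  condition: >
    container and evt.type in (open, openat) and evt.is_open_read = true
    and fd.name in (sensitive_files)
  output: >
    Sensitive file opened for reading (user=%user.name file=%fd.name
    container=%container.name image=%container.image.repository
    proc=%proc.name parent=%proc.pname)
  priority: WARNING
  tags: [container, filesystem]
```

Load the file with falco -r <path> (or drop it into the rules directory) and expect some tuning: legitimate entrypoints that run through sh will trip the first rule until you add their images as exceptions.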
10. Banyanops Collector
Framework for static analysis of Docker container images
Supported by Banyanops, Collector is an open-source utility that can be used to "peek" inside Docker container image files. Using Collector, developers can collect container data, enforce security policies, and more.
To get started, Banyanops can be run on a private registry or as a container on Docker Hub. Banyanops also provides SaaS products that offer deeper data analysis, so beware an up-sell if you encounter limited functionality.
Honorable open-source mentions
- Dockscan: A security vulnerability scanner with a low number of commits
- Batten: An auditing toolkit similar to Docker Bench, but with inactive support
- BlackDuck Docker security: A container image security scanning tool built as a web service. Unfortunately, production use is not advised in its current form
- Inspec: An auditing and testing framework with Docker container testing capabilities
Your mileage may vary
Because containerization has evolved into a popular deployment style, the need to augment these containers with proper security controls is paramount. Thankfully, you'll find a strong ecosystem of open-source security solutions that have been custom-built for many different environments.
The overall strength of these tools relies on the depth of the inspection performed. Effectiveness also depends on the CVE databases and benchmarks themselves continuing to add data on new exploits and to issue new best practices. Thankfully, efforts are being made to decrease the time between a zero-day exploit and its detection in containers.
Developers will also gravitate to those tools with a better experience, which will reduce noise and duplication in log results. That kind of granular preference can only be determined through trial and error, depending on your build routines and personal preferences.
Image source: Anthony Easton/Flickr