Containerised Workloads
Vulnerabilities in applications and in open-source software running under container runtimes such as Docker, Rocket and containerd are often overlooked by developers and IT staff. A containerised workload is made up of several layers, each of which needs to be secured:
The container image
Software in the container
The host OS
Interaction between the container and the host OS
Security of the runtime environment and of orchestration platforms such as Kubernetes
A number of open-source tools cover these layers, from scanning Docker images for known vulnerabilities to assessing and monitoring Kubernetes clusters:
Anchore's Grype: Open-source container vulnerability scanner
Clair: Open-source container vulnerability scanner
Dagda: Open-source static analysis tool which can be used to help detect vulnerabilities in images. Uses ClamAV to detect malware.
kube-bench: Open-source tool to perform security assessment of Kubernetes clusters based on the CIS Kubernetes Benchmark.
kube-hunter: Open-source tool to check security posture of Kubernetes clusters.
Falco: Runtime threat detection engine for Kubernetes.
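Scanner output is only useful if a pipeline acts on it. The following Python gate is an added example, not code from this page or from any of the projects listed above: it consumes a report in the shape of Grype's JSON output (an assumed, simplified layout with a top-level "matches" array), counts findings per severity, and fails the build when anything at or above a chosen severity is present, optionally ignoring findings that have no upstream fix yet. The sample report is constructed and its CVE identifiers are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the (assumed, simplified) shape of a Grype JSON report.
# The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "openssl-demo", "version": "3.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"state": "fixed", "versions": ["2.0.1"]}},
         "artifact": {"name": "zlib-demo", "version": "2.0.0"}},
    ]
})

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def evaluate_report(report_json, fail_on="High", fixable_only=False):
    """Return (passed, counts_per_severity, blocking_findings).

    fail_on:      lowest severity that blocks the build.
    fixable_only: when True, findings with no available fix are still counted
                  but never block, so builds are not stuck on issues that
                  cannot yet be remediated by upgrading a package.
    """
    threshold = SEVERITY_RANK[fail_on]
    counts = Counter()
    blocking = []
    for match in json.loads(report_json).get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        sev = vuln.get("severity", "Unknown")
        counts[sev] += 1
        fixable = vuln.get("fix", {}).get("state") == "fixed"
        if SEVERITY_RANK.get(sev, -1) < threshold:
            continue  # below the policy threshold: report only
        if fixable_only and not fixable:
            continue  # nothing to upgrade to yet: report only
        blocking.append((vuln["id"], art["name"], art["version"], sev, fixable))
    return (not blocking), counts, blocking

if __name__ == "__main__":
    ok, counts, blocking = evaluate_report(SAMPLE_REPORT, fail_on="High")
    print("severity counts:", dict(counts))
    for finding in blocking:
        print("BLOCKING:", finding)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```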