Containerised Workloads

Vulnerabilities in applications and in the open-source software running under container runtimes such as Docker, rkt (originally called Rocket) and containerd are often overlooked by developers and IT staff, because the image is treated as a finished artefact rather than as a stack of packages that needs patching like any other host. Securing a containerised workload means covering several layers:

  • The container image

  • Software in the container

  • The host OS

  • Interaction between the container and the host OS

  • Security in runtime environment and orchestration platforms like Kubernetes

A number of open-source tools cover these layers. The first three scan images and the software inside them; the remaining three assess the cluster and what runs in it:

  • Anchore's Grype: Open-source vulnerability scanner for container images and filesystems; matches installed OS packages and language dependencies against vulnerability databases.

  • Clair: Open-source static analysis of vulnerabilities in container images, typically run as a service alongside a registry.

  • Dagda: Open-source static analysis of Docker images for known vulnerabilities in the installed packages; also uses ClamAV to detect malware inside the image.

  • kube-bench: Open-source tool that checks a Kubernetes cluster's configuration against the CIS Kubernetes Benchmark.

  • kube-hunter: Open-source tool that hunts for security weaknesses in Kubernetes clusters from an attacker's viewpoint, run remotely, from inside the network or from a pod.

  • Falco: Runtime threat detection engine for Kubernetes and container hosts, alerting on suspicious system-call activity such as a shell spawned inside a container.
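Scanning is only useful if a bad result stops the build. As an added example (not code from the original page or from any of the projects listed), here is a Python CI gate that reads the JSON an image scanner such as Grype emits (`grype <image> -o json > report.json`) and fails the job when a finding meets a severity threshold, with an allow-list for accepted findings and an option to block only on findings that already have a fix. The report layout assumed is Grype's `matches[].vulnerability` / `matches[].artifact` structure; the embedded report, its CVE identifiers, package names and versions are constructed for the example and are not real findings.

```python
"""CI gate over a Grype-style JSON report: exit non-zero when a finding at or
above a severity threshold is present (optionally only if a fix exists)."""
import json
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Severity names as Grype reports them, ranked from least to most severe.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the shape of `grype <image> -o json` output. Only the
# fields this gate reads are present; the CVE ids and packages are made up.
SAMPLE_REPORT = """{
  "matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "2.0.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "busybox", "version": "1.35.0", "type": "apk"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"versions": ["4.1"], "state": "fixed"}},
     "artifact": {"name": "requests", "version": "2.25.0", "type": "python"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                       "fix": {"versions": ["1.1.1u"], "state": "fixed"}},
     "artifact": {"name": "openssl", "version": "1.1.1t", "type": "deb"}}
  ]
}"""


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    package: str
    version: str
    fixed_in: Tuple[str, ...]   # empty when the scanner knows of no fix


def parse_report(report_json: str) -> List[Finding]:
    """Flatten the scanner's match list into Finding records."""
    data = json.loads(report_json)
    findings = []
    for match in data.get("matches", []):
        vuln, art = match["vulnerability"], match["artifact"]
        findings.append(Finding(
            vuln_id=vuln["id"],
            severity=vuln.get("severity", "Unknown"),
            package=art["name"],
            version=art["version"],
            fixed_in=tuple(vuln.get("fix", {}).get("versions", [])),
        ))
    return findings


def blocking_findings(findings: Iterable[Finding], threshold: str = "High",
                      fixed_only: bool = False,
                      accepted: Iterable[str] = ()) -> List[Finding]:
    """Return the findings that should fail the build.

    threshold  - lowest severity that blocks (inclusive)
    fixed_only - ignore findings for which no fixed version is known
    accepted   - vulnerability ids already risk-accepted by the team
    """
    floor = SEVERITY_RANK[threshold]
    accepted = set(accepted)
    blocking = []
    for f in findings:
        if f.vuln_id in accepted:
            continue
        if SEVERITY_RANK.get(f.severity, 0) < floor:   # unknown severity never blocks
            continue
        if fixed_only and not f.fixed_in:
            continue
        blocking.append(f)
    return blocking


def gate(report_json: str, threshold: str = "High", fixed_only: bool = False,
         accepted: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Evaluate a report; returns (passed, human-readable lines for the log)."""
    blocking = blocking_findings(parse_report(report_json), threshold, fixed_only, accepted)
    lines = []
    for f in blocking:
        fix = f" (fixed in {', '.join(f.fixed_in)})" if f.fixed_in else " (no fix available)"
        lines.append(f"{f.vuln_id} {f.severity} {f.package}@{f.version}{fix}")
    return len(blocking) == 0, lines


if __name__ == "__main__":
    # Read a real report from argv[1] if given, else evaluate the constructed sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, log = gate(report, threshold="High", fixed_only=True, accepted={"CVE-0000-0004"})
    print("\n".join(log) or "no blocking findings")
    sys.exit(0 if passed else 1)
```

For the plain case Grype's own `--fail-on <severity>` flag does the same job; a gate like this earns its keep once you need an accepted-risk list, want to block only on findings that can actually be fixed, or want the same policy applied to reports from more than one scanner.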
