Container security best practices: Comprehensive guide

This page summarizes the projects mentioned and recommended in the original post on dev.to.

  1. SonarQube

    Continuous Inspection

    For application code, there are different SAST (Static Application Security Testing) tools like SonarQube, which provides vulnerability scanners for different languages, and gosec, which analyzes Go code and detects issues based on rules, linters, etc.

  3. checkov

    Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

    If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.

  4. gosec

    Go security checker

    For application code, there are different SAST (Static Application Security Testing) tools like SonarQube, which provides vulnerability scanners for different languages, and gosec, which analyzes Go code and detects issues based on rules, linters, etc.

  5. kubestriker

    A Blazing fast Security Auditing tool for Kubernetes

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  6. connaisseur

    An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

    We already mentioned Connaisseur Admission Controller as a way to enforce content trust and reject images that are not signed by trusted sources.

  7. falco

    Cloud Native Runtime Security

    Falco is capable of monitoring the executed system calls and generating alerts for suspicious activity. It includes a community-contributed library of rules, and you can create your own by using a simple syntax. Kubernetes audit log is also supported.

  8. linux-bench

    Checks whether a Linux server is configured according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  10. cloud-custodian

    Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  11. docker-bench-security

    The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  12. kube-bench

    Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  13. kube-hunter

    Hunt for security weaknesses in Kubernetes clusters

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  14. OSQuery

    SQL powered operating system instrumentation, monitoring, and analytics.

    Other tools you can use are linux-bench, docker-bench, kube-bench, kube-hunter, kube-striker, Cloud Custodian, OVAL, and OS Query.

  15. tfsec

    Tfsec is now part of Trivy

    If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.

  16. cfn_nag

    Linting tool for CloudFormation templates

    If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.

  17. gatekeeper

    🐊 Gatekeeper - Policy Controller for Kubernetes

    Gatekeeper provides a powerful language that can be used to define flexible rules to accept or reject containers based on the pod specification (e.g., enforce annotations, detect privileged pods, or detect use of host paths) and the state of the cluster (e.g., require all ingress hosts to be unique within the cluster).

  18. gatekeeper-library

    📚 The OPA Gatekeeper policy library

    Many more examples are available in the OPA Gatekeeper library project!

  19. enhancements

    Enhancements tracking repo for Kubernetes

    Effective user: Don’t run the container as root. Even better, use randomized UIDs (like Openshift) that don’t map to real users in the host, or use the user namespace feature in Docker and in Kubernetes when ready (not available at time of publish).

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
