20 Docker Security Tools Compared, Part 1


In this two-part series, we take a look at the best tools out there to help you secure your Docker environments and make sure no bad actors get into your container.



We strive to provide the most complete and up-to-date list of Docker security tools. We are keeping the number "20" in the title, but the list has 22 items at this moment... and growing.

There are quite a few Docker security tools in the ecosystem. How do they compare? This is a comprehensive list of Docker security tools that can help you implement container security best practices.

Is Docker insecure? Not at all. Features like process isolation with user namespaces, resource encapsulation with cgroups, immutable images, and shipping only the minimal software and dependencies reduce the attack surface and provide a great deal of protection. But is there anything else we can do? There is much more than image vulnerability scanning, and these are 20 container- and Docker-specific security tools that can help.

Alphabetical Index of Docker Security Tools

Anchore Navigator

Homepage: https://anchore.io/

License: Commercial, some services are free to use.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Anchore Navigator provides a free service for deep inspection of public Docker images. You can also explore their rich repository of already-dissected images for full visibility into their content, build process, and discovered CVEs, together with a link to the complete issue description and known fixes.

Using this tool you can perform a thorough analysis of your own images and subscribe to the images you frequently use for your deployments to receive timely security warnings.


AppArmor

Homepage: http://wiki.apparmor.net

License: Open Source.

Use Cases: Runtime protection, Mandatory Access Control (MAC).

AppArmor lets the administrator assign a security profile to each program on your system: filesystem access, network capabilities, link and execute rules, etc.

It's a Mandatory Access Control (MAC) system, meaning that it will prevent a forbidden action from taking place; it can also report profile violation attempts.

AppArmor is sometimes considered a more accessible and simplified version of SELinux; the two are closely related. You only need to learn the profile language syntax and fire up your favorite editor to start writing your own AppArmor rules.

Docker context: Docker can automatically generate and load a default AppArmor profile for containers named docker-default. You can create specific security profiles for your containers or the applications inside them.
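As an added example (not from the article or the AppArmor project), here is a custom profile for an nginx container together with the steps to load it and attach it with --security-opt instead of docker-default. The profile name docker-nginx-hardened, the image nginx:alpine and the container name web-hardened are assumptions; the deny rules follow the style of Docker's own docker-default profile.

```shell
#!/bin/sh
# Added example, not from the article: write, load and attach a custom
# AppArmor profile for a web container. Profile name, image and container
# name are assumptions chosen for illustration.
set -eu

PROFILE_NAME="docker-nginx-hardened"
PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"

# Print the profile. It starts from the same building blocks as docker-default
# (the global tunables and the "base" abstraction) and then removes what a
# static web server never needs. In AppArmor a deny rule always wins over an
# allow rule, so the broad "file," grant below is carved down by the denies.
profile_text() {
    cat <<EOF
#include <tunables/global>

profile ${PROFILE_NAME} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  file,
  network inet tcp,
  network inet6 tcp,

  # A web server never needs raw sockets, mounts, or to trace other processes.
  deny network raw,
  deny network packet,
  deny mount,
  deny umount,
  deny ptrace,

  # Keep kernel knobs and host secrets out of reach even for root in the container.
  deny /etc/shadow r,
  deny /proc/sys/** w,
  deny /proc/sysrq-trigger rwklx,
  deny /sys/** w,

  # Only the capabilities nginx needs to bind port 80 and switch to its worker user.
  capability chown,
  capability setuid,
  capability setgid,
  capability net_bind_service,
  deny capability sys_admin,
  deny capability sys_module,
  deny capability sys_ptrace,
}
EOF
}

# Load (or reload) the profile into the kernel. Needs root and apparmor_parser.
load_profile() {
    profile_text > "$PROFILE_FILE"
    apparmor_parser -r -W "$PROFILE_FILE"
}

# Start the container confined by the custom profile instead of docker-default.
run_confined() {
    docker run -d --rm --name web-hardened \
        --security-opt "apparmor=${PROFILE_NAME}" \
        -p 8080:80 nginx:alpine
}

# Check which profile the running container actually received.
show_profile() {
    docker inspect --format '{{ .AppArmorProfile }}' web-hardened
}

# Only touch the host when explicitly asked, so the file can be sourced safely.
case "${1:-}" in
    apply) load_profile && run_confined && show_profile ;;
esac
```

Run it as `sh apparmor-web.sh apply` on a host with AppArmor enabled; `show_profile` should print docker-nginx-hardened. Denied actions show up in the kernel log (`dmesg` or `/var/log/audit/audit.log`) as `apparmor="DENIED"` records, which is also the quickest way to find a rule that is too strict for your image.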


Aqua Security

Homepage: https://www.aquasec.com/

License: Commercial.

Use Cases: Pre-production analysis, runtime protection, compliance and audit, etc.

Black Duck Docker Security

Homepage: https://www.blackducksoftware.com

License: Commercial.

Use Cases: Pre-production analysis, vulnerability newsfeed, license/legal assessment.

Black Duck Hub specializes in container inventory and reporting: image inventory, mapping known security vulnerabilities to image indexes, and cross-project risk reports. You can easily pinpoint the specific libraries, software packages, or binaries that are causing the security risk, and the assistant will automatically offer you a list of known fixes.

Unlike similar solutions, Black Duck Hub also analyzes the "License Risk", considering the different software licenses that you are bundling together when deploying your containerized distributed system.


Cilium

Homepage: https://www.cilium.io/

License: Open Source.

Use Cases: HTTP-layer security, network-layer security.

Cilium provides transparent network security between container applications. Based on a new Linux kernel technology called eBPF, it lets you define and enforce both network-layer and HTTP-layer security policies based on container/pod identity rather than on IP addresses.

Cilium leverages BPF to perform core data path filtering, mangling, monitoring, and redirection. These BPF capabilities are available in any Linux kernel version 4.8.0 or newer.
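As an added example (not from the article or the Cilium project), this is the kind of identity-based, HTTP-aware policy the previous paragraphs describe: only pods labelled app=frontend may reach pods labelled app=api, and even then only with GET requests under /v1/public/. The labels, the port and the path are assumptions.

```yaml
# Added example CiliumNetworkPolicy, not taken from the article or from Cilium's docs.
# Labels (app: api, app: frontend), port 8080 and the path prefix are assumptions.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-get-only
spec:
  # Identity of the workload being protected (selected by label, not by IP).
  endpointSelector:
    matchLabels:
      app: api
  ingress:
  # Only endpoints carrying the frontend identity may talk to the API at all...
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      # ...and at layer 7 only read-only calls to the public part of the API.
      # Cilium matches "path" as an anchored regular expression.
      rules:
        http:
        - method: "GET"
          path: "/v1/public/.*"
```

Because the policy selects by identity, it keeps working when pods are rescheduled and change IP, and a POST from the frontend or any request from another label is rejected at the HTTP layer while the TCP connection itself is still allowed through.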


Cavirin

Homepage: https://cavirin.com

License: Commercial.

Use Cases: Runtime protection, pre-production analysis, compliance and audit

Cavirin works with organizations such as CIS to collaboratively develop and maintain security standards that any other tool can benefit from. At present, it has authored the CIS Docker Security Benchmark as well as the CIS Kubernetes Security Benchmark. They have coined the term "DevSecOps" to stress their focus on integrating the security and DevOps/container fields. Apart from the features you can expect in a one-stop DevOps security platform (perhaps comparable to Twistlock or AquaSec in feature set and approach), we can highlight their compliance and audit tooling for security standards like PCI, HIPAA, NIST, or GDPR.

CoreOS Clair


Homepage: https://coreos.com/clair/docs/latest/

License: Open Source.

Use Cases: Pre-production analysis, vulnerability newsfeed.

Clair is an open source project for the static analysis of vulnerabilities in containers (currently supporting AppC and Docker). Clair periodically refreshes its vulnerability database from a set of configured CVE sources, scans the available container images, and indexes the installed software packages. If any insecure software is detected, it can alert or block deployment to production.

Since Clair's image analysis is static, containers never need to actually be executed, so you can detect a security threat before it is running on your systems. Clair is the security engine that the CoreOS Quay registry uses internally.

Docker Capabilities and Resource Quotas

Homepage: https://www.docker.com

License: Open Source.

Use Cases: Runtime protection, resource DoS protection.

We shouldn't forget the basic security measures that come already bundled with our OS and the Docker engine.

Resource abuse and denial of service are an often overlooked but very real security problem in a containerized environment, where vast numbers of software entities compete for the host's resources.

Control groups (cgroups) are a feature of the Linux kernel that lets you limit the access that processes and containers have to system resources such as CPU, RAM, IOPS, and network.

Capabilities let you break down the full set of root permissions into several split permissions; this way you can remove specific capabilities from the root account or grant capabilities to user accounts at a more granular level.
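The two mechanisms just described are both exposed directly on the docker run command line. The following is an added example (not from the article or from Docker's documentation): it starts a web container with every capability dropped except the four nginx needs and with memory, CPU and PID quotas set, and it includes a small audit that reads docker inspect output and flags containers still running with the unconstrained defaults. The image nginx:alpine, the container names, the limit values and the sample inspect output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: minimal capabilities plus cgroup
# quotas at `docker run` time, and an audit of `docker inspect` output for
# containers left at the defaults. Image, names and limits are assumptions.
set -eu

# Drop everything, then add back only what nginx needs: CHOWN/SETUID/SETGID to
# switch to its worker user and NET_BIND_SERVICE to bind port 80. The cgroup
# flags cap memory, CPU time and process count so a misbehaving or compromised
# container cannot starve the host; no-new-privileges blocks setuid escalation.
run_hardened() {
    docker run -d --rm --name web-quota \
        --cap-drop=ALL \
        --cap-add=CHOWN --cap-add=SETUID --cap-add=SETGID \
        --cap-add=NET_BIND_SERVICE \
        --security-opt=no-new-privileges \
        --read-only --tmpfs /var/cache/nginx --tmpfs /var/run \
        --memory=256m --memory-swap=256m \
        --cpus=0.5 \
        --pids-limit=100 \
        -p 8080:80 nginx:alpine
}

# Constructed sample of `docker inspect` output for a container started with
# --privileged and otherwise default settings, trimmed to the HostConfig keys
# the audit reads. Not real output from any host.
sample_inspect() {
    cat <<'EOF'
[
    {
        "Name": "/web-unconfined",
        "HostConfig": {
            "Privileged": true,
            "CapAdd": null,
            "CapDrop": null,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "Memory": 0,
            "NanoCpus": 0,
            "PidsLimit": null
        }
    }
]
EOF
}

# True when the inspect JSON held in $json contains the given `"Key": value`.
# Docker pretty-prints inspect output in exactly that form.
has_setting() {
    printf '%s\n' "$json" | grep -q -- "$1"
}

# Print one FINDING line per risky default found in the JSON read from stdin.
# Memory/NanoCpus of 0 mean "unlimited"; PidsLimit is null on recent engines
# and 0 on older ones when no limit was set.
audit_inspect() {
    json=$(cat)
    has_setting '"Privileged": true'      && echo "FINDING: privileged (all capabilities and host devices)"
    has_setting '"CapDrop": null'         && echo "FINDING: no capabilities dropped"
    has_setting '"ReadonlyRootfs": false' && echo "FINDING: writable root filesystem"
    has_setting '"Memory": 0'             && echo "FINDING: no memory limit"
    has_setting '"NanoCpus": 0'           && echo "FINDING: no CPU quota"
    { has_setting '"PidsLimit": null' || has_setting '"PidsLimit": 0'; } \
        && echo "FINDING: no PID limit (a fork bomb can exhaust the host)"
    return 0
}

# Only touch the Docker daemon when explicitly asked.
case "${1:-}" in
    run)   run_hardened ;;
    audit) docker inspect "${2:-web-quota}" | audit_inspect ;;
    demo)  sample_inspect | audit_inspect ;;
esac
```

`sh quotas.sh demo` runs the audit over the constructed sample and reports all six findings; `sh quotas.sh run` followed by `sh quotas.sh audit web-quota` shows the hardened container producing none of them. The audit is deliberately a plain grep over the pretty-printed JSON so it needs no extra tooling on the host; for fleet-wide checks the same patterns map directly onto the docker-bench-security checks described later in this list.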

Docker-Bench Security

Homepage: https://github.com/docker/docker-bench-security

License: Open Source.

Use Cases: Compliance and security audit.

The Docker Bench for Security is a meta-script that checks for dozens of common best-practices around deploying Docker containers in production.

This script is conveniently packaged as a Docker container; just by copying and pasting the docker run one-liner from its homepage you can instantly see the results of approximately 250 checks for your running Docker containers and the host running the Docker engine (Docker CE or Docker Swarm). Docker Bench tests are inspired by the CIS Docker Community Edition Benchmark v1.1.0.


Dockscan

Homepage: https://github.com/kost/dockscan

License: Open Source.

Use Cases: Compliance and audit.

Dockscan is a simple Ruby script that analyzes the Docker installation and running containers, on both local and remote hosts.

It's easy to install and run with just one command, and it can generate HTML report files. Dockscan reports configured resource limits, containers spawning too many processes or with a high number of modified files, and whether your Docker host allows containers to forward traffic directly to the host gateway, to name a few examples.


Sysdig Falco

Homepage: https://www.sysdig.org/falco/

License: Open Source.

Use Cases: Runtime alerting, forensics.

Sysdig Falco is open source behavioral monitoring software designed to detect anomalous activity, built on the Sysdig monitoring technology. Sysdig Falco also works as an intrusion detection system on any Linux host.

Falco is an auditing tool, as opposed to enforcement tools like Seccomp or AppArmor. It runs in userspace, using a kernel module to retrieve system calls, while other similar tools perform system call filtering/monitoring at the kernel level. One of the benefits of a userspace implementation is being able to integrate with external systems like Docker, Docker Swarm, Kubernetes, Mesos, etc. and incorporate their metadata and tags.

Docker context: Falco supports container-specific context for its rules. Using this tool you can monitor the containers' behavior without instrumenting or modifying them in any way. Custom rule creation is very easy to grasp and the default rules file comes prepopulated with sane defaults.
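To show what the container-aware rules mentioned above look like, here is an added example rules file (not from the article and not part of Falco's default rule set). It alerts when a shell is started inside any container except images where one is expected; the image name mycorp/debug-toolbox is an assumption, and the spawned_process and container macros come from Falco's default rules, so the file must be loaded alongside them.

```yaml
# Added example Falco rules, not from the article or from Falco's own rule set.
# Load it together with the default rules (one -r per file, e.g.
# `falco -r /etc/falco/falco_rules.yaml -r ./container_rules.yaml`) because
# the spawned_process and container macros are defined in the default set.
# The image name mycorp/debug-toolbox is an assumption.

- list: shell_binaries
  items: [sh, bash, dash, zsh, ash]

# Images where an interactive shell is expected and should not raise an alert.
- list: images_allowed_to_shell
  items: [mycorp/debug-toolbox]

- macro: shell_expected_in_image
  condition: container.image.repository in (images_allowed_to_shell)

- rule: Shell spawned in container
  desc: >
    A shell was started inside a container that should only run its service
    process. Covers both ad-hoc debugging and post-compromise activity.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and not shell_expected_in_image
  output: >
    Shell started in container (user=%user.name container=%container.name
    image=%container.image.repository command=%proc.cmdline parent=%proc.pname)
  priority: WARNING
  tags: [container, shell]
```

The container.* fields in the condition and output are the container-specific context the paragraph refers to: Falco resolves them from the Docker daemon's metadata without touching the container, which is why an exception list can be keyed on the image rather than on a process name or a host path.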

HashiCorp Vault

Homepage: https://www.vaultproject.io/

License: Free, with an enterprise version.

Use Cases: Secure container-aware credentials storage, trust management.

HashiCorp's Vault is an advanced suite for managing secrets: passwords, SSL/TLS certificates, API keys, access tokens, SSH credentials, etc. It supports time-based secret leases, fine-grained secret access, on-the-fly generation of new secrets, key rolling (renewing keys without losing access to secrets generated with the old one), and much more.

Vault keeps a detailed audit log of all the secrets and of the access and manipulations performed by each user/entity, so operators can easily trace any suspicious interaction.

Docker context: The secure distribution and traceability of secrets is a core concern in the new microservices and containerized environments, where software entities are constantly spawned and deleted. Vault itself can be deployed as a Docker container.


NeuVector

Homepage: http://neuvector.com/

License: Commercial.

Use Cases: Runtime protection, compliance and audit.

NeuVector focuses on real-time security protection at runtime. It automatically discovers the behavior of applications, containers, and services, and detects security escalations and other related threats in a similar fashion to other Linux IDSs. NeuVector's privileged "enforcer" containers are deployed on each physical host with full access to the local Docker daemon; apart from that, the internal technology used by NeuVector is not thoroughly detailed in the publicly accessible documentation.

NeuVector aims to be a non-intrusive, plug-and-play security suite, performing automatic discovery of running containers and their default behavior to assist and counsel operators in the design of their infrastructure security profiles. NeuVector focuses on container network security rather than the underlying system, unlike many of the other runtime players.

That's it for Part 1, tune in tomorrow to learn about 10 more great Docker security tools!


Published at DZone with permission of Mateo Burillo, DZone MVB. See the original article here.
