Eliminate Critical Risks in the Cloud

Uncover and remediate the critical severity issues in your cloud environments without drowning your team in alerts.

Open-source Container Security Tools [By Use Case]

We cover the top container security tools across 7 common use cases, including image scanning, compliance, secrets management, and runtime security.

Wiz Experts Team
7 minutes read

Container security: A refresher

Container security entails securing containerized applications against potential vulnerabilities using various security tools and practices. With the growth in cloud-native applications, there has been a spike in the number of associated vulnerabilities, and since containers serve as the building blocks of these applications, container security has become a top priority. 

In response, organizations are focusing on tightening their security posture with advanced tools and practices, which serve as the focus of this post.

Figure 1: Container vulnerabilities trend (Source for data: cve.mitre.org)

What is a container threat model?

A threat model is the result of identifying potential threats and proposing actions to mitigate them. In the context of containers, no one model covers all potential threats. It depends on your environment and the software you host. However, it’s possible to create a threat model by identifying the most common vulnerabilities.

Figure 2: Container threat model

Figure 2 highlights some common attack vectors for containerized apps: vulnerable code, compromised container images, badly configured runtime/orchestrator, secret exposure, insecure networking, and container escape. 

Also, it’s worth mentioning that container platforms are never regarded as secure by default. This means that every time you set up a container environment, the first step is to activate necessary security measures. 

Options available for container security

Default security measures in container environments, like those provided by Docker and Kubernetes, offer a foundational level of security, but they often aren't enough. This eventually leads to a company having to integrate external tools to add additional layers of protection and flexibility. 

Among the available security tools, open-source tools are widely adopted because they have several benefits including more transparency, cost-effectiveness, and the ability to customize.

Figure 3: Open-source container security tools

As seen in the diagram above, open-source tools can be categorized into eight groups based on the container threat model discussed earlier. The following sections will dive into the most popular tools for each of these groups, with solutions categorized based on their primary specialization. However, keep in mind that the tools included below can often be multipurpose and offer features that span across multiple categories of container security. 

Note: We’ll only be covering active open-source projects, as some popular tools are no longer maintained or are not under active development (i.e., Anchore Engine, kube-hunter). 

Image scanning/vulnerability assessment tools

These container security solutions are dedicated to inspecting container images and identifying known vulnerabilities within them. 

Clair 

Clair scans container images for known vulnerabilities listed in databases like the Ubuntu CVE tracker and the Common Vulnerabilities and Exposures (CVE) database. When it comes to container image scanning, the easiest way is to scan the images within the registries (e.g., Docker Hub). However, this comes with limitations, for example, currently for Docker Hub, scanning is only available in private repositories. 

Clair comes in handy because it allows both local image scans as well as point-and-shoot scans for images stored in registries. Scanning images locally is helpful mostly in CI/CD pipelines, where you can either push the image to the registry or break the build. On the other hand, the point-and-shoot method directly scans images hosted in registries before pull. This requires Clair and Docker Hub integration, which can be easily performed using the tool Klar.

Trivy 

What’s special about Trivy is that it offers more comprehensive scanning capabilities, including images, filesystems, Git repositories, virtual machines, Kubernetes, and cloud services. Trivy also provides configuration auditing and compliance scans. 

Trivy has become popular with devs, as it offers an array of functionalities and is easy to use—no need for extensive configuration. Also, it was developed by Aqua Security, a company focused on cloud-native security tools that boasts a whopping 202 open-source repositories on GitHub. 

Grype and Syft

Both Grype and Syft were developed by Anchore for two distinct purposes. Grype primarily scans container images and filesystems. It also supports scanning software bills of materials (SBOMs). An SBOM provides a database of all the metadata, components, libraries, and packages that make up a container. 

While not a scanning tool, Syft generates SBOMs, which help identify affected components present in the software, thereby assisting with vulnerability management.

Configuration & compliance

Configuration and compliance tools focus on ensuring that containers and container orchestration systems like Kubernetes are configured correctly and comply with security best practices and regulatory standards. 

Kube-bench

Kube-bench, another open-source tool out of Aqua Security, checks the security of your Kubernetes clusters based on the well-established CIS Kubernetes Benchmark. Once the automated checks are completed, you will get a "pass" or "fail" (Figure 4).

Hadolint

You need a Docker file to make a Docker image, and Hedolint is a linter for writing Docker files. It applies rules derived from the Docker community and best practices from experienced Docker users. 

Policy management & enforcement

Policy management and enforcement tools are centered around creating, managing, and enforcing security policies across containerized environments. They help in automating governance and making sure security rules are applied consistently. 

Kyverno

Kyverno was designed for the popular container orchestrator Kubernetes. It primarily works as a policy engine, with policies written in YAML, to ensure that the deployed containers and Kubernetes resources meet an organization's security, compliance, and operational standards.

Open Policy Agent (OPA)

OPA is a more general-purpose policy engine, not specifically designed for Kubernetes, that can be used across a wide range of software systems. 

Note: Policies need to be written in the high-level declarative language Rego. This means OPA has a steeper learning curve compared to Kyverno, but it also comes with more power and flexibility for writing nuanced policies.

Secrets management

Tools for managing secrets are designed to ensure that any sensitive information (e.g., passwords, tokens, SSH keys, certificates) is stored securely, including proper access control. 

Hashicorp Vault

Hashicorp Vault is one of the most trusted open-source tools, with over 500 million downloads and around 30,000 stars on GitHub. It’s widely adopted across the world’s largest organizations. Why? Because Vault addresses the pain point of storing and managing secrets by providing a secure centralized platform. Also, it helps with compliance by managing detailed audit logs for any access to and operations on secrets. Vault’s enterprise version for commercial use provides additional security and extended features like easy deployments, disaster recovery, namespace support, etc.

Network security

Network security tools focus on securing the communication channels between containers and services. They enforce networking policies and provide capabilities like network segmentation, firewalling, and traffic control to prevent unauthorized access and to ensure that data in transit is secure. 

Project Calico

Like some of the other tools, Calico also has both open-source and enterprise versions. The open-source version offers core networking and network security capabilities for containerized environments, especially Kubernetes. Its feature set includes network policy enforcement, IP address management (IPAM), egress control, and namespace segregation. 

Cilium

Cilium is not just a network security tool; it’s a comprehensive networking solution for containerized environments that provides advanced security, observability, networking, and, most recently, service mesh features. Cilium is fully open source, but for large-scale commercial projects requiring commercial support, they provide Cilium Enterprise.

Cilium is built on top of the extended Berkeley Packet Filter (eBPF), a Linux kernel technology that allows programmability for operating systems. 

Figure 5: Cilium features (Source: CIlium)

Runtime security and intrusion detection

Runtime security and intrusion detection tools focus on monitoring and protecting containerized apps during execution/in real time. 

Falco

Falco monitors and uncovers threats in cloud ecosystems. It’s primarily used for intrusion detection, compliance assurance, and behavior monitoring for containerized apps.

Security orchestration

Security orchestration tools are designed to automate the integration of various security tools and processes. They coordinate and streamline the execution of security tasks, improve response times to incidents, and enable more sophisticated security analytics and reporting. 

Harbor

Harbor is a popular container image registry initially developed by VMware and later donated to the Cloud Native Computing Foundation (CNCF). It extends the standard features of a container registry to security, compliance, and management. 

Compared to container registries like Docker Hub, Harbor offers more comprehensive security controls, including role-based access control (RBAC), policy-driven vulnerability scanning, and image signing and verification.

Other security tools

Not all tools fit neatly into the above seven categories. Kubesec, Notary, Greenbone OpenVAS, Grafeas, and Wazuh all offer their own unique capabilities or serve specific niches within the wider arena of container security.

Wiz's approach to container security

While the open-source tools outlined above offer a range of capabilities to secure containerized environments, organizations looking for a more comprehensive, integrated solution may consider exploring Wiz's container security offering. Wiz's container security solution stands out by providing a unified platform that seamlessly integrates with existing container ecosystems, offering deep visibility, and proactive security across the entire container lifecycle.

Key Advantages of Wiz's Container Security Solution:

  • Comprehensive Coverage: Wiz goes beyond the typical functionalities offered by open-source tools by providing extensive coverage across all stages of the container lifecycle from development through deployment to runtime. This ensures that vulnerabilities are identified and mitigated before they can be exploited, regardless of where they occur in the container environment.

  • Deep Visibility and Contextual Analysis: Wiz offers deep visibility into the container environment, including detailed insights into container images, configurations, and runtime activities. This visibility is enhanced by contextual analysis, allowing security teams to quickly understand the scope and impact of potential vulnerabilities or misconfigurations, prioritizing issues based on actual risk.

  • Container Runtime Security: One of Wiz's standout features is its robust protection of container runtime environments. Wiz monitors container activities in real-time, utilizing advanced detection algorithms to identify and mitigate threats as they occur. This proactive stance on runtime security ensures that any malicious activity or anomaly is quickly detected and addressed, minimizing potential damage and ensuring continuous security.

In summary, while open-source container security tools provide valuable capabilities for addressing specific security concerns, Wiz offers a holistic, integrated solution that addresses the complexities and challenges of securing containerized applications in today's dynamic and evolving threat landscape. By choosing Wiz, organizations can benefit from advanced security features, streamlined operations, and a more robust defense against the full spectrum of container-related security threats.

What's running in your containers?

Learn why CISOs at the fastest growing companies use Wiz to uncover blind spots in their containerized environments.

Get a demo 

Continue reading

Secure Coding Explained

Secure coding is the practice of developing software that is resistant to security vulnerabilities by applying security best practices, techniques, and tools early in development.

Secure SDLC

Secure SDLC (SSDLC) is a framework for enhancing software security by integrating security designs, tools, and processes across the entire development lifecycle.