Docker Security

An ongoing & curated collection of awesome software, libraries and frameworks, best guidelines and technical resources and cool stuff about Docker Security.

Docker is a software platform that allows you to build, test, and deploy applications quickly. Docker packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime. Using Docker, you can quickly deploy and scale applications into any environment and know your code will run.

Docker containers are, by default, quite secure, especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.

Table of Contents

Books

Blogs

Videos

Tools

Container Runtime

  • gVisor - An application kernel, written in Go, that implements a substantial portion of the Linux system surface.
  • Kata Containers - An open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
  • sysbox - An open-source container runtime that enables Docker containers to act as virtual servers capable of running software such as systemd, Docker, and Kubernetes inside them. Launch inner containers, knowing that the outer container is strongly isolated from the underlying host.
  • Firecracker - An open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services.

Container Scanning

  • trivy - A simple and comprehensive vulnerability scanner for containers, suitable for CI.
  • Clair - Vulnerability static analysis for discovering Common Vulnerabilities and Exposures (CVEs) in containers; it can integrate with CI systems such as GitLab CI, which includes it in its templates.
  • Harbor - An open source trusted cloud native registry project equipped with several features such as a RESTful API, registry, vulnerability scanning, RBAC, etc.
  • Anchore Engine - An open source project that provides a centralized service for inspection, analysis and certification of container images. Access the engine through a RESTful API and the Anchore CLI, then integrate it with your CI/CD pipeline.
  • grype - An open source project from Anchore that performs vulnerability scanning of container images and filesystems.
  • Dagda - A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers to detect anomalous activities.
  • Snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies; supports container scanning and application security.

Compliance

  • Docker Bench for Security - A script that checks for dozens of common best-practices around deploying Docker containers in production.
  • lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
  • Open Policy Agent (OPA) - An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
  • opa-docker-authz - A policy-enabled authorization plugin for Docker.

Pentesting

  • Gorsair - A penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers.
  • dockerscan - Docker security analysis & hacking tools with functionality to detect vulnerabilities in Docker images and Docker registries; the objective is the attack.
  • Cloud Container Attack Tool - A tool for testing security of container environments.

Playground

Others

  • dive - A tool for exploring each layer in a Docker image.
  • hadolint - A smarter Dockerfile linter that helps you build best-practice Docker images.
  • dockle - Container image linter that helps you build best-practice Docker images.
  • docker_auth - Authentication server for Docker Registry 2.
  • bane - Custom & better AppArmor profile generator for Docker containers.

Use Cases

Your contributions are always welcome.

Licenses

CC0

To the extent possible under law, Veilair has waived all copyright and related or neighboring rights to this work.
