Need help with awesome-container-security?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

kai5263499
157 Stars 30 Forks Apache License 2.0 86 Commits 0 Opened issues

Description

Awesome list of resources related to container security

Services available

!
?

Need anything else?

Contributors list

# 124,606
C
mac-osx
Shell
Docker
78 commits
# 9,878
Go
golang
maltego
React
2 commits

awesome-container-security AwesomeTravis


A collection of container related security resources


Image


Deepfence Runtime Threat Mapper

  • Identify vulnerabilities in running containers, images, hosts and repositories

Dagda

  • Static image analysis tool

Port Authority Open Source Security Scanner for Docker

Security Assurance Requirements for Linux Application Container Deployments

  • Department of commerce guidance on container security

Dramatically Reducing Software Vulnerabilities

CoreOS Clair

OpenSCAP Container Compliance

  • Utility for aiding in compliance checks against a container

Actuary

  • Automated security profiling for Docker image
  • drydock - Inspired by docker-bench-security with the ability to apply custom security profiles
  • Docker bench security - One of the first security linting utility for Docker

Buildah

Packer

  • Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.

LinuxKit

  • A toolkit for building custom minimal, immutable Linux distributions

Grafeas

  • An open-source API to audit and govern your software supply chain

Atomic Reactor

  • Python library that extends docker build. It's part of the RedHat Atomic project so its rather opinionated

Containers Internals Lab

  • A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component

Anchore

  • Free image scanning service with a commercial offering similar to Docker Cloud
  • anchore-cli

Alpine CVE Check

  • Specialized CVE scanner

Banyan Collector: A framework to peek inside containers

  • Framework for peering inside docker images. Useful for rolling your own image scanning system

Commercial solutions


Build Management


Habitat.sh

  • Source to deployment framework. An alternative to Kubernetes and Spinnaker. I include it here because it implements a concept of trusted images and dependency management

Commercial solutions

  • Project Atomic - RedHat's complete container solution with strong built-in security
  • Docker Cloud - Continuous scanning of images along with a trust mechanism

Networking/Runtime


kubeadm

  • Associating Amazon IAM roles to pods

kiam

  • Also for associating Amazon IAM roles to pods

Secure Container Isolation: Problem Statement & Solution Space

  • Comprehensive guide from Google engineers on securing and isolating containers

gVisor

  • User-space kernel designed to provide better isolation/sandboxing of containers

Cilium

Linux Monitoring at Scale with eBPF (Brendan Gregg & Alex Maestretti)

  • bSides SF 2017 talk about container monitoring at Netflix using eBPF

Calico

  • Security enforcement for Flannel SDN

Kube2IAM

  • Apply Amazon Identity Management roles to Kubernetes Pods

Envoy

  • Sidecar and security enforcement system used at Lyft

Romana

  • Network policy enforcement
  • Project

Scope

  • Realtime metrics gathering across the cluster

Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud

  • An exploration of covert channels

Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs

  • Contains an interesting point about how contains that share network namespaces can snoop on eachother's traffic

Docker Layer 2 ICC Bug

  • Containers are able to send raw ethernet frames to other containers with inter-container communication disabled

Commercial solutions

  • StakRox - Container security solution with adaptive threat protection
  • NeuVector - Continuous network security
  • TwistLock - Network activity profiling

Security profiles


bane

  • AppArmor profile generator for Docker containers

Container security as explained by the three pigs

SELinux for Mere Mortals

  • A gentle introduction to Security Enhanced Linux

SELinux is no Longer an Option

Firejail

  • Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps

Docker SELinux Capabilities reference

  • A handy list of capabilities that are enabled by default in Docker

Detailed post about SELinux Capabilities

  • An SELinux deep dive

What capabilities do I really need in my container?

  • Blog post about figuring out what capabilities a container needs

Secure Your Containers with this One Weird Trick

  • Spoiler, its using SELinux

Falco

Getting towards real sandbox containers

Bubblewrap

Subgraph

  • Bills itself as an adversary resistant computing platform. Under the hood the idea is to run containers in user space

Linux Containers in 500 Lines of Code

  • An exercise that also takes you through the nitty gritty details of capabilities management

Exploits


Threat Alert: Kinsing Malware Attacks Targeting Container Environments

  • From the intro: "We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis."

harpoon

  • Post exploitation framework

waitid

nsenter

  • This isn't an exploit but it allows user to access the host VM if run in privileged mode

Dirty COW

Docker CVE List

  • List of known security vulnerabilities for Docker

Three Overlooked Lessons about Container Security

  • Outlines an interesting spear-phishing attack on image maintainers

Docker Scan

  • Image scanning system with a red-team focus of exploitation

Twitter Vine Source Code Dump

  • A case study of a vulnerable private registry

Honeypots


How I capture and monitor Wordpress attacks

  • Capturing exploit attempts by emulating a Wordpress box

DShield

  • Docker container running cowrie with DShield output enabled

Dockerpot

  • Fairly old but a great idea for platform to build honeypots

Presentations/Posts


Pets, cattle and insects

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.