this post was submitted on 17 Jul 2023

Service Clouds: AWS, Azure, GCP, etc.

The following are some tools you can use to perform security scans on your container images and running containers. They are useful for manual audits of existing images, for scanning images as part of a build pipeline so that a vulnerable image never reaches a registry, and for actively monitoring containers running in production. All of them are open source and can be run for free.

Docker Bench for Security

https://github.com/docker/docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production. The tests are all automated and are based on the CIS Docker Benchmark v1.5.0. Note that it audits the host and daemon configuration, not just images, so it has to be run directly on the Docker host with root privileges.

Aquasecurity Trivy

https://github.com/aquasecurity/trivy

Trivy is a comprehensive and versatile security scanner. It is organised around scanners (what it looks for: known vulnerabilities in OS packages and application dependencies, misconfigurations in IaC files, hard-coded secrets, licences) and targets (where it looks: container images, filesystems, git repositories, Kubernetes clusters), and it can also generate an SBOM for a target. You can use https://github.com/aquasecurity/trivy-action to perform scans within your GitHub Actions workflows.

Anchore Grype

https://github.com/anchore/grype

A vulnerability scanner for container images and filesystems. It can also take an SBOM produced by Syft (the same project's SBOM generator) as input instead of scanning the image directly. You can use https://github.com/anchore/scan-action to perform scans within your GitHub Actions workflows.
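The two sections above both point at GitHub Actions integrations, so here is one workflow that gates an image build with Trivy and then Grype. This is an added example, not from the original post or from either project's documentation; the image name, the `actions/*` and `codeql-action` version tags, and the repository layout (a Dockerfile at the root) are assumptions. Both scanners are shown so their inputs can be compared side by side; in a real pipeline you would normally pick one.

```yaml
# Added example (not part of the original post).
# Assumes: a Dockerfile at the repo root, and that the repo allows
# uploading SARIF results to the Security tab.
name: container-image-scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed for the SARIF upload step

    steps:
      - uses: actions/checkout@v3

      # Build locally and scan before anything is pushed to a registry.
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .

      # Trivy: exit non-zero (fail the job) on HIGH/CRITICAL findings
      # in OS packages or application libraries. ignore-unfixed skips
      # CVEs with no available fix so the gate only blocks on things
      # a rebuild can actually resolve.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: example-app:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

      # Grype: same policy expressed with scan-action's inputs.
      # fail-build + severity-cutoff block on HIGH and above; only-fixed
      # is the equivalent of Trivy's ignore-unfixed.
      - name: Grype scan
        id: grype
        uses: anchore/scan-action@v3
        with:
          image: example-app:${{ github.sha }}
          fail-build: true
          severity-cutoff: high
          only-fixed: true

      # Upload Grype's SARIF even when the scan failed the build, so the
      # findings appear in the repository's code-scanning alerts.
      - name: Upload Grype SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
```

For a production pipeline, pin each action to a commit SHA rather than a branch or major-version tag (`@master` above follows the Trivy action's own docs but means the scanner step itself can change underneath you), and run the scan on a schedule as well as on push, since new CVEs are published against images that have not changed.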

Clair

https://github.com/quay/clair

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently supporting OCI and Docker image formats). At the time of writing, AWS ECR basic scanning uses this project as its backend. You can use https://github.com/quay/clair-action to perform scans within your GitHub Actions workflows.

Sysdig Falco

https://github.com/falcosecurity/falco

Falco is a cloud-native runtime security tool for Linux. It captures system calls (via a kernel module or an eBPF probe), matches them against a rule set, and alerts in real time on abnormal behaviour and potential security threats, such as a shell being spawned inside a container or writes to sensitive paths. It is generally used for active monitoring of Kubernetes clusters, but you can also use it with ECS Fargate.
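Since Falco is rule-driven, a custom rule is the natural worked example. The file below, added here and not taken from the post or from Falco's own rule set, flags a package manager being executed inside a running container, which in an immutable-image workflow almost always means someone is installing tooling by hand. The macro and list names are assumptions: `spawned_process` and `container` are re-declared here so the file loads on its own, but they match the definitions used by Falco's default rules.

```yaml
# Added example Falco rules file (not part of the original post).
# Assumes Falco 0.3x; load with:  falco -r this_file.yaml
# The two macros duplicate the stock definitions so the file is self-contained.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host

# Binaries that should never run in a container after image build.
- list: pkg_mgr_binaries
  items: [apt, apt-get, dpkg, yum, dnf, rpm, apk, pip, pip3, npm]

- rule: Package manager run in container
  desc: >
    A package-management binary was executed inside a running container.
    Images should be rebuilt, not patched at runtime; this usually means an
    interactive operator or an attacker adding tooling to a live container.
  condition: >
    spawned_process and container and proc.name in (pkg_mgr_binaries)
  output: >
    Package manager run in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository:%container.image.tag
    parent=%proc.pname)
  priority: WARNING
  tags: [container, process]
```

Tune the list to your base images (Alpine users will mostly care about `apk`, Debian users about `apt`/`dpkg`), and if a legitimate init step installs packages at start-up, add an exception on `container.image.repository` rather than disabling the rule.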

There are others out there, but these are the ones I remember at the moment. If you know of any others, please add them.
