Container security software helps protect containerized files or applications, together with their connected networks and infrastructure. Containers are a common method of packaging units of software throughout the development process, most readily employed by DevOps teams. Security is a critical concern throughout all phases of container usage.
Organizations use container security solutions to test security, manage access, and safeguard cloud computing infrastructure operating containerized applications. Administrators can use management features to help them decide who can access container information or integrate with containerized applications. Testing helps inform security policies, identify zero-day vulnerabilities, and replicate attacks from known threat areas.
Some general-purpose security solutions can be used for containerized applications. However, container-specific tools offer better networking, monitoring, and security capabilities for containerized applications and microservices.
In this article:
Containers are popular primarily due to their modular and lightweight approach. They feature everything needed to run applications—including tools, code, libraries, settings, and runtime—and can operate on top of an operating system irrespective of the environment. Thus, they require fewer resources and are more portable than virtual machines (VMs).
Container platforms (including Kubernetes and Docker) feature native security controls, but these are often insufficient. Container-based development tends to involve third-party software elements, which could introduce vulnerabilities to the applications. Integration with external tools can also expose containers to fraudulent processes that can bypass the isolation and facilitate unauthorized access to different container images.
If a container image possesses a vulnerability, it could be unknowingly deployed in applications. Misconfigured permissions may increase the risk of such issues, so container security must be treated seriously.
Related content: Read our guide to container security best practices
Here are some of the most popular open-source tools for maintaining container security.
Project Calico is an open-source project with an active development and user community. Calico Open Source was born out of this project and has grown to be the most widely adopted solution for container networking and security, powering 2M+ nodes daily across 166 countries.
Calico Open Source is a networking and security solution for containers, virtual machines, and native host-based workloads. It supports a broad range of platforms including Kubernetes, OpenShift, Docker EE, OpenStack, and bare metal services.
Whether you opt to use Calico’s eBPF data plane, Linux’s standard networking pipeline, or the Windows data plane, Calico delivers blazing-fast performance with true cloud-native scalability. Calico provides developers and cluster operators with a consistent experience and set of capabilities whether running in public cloud or on-premises, or on a single node or across a multi-thousand node cluster.
Learn more about Project Calico
License: Apache License 2.0
Github Repo: http://github.com/projectcalico/calico
Clair carries out static examination of container vulnerabilities. Today, it works with Docker containers and OCI. Clair consumes numerous vulnerability information sources, including Red Hat Security Data, Debian Security Bug Tracker, and Ubuntu CVE Tracker. Clair ingests a large amount of CVE databases for in-depth auditing.
Clair initially indexes a set of items within a container image. Subsequently, developers can use the Clair API to query the database for any vulnerabilities connected to a specific image.
Clair’s feature set is adjustable—you can create your own drivers for added behaviors. You can also make unrelated API calls to audit particular container images, which provides a streamlined, machine-driven alternative to looking over huge report logs.
License: Apache License 2.0
Github Repo: http://github.com/quay/clair
The open-source Anchore Engine is used to analyze container images and provide reporting on CVE-based security vulnerabilities. The Anchore Engine also assesses Docker images via custom rules to permit automated certification and validation.
Rules result in a fail or pass outcome, and can be in the form of denylists or allowlists, depending on file contents, credentials, configuration types, or other user-generated prompts. Presented as a Docker container image, Anchore can run on an orchestration platform (i.e. Kubernetes) or by itself. There are also GitLab and Jenkins integrations available for CI/CD.
The command-line interface (CLI) is a simple means of manipulating the Anchore Engine. For instance, you can enter a command to gain in-depth details on the make-up of an image. Carrying out a scan on an image should create a list of threat levels, vulnerability and CVE details, and other relevant data.
Because user-defined regulations are developed with Anchore Enterprise GUI, it functions similar to SaaS.
License: Apache License 2.0
Github Repo: http://github.com/anchore/anchore-engine
OpenSCAP is a command-line tool used for auditing. It lets users load, scan, edit, export, and validate SCAP documents. SCAP (Security Content Automation Protocol) is a solution that checks for compliance for enterprise-level Linux infrastructure. It is overseen by NIST. It utilizes the Extensible Configuration Checklist Description Format (XCCDF), a common way of displaying checklist content, and clarifies security checklists.
OpenSCAP (abbreviated as oscap) offers a series of tools for compliance scanning and management of container images. Examples include:
License: GNU Lesser General Public License v2.1
Github Repo: http://github.com/OpenSCAP/openscap-daemon
Google and IBM have joined forces with a container security tool known as Grafeas that was made public in late 2017. This could help you develop your personal container security scanning plans.
Grafeas is often known as a component metadata API. Developers can use this tool to specify metadata for VMs and containers. IBM’s Vulnerability Advisor is also a part of the project.
You can use Grafaes alongside Kritis, another open-source package, to implement security policies on Kubernetes clusters that utilize Grafaes metadata.
By quickly sourcing container metadata, you can accelerate remediation attempts, and thus minimize the time between zero-day exploit and resolution. Although Grafeas is open source, it is managed by big software providers.
License: Apache License 2.0
Github Repo: http://github.com/grafeas/grafeas
Falco is a threat detection engine for Kubernetes. It is also an open-source project and a runtime security tool used to identify anomalous behavior in containers and hosts running on Kubernetes. It isolates any unusual activity in your application and tells you of the threats at runtime.
It utilizes tcpdump-like syntax to establish the rules and makes use of libraries including libinsp and libscap, which can enter and pull data from your container runtime environment or Kubernetes API server.
Subsequently, you may use that metadata about pods and namespaces to develop rules specific to a certain namespace or a specific container image. The rules determine which system calls are permitted and banned on the system.
License: Apache License 2.0
Github Repo: http://github.com/falcosecurity/falco
Dagda is used to carry out static analysis of known malware, vulnerabilities, Trojans, viruses, and other potential threats in Docker containers or images. It is an open-source tool that can help you monitor the Docker daemon. Dagda is also used to run Docker containers to discover irregular behavior. It supports various Linux base images, including CentOS, Red Hat, Debian, Fedora, OpenSUSE, Ubuntu, and Alpine.
Dagda also has a Docker Compose file, which means that it is simple to evaluate. Although Daga supports container monitoring, it has to be integrated with Sysdig Falco—a cloud-native open-source runtime security project.
Dagda doesn’t support scanning of registries or repositories, so it is more fitting for on-demand scans than for arranged registry scans. Following installation, known exploits and vulnerabilities databases are imported and retained in MongoDB. Then, Dagda amasses information about the software installed into a Docker image to check that every product (and its version) is free from vulnerabilities. It verifies this against the stored information in MongoDB.
This tool also employs ClamAV as an antivirus for Docker images and containers. The main users of this tool are developers, security professionals, and system administrators.
License: Apache License 2.0
Github Repo: http://github.com/eliasgranderubio/dagda
Calico Cloud offers active build, deploy and runtime security for containers and Kubernetes.
Visit our container security solutions page to learn more about Calico Cloud’s container security features.
Next Steps
Get updates on blog posts, workshops, certification programs, new releases, and more!
