2018-10-04 23:26:00 -04:00
awesome-container-security [![Awesome ](https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg )](https://github.com/sindresorhus/awesome)[![Travis](https://api.travis-ci.org/kai5263499/awesome-container-security.svg?branch=master)](https://travis-ci.org/kai5263499/awesome-container-security)
------------------------------------------------------------------------------------------
A collection of container related security resources
* [**Image** ](#image )
* [**Build Management** ](#build-management )
* [**Networking/Runtime**](#networkingruntime)
* [**Security profiles** ](#security-profiles )
* [**Exploits** ](#exploits )
* [**Honeypots** ](#honeypots )
* [**Presentations/Posts/Articles**](#presentationspostsarticles)
------------------------------------------------------------------------------------------
## Image
------------------------------------------------------------------------------------------
### [Deepfence Runtime Threat Mapper](https://github.com/deepfence/ThreatMapper)
* Identify vulnerabilities in running containers, images, hosts and repositories
### [Dagda](https://github.com/eliasgranderubio/dagda/)
* Static image analysis tool
### [Port Authority Open Source Security Scanner for Docker](https://www.linkedin.com/pulse/port-authority-open-source-security-scanner-docker-srinivasan/)
* [Getting started guide ](https://tech.target.com/open%20source/2018/06/07/port-authority-open-source-buzz.html )
* [Source ](https://github.com/target/portauthority )
### [Understanding and Hardening Linux Containers](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2016/april/understanding-and-hardening-linux-containers/)
* The "War and Peace" of container security
### [Security Assurance Requirements for Linux Application Container Deployments](https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8176.pdf)
* Department of Commerce guidance on container security
### [Dramatically Reducing Software Vulnerabilities](https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf)
* NIST guidance on reducing software vulnerabilities
* [NIST security content automation protocol ](https://csrc.nist.gov/projects/security-content-automation-protocol )
* [Extensible Configuration Checklist Description Format (XCCDF) ](https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/xccdf ) - Goes along with the SCAP link above for specifying a security template that containers should conform to
### [CoreOS Clair](https://coreos.com/blog/vulnerability-analysis-for-containers.html)
* Utility from CoreOS for automated vulnerability analysis for containers
* [Clair: The Container Image Security Analyzer (by Joey Schorr & Quentin Machu) ](https://www.youtube.com/watch?v=Kri67PtPv6s ) - Presentation about the Clair platform
* [A more polished presentation of Clair at CoreOS Fest 2016 ](https://www.youtube.com/watch?v=YDCa51BK2q0 )
### [OpenSCAP Container Compliance](https://github.com/OpenSCAP/container-compliance)
* Utility for aiding in compliance checks against a container
### [Actuary](https://github.com/diogomonica/actuary)
* Automated security profiling for Docker image
* [drydock ](https://github.com/zuBux/drydock ) - Inspired by docker-bench-security with the ability to apply custom security profiles
* [Docker bench security](https://github.com/diogomonica/docker-bench-security) - One of the first security linting utilities for Docker
### [Buildah](https://github.com/containers/buildah)
* [Introduction ](http://www.projectatomic.io/blog/2017/06/introducing-buildah/ )
* Docker image building framework
### [Packer](https://www.packer.io/docs/builders/docker.html)
* Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.
### [LinuxKit](https://github.com/linuxkit/linuxkit)
* A toolkit for building custom minimal, immutable Linux distributions
### [Grafeas](https://github.com/Grafeas/Grafeas)
* An open-source API to audit and govern your software supply chain
### [Atomic Reactor](https://github.com/containerbuildsystem/atomic-reactor)
* Python library that extends docker build. It's part of the Red Hat Atomic project, so it's rather opinionated
### [Containers Internals Lab](https://github.com/fatherlinux/container-internals-lab)
* A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component
### [Anchore](https://anchore.com/enterprise/)
* Free image scanning service with a commercial offering similar to Docker Cloud
* [anchore-cli ](https://github.com/anchore/anchore-cli )
### [Alpine CVE Check](https://github.com/tomwillfixit/alpine-cvecheck)
* Specialized CVE scanner
### [Banyan Collector: A framework to peek inside containers](https://github.com/banyanops/collector)
* Framework for peering inside docker images. Useful for rolling your own image scanning system
### Commercial solutions
* [Black Duck Software ](https://www.blackducksoftware.com/ )
* [Tenable ](https://www.tenable.com/products/tenable-io/container-security ) - Includes [FlawCheck ](https://www.theregister.com/2016/10/26/tenable_ate_flawcheck_for_devops_enhancement/ )
* [GrSecurity ](https://grsecurity.net/features ) - A collection of image hardening tools
* [Aqua ](https://www.aquasec.com/ ) - Full lifecycle container security management platform
------------------------------------------------------------------------------------------
## Build Management
------------------------------------------------------------------------------------------
### [Habitat.sh](https://www.habitat.sh/)
* Source to deployment framework. An alternative to Kubernetes and Spinnaker. I include it here because it implements a concept of trusted images and dependency management
### Commercial solutions
* [Project Atomic ](https://www.projectatomic.io/ ) - RedHat's complete container solution with strong built-in security
* [Docker Cloud ](https://hub.docker.com ) - Continuous scanning of images along with a trust mechanism
------------------------------------------------------------------------------------------
## Networking/Runtime
------------------------------------------------------------------------------------------
### [kubeadm](https://github.com/kubernetes/kubeadm)
* Associating Amazon IAM roles with pods
### [kiam](https://github.com/uswitch/kiam)
* Also for associating Amazon IAM roles with pods
### [Secure Container Isolation: Problem Statement & Solution Space](https://docs.google.com/document/d/1QQ5u1RBDLXWvC8K3pscTtTRThsOeBSts_imYEoRyw8A/edit#heading=h.ypyhxoaw8f95)
* Comprehensive guide from Google engineers on securing and isolating containers
### [gVisor](https://github.com/google/gvisor)
* User-space kernel designed to provide better isolation/sandboxing of containers
### [Cilium](https://github.com/cilium/cilium)
* Network policy enforcement based on eBPF
* [Cilium - Container Security and Networking Using BPF and XDP - Thomas Graf, Covalent ](https://www.youtube.com/watch?v=CcGtDMm1SJA ) - Presentation of Cilium by its creator
### [Linux Monitoring at Scale with eBPF (Brendan Gregg & Alex Maestretti)](https://www.youtube.com/watch?v=44nV6Mj11uw)
* BSides SF 2017 talk about container monitoring at Netflix using eBPF
### [Calico](https://www.projectcalico.org/)
* Security enforcement for [Flannel ](https://github.com/coreos/flannel ) SDN
### [Kube2IAM](https://github.com/jtblin/kube2iam)
* Apply Amazon Identity Management roles to Kubernetes Pods
### [Envoy](https://www.envoyproxy.io/)
* Sidecar and security enforcement system used at Lyft
### [Romana](https://romana.io/)
* Network policy enforcement
* [Project ](https://github.com/romana/romana )
### [Scope](https://github.com/weaveworks/scope)
* Real-time metrics gathering across the cluster
### [Whispers in the Hyper-space: High-speed Covert Channel Attacks in the Cloud](https://www.youtube.com/watch?v=d2TU_Q4U9DA)
* An exploration of covert channels
### [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/)
* Contains an interesting point about how containers that share network namespaces can snoop on each other's traffic
### [Docker Layer 2 ICC Bug](https://github.com/brthor/docker-layer2-icc)
* Containers are able to send raw Ethernet frames to other containers even with inter-container communication disabled
### Commercial solutions
* [StackRox](https://www.stackrox.com/) - Container security solution with adaptive threat protection
* [NeuVector ](https://neuvector.com/ ) - Continuous network security
* [TwistLock](https://www.paloaltonetworks.com/prisma/cloud) - Network activity profiling
------------------------------------------------------------------------------------------
## Security profiles
------------------------------------------------------------------------------------------
### [bane](https://github.com/genuinetools/bane)
* AppArmor profile generator for Docker containers
### [Container security as explained by the three pigs](https://www.youtube.com/watch?v=giFKMsIH4b0)
* [Bringing new security features to Docker ](https://opensource.com/business/14/9/security-for-docker )
* [The Container Coloring Book ](https://github.com/fedoradesign/coloringbook-containers/blob/master/Print-Ready/Web.pdf )
### [SELinux for Mere Mortals](https://www.youtube.com/watch?v=cNoVgDqqJmM)
* A gentle introduction to Security Enhanced Linux
### [SELinux is no Longer an Option](https://www.youtube.com/watch?v=dtclmj3H7ZU)
### [Firejail](https://github.com/netblue30/firejail)
* Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps
### [Docker SELinux Capabilities reference](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities)
* A handy list of capabilities that are enabled by default in Docker
### [Detailed post about SELinux Capabilities](https://forums.grsecurity.net/viewtopic.php?f=7&t=2522)
* An SELinux deep dive
### [What capabilities do I really need in my container?](https://danwalsh.livejournal.com/76358.html)
* Blog post about figuring out what capabilities a container needs
### [Secure Your Containers with this One Weird Trick](https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick)
* Spoiler: it's using SELinux
### [Falco](https://sysdig.com/opensource/falco/)
* Open source container security monitoring
* [Technical discussion ](https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/ )
* [WTF, My Container Just Spawned a Shell - Jorge Salamero Sanz, Sysdig ](https://www.youtube.com/watch?v=LPgjLzFcFVU )
### [Getting towards real sandbox containers](https://blog.jessfraz.com/post/getting-towards-real-sandbox-containers/)
### [Bubblewrap](https://github.com/containers/bubblewrap)
### [Subgraph](https://subgraph.com/)
* Bills itself as an adversary resistant computing platform. Under the hood the idea is to run containers in user space
### [Linux Containers in 500 Lines of Code](https://blog.lizzie.io/linux-containers-in-500-loc.html)
* An exercise that also takes you through the nitty gritty details of capabilities management
------------------------------------------------------------------------------------------
## Exploits
------------------------------------------------------------------------------------------
### [Threat Alert: Kinsing Malware Attacks Targeting Container Environments](https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability)
* From the intro: "We've been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily basis."
### [harpoon](https://github.com/ProfessionallyEvil/harpoon)
* Post exploitation framework
### [waitid](https://www.youtube.com/watch?v=IdRDFS4u2rQ)
* CVE-2017-5123
* Privilege escalation using the waitid syscall
* [Detailed write-up ](https://salls.github.io/Linux-Kernel-CVE-2017-5123/ )
### [nsenter](https://coderwall.com/p/xwbraq/attach-to-your-docker-containers-with-ease-using-nsenter)
* This isn't an exploit, but it allows a user to access the host VM if the container is run in privileged mode
### [Dirty COW](https://dirtycow.ninja/)
* CVE-2016-5195
* Privilege escalation vulnerability in Linux kernel
* [Proof of concept ](https://github.com/scotty-c/dirty-cow-poc )
* [Proof of concept collection ](https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs )
* [Dirty COW and why lying is bad even if you are the Linux kernel ](https://chao-tic.github.io/blog/2017/05/24/dirty-cow )
### [Docker CVE List](https://www.cvedetails.com/vulnerability-list/vendor_id-13534/product_id-28125/Docker-Docker.html)
* List of known security vulnerabilities for Docker
### [Three Overlooked Lessons about Container Security](https://thenewstack.io/three-overlooked-lessons-container-security/)
* Outlines an interesting spear-phishing attack on image maintainers
### [Docker Scan](https://github.com/cr0hn/dockerscan)
* Image scanning system with a red-team focus on exploitation
### [Twitter Vine Source Code Dump](https://avicoder.me/2016/07/22/Twitter-Vine-Source-code-dump/)
* A case study of a vulnerable private registry
------------------------------------------------------------------------------------------
## Honeypots
------------------------------------------------------------------------------------------
### [How I capture and monitor Wordpress attacks](https://medium.com/@misc_heading/how-i-capture-and-monitor-wordpress-attacks-ceda512b07)
* Capturing exploit attempts by emulating a Wordpress box
### [DShield](https://github.com/xme/dshield-docker)
* Docker container running cowrie with DShield output enabled
### [Dockerpot](https://www.itinsight.hu/blog/posts/2015-05-04-creating-honeypots-using-docker.html)
* Fairly old, but a great idea for a platform on which to build honeypots
------------------------------------------------------------------------------------------
## Presentations/Posts/Articles
------------------------------------------------------------------------------------------
### [Pets, cattle and insects](https://hub.packtpub.com/pets-cattle-analogy-demonstrates-how-serverless-fits-software-infrastructure-landscape/)
* An extension of the helpful cattle and pets analogy
### [OWASP Kubernetes Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html)
* One of the many cheat sheets in the OWASP series, providing insight into the security of various components and capabilities of Kubernetes
### [Capability based sandboxing](https://archive.fosdem.org/2016/schedule/event/capsicum/)
* The author presents the intriguing notion of applying the microservices approach to containers, splitting an application up by capabilities
* [Awesome Object Capabilities ](https://github.com/dckc/awesome-ocap ) - A language-level implementation of the capability based sandboxing methodology
* [Linux port of Capsicum ](https://github.com/google/capsicum-linux ) related to this [LWN post ](https://lwn.net/Articles/604287/ )
### [Introduction to Container Security](https://www.youtube.com/watch?v=ABFmXCGJlo8)
### [GoDaddy's Production Kubernetes Story & Moving Target Defense in Container Envs](https://www.youtube.com/watch?v=2nisq0stz-s)
### [Container Security Round Table](https://www.youtube.com/watch?v=eY0wIj7lsEw)
### [Secure Substrate: Least Privilege Container Deployment](https://www.youtube.com/watch?v=iHQCVFMBdCA)
### [A Docker Image Walks Into a Notary](https://www.youtube.com/watch?v=JvjdfQC8jxM)
### [How Secure Are Your Docker Images?](https://www.youtube.com/watch?v=dzm-8hp8MQo)
### [Docker Security Deep Dive - Docker Track](https://www.youtube.com/watch?v=tL4IYSKu7ZU)
* Securing the image pipeline from creation to delivery
### [Scaling Application Defense with Intent Based Security - Michael Withrow (Twistlock)](https://www.youtube.com/watch?v=970keZ7VfCg)
* A security model to match the deployment model of many orchestration utilities
### [Container Performance Analysis](https://www.youtube.com/watch?v=bK9A5ODIgac)
* Container performance analysis at Netflix. This contains similar material to the BSides talk listed above, with
* [Evolution of Container Usage at Netflix ](https://netflixtechblog.com/the-evolution-of-container-usage-at-netflix-3abfc096781b ) - Also provides insight into container monitoring, logging, and security at Netflix.
### [Docker Networking in Production at Visa](https://www.youtube.com/watch?v=k3SeQPt0f0o)
* Chief Systems Architect Sasi Kannappan describes how Docker is used at Visa
### [The Golden Ticket- Docker and High Security Microservices - Black Belt Track](https://www.youtube.com/watch?v=346WmxQ5xtk)
### [Docker Engine Security Cheatsheet](https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.adoc)
* Collection of resources on hardening your Docker daemon
### [Dance Madly on the Lip of a Volcano](https://www.youtube.com/watch?v=sNjylW8FV9A)
* Balancing moving fast and breaking things with securing against vulnerabilities
### [Making Security Invisible - Jessica Frazelle - JOTB17](https://www.youtube.com/watch?v=BuFTHOgsgAY)
* Great presentation on sandboxing containers
### [Vulnerability Exploitation In Docker Container Environments](https://www.youtube.com/watch?v=77-jaeUKH7c)
### [Docker Security Best Practices](https://dev.to/petermbenjamin/docker-security-best-practices-45ih)
### [Kubernetes Security Best Practices](https://dev.to/petermbenjamin/kubernetes-security-best-practices-hlk)