Awesome list of resources related to container security
Go to file
2017-10-21 11:55:55 -04:00
.travis.yml moving in.. 2017-10-14 11:27:13 -04:00
contributing.md moving in.. 2017-10-14 11:27:13 -04:00
LICENSE moving in.. 2017-10-14 11:27:13 -04:00
README.md Add Anchore 2017-10-21 11:55:55 -04:00

container-security-awesome AwesomeTravis


A collection of container related security resources


Image


Understanding and Hardening Linux Containers

  • The "War and Peace" of container security

Security Assurance Requirements for Linux Application Container Deployments

  • Department of commerce guidance on container security

CoreOS Clair

OpenSCAP Container Compliance

  • Utility for aiding in compliance checks against a container

Actuary

  • Automated security profiling for Docker image
  • drydock - Inspired by docker-bench-security with the ability to apply custom security profiles
  • Docker bench security - One of the first security linting utility for Docker

Buildah

Packer

  • Packer builds Docker containers without the use of Dockerfiles. By not using Dockerfiles, Packer is able to provision containers with portable scripts or configuration management systems that are not tied to Docker in any way. It also has a simple mental model: you provision containers much the same way you provision a normal virtualized or dedicated server.

LinuxKit

  • A toolkit for building custom minimal, immutable Linux distributions

Grafeas

  • An open-source API to audit and govern your software supply chain

Atomic Reactor

  • Python library that extends docker build. It's part of the RedHat Atomic project so its rather opinionated

Containers Internals Lab

  • A series of exercises that provide a deep dive into the internals of containers. Also has a good SELinux training component

Anchore

  • Free image scanning service with a commercial offering similar to Docker Cloud

Commercial solutions


Networking


Cilium

Linux Monitoring at Scale with eBPF (Brendan Gregg & Alex Maestretti)

  • bSides SF 2017 talk about container monitoring at Netflix using eBPF

Calico

  • Security enforcement for Flannel SDN

Kube2IAM

  • Apply Amazon Identity Management roles to Kubernetes Pods

Trieme

  • SDN application segmentation

Envoy

  • Sidecar and security enforcement system used at Lyft

Scope

  • Realtime metrics gathering across the cluster

Segment Routing in Container Networks

  • Research paper on a practical implementation of segment routing in a container cluster

Commercial solutions

  • StakRox - Container security solution with adaptive threat protection
  • Netsil - Operations dashboard for Kubernetes

Security profiles


bane

  • AppAromor profile generator for Docker containers

Container security as explained by the three pigs

SELinux for Mere Mortals

  • A gentle introduction to Security Enhanced Linux

SELinux is no Longer an Option

Firejail

  • Linux namespaces and seccomp-bpf sandbox. Also works with GUI apps

Docker SELinux Capabilities reference

  • A handy list of capabilities that are enabled by default in Docker

Detailed post about SELinux Capabilities

  • An SELinux deep dive

What capabilities do I really need in my container?

  • Blog post about figuring out what capabilities a container needs

Secure Your Containers with this One Weird Trick

  • Spoiler, its using SELinux

Falco

  • Open source container security monitoring

Exploits


nsenter

  • This isn't an exploit but it allows user to access the host VM if run in privileged mode

Dirty COW

Docker CVE List

  • List of known security vulnerabilities for Docker

Three Overlooked Lessons about Container Security

  • Outlines an interesting spear-phishing attack on image maintainers

Presentations


Introduction to Container Security

GoDaddy's Production Kubernetes Story & Moving Target Defense in Container Envs

Container Security Round Table

Secure Substrate: Least Privilege Container Deployment

A Docker Image Walks Into a Notary

How Secure Are Your Docker Images?

Docker Security Deep Dive - Docker Track

  • Securing the image pipeline from creation to delivery

Scaling Application Defense with Intent Based Security - Michael Withrow (Twistlock)

  • A security model to match the deployment model of many orchestration utilities

Container Performance Analysis

  • Container performance analysis at Netflix. This contains similar material as the bSides talk listed above with
  • Evolution of Container Usage at Netflix - Also provides insight into container monitoring, logging, and security at Netflix.

Docker Networking in Production at Visa

  • Chief Systems Architect Sasi Kannappan describes how Docker is used at Visa

The Golden Ticket- Docker and High Security Microservices - Black Belt Track