Kubernetes and Container Security Tools You Must be Aware Of

Panoptica Team
Monday, Apr 19th, 2021

Threat detection, container lifecycle management, container registries, and access control tools. Whether paid or free, the web is full of container security tools allowing developers and organizations to maintain a secure environment. 

This blog post will focus on Kubernetes and container open source security tools, as we believe some free tools deliver no less than their commercial equivalents. Start with these free, readily available cloud infrastructure tools and then when you’re ready to consider an ongoing solution for high severity vulnerabilities - give us a call!

What is a container security tool?

Securing containers is a really important part of running and managing a cloud environment. Your container workloads will be part of a broader ecosystem within your business, including public cloud like Google cloud platform, Amazon web services or Azure, any private cloud instances like VMware, as well as hybrid cloud or serverless computing. You will probably be using infrastructure-as-a-service and platform-as-a-service functions that include RDS or S3 buckets. You’re likely running container orchestration like Docker or Amazon ECS. As containers are dynamic, they can be tough to secure as part of this ever-changing reality. Some containers might only be connected for a matter of seconds, while others are more long-term. 

Another challenge is that DevOps are usually responsible for creating and maintaining containers. They use continuous integration and continuous delivery, often called CI/CD pipelines to keep the fast pace of business that you’re used to and to keep up with the competition and customer demand. But if security isn’t part of this process, you could quickly leave yourself open to risk. DevOps aren’t security trained, so the right container tools and security technologies are essential. 

Container security tools do more than just vulnerability detection. They ensure that everything in your container is running as you programmed it to. The process of securing containers must run continuously while securing the container host, its network traffic, and its management stack but also while monitoring the integrity of the build pipeline, your application security, and its foundational layers within the container.

Here are some of our favorite open-source container tools that do exactly that.



When considering static analysis tools, Clair is one of the best out there. Clair is a comprehensive auditing tool based on multiple CVE databases, performing static analysis of any vulnerabilities within your OCI and Docker containers.

The process of identifying security vulnerabilities is based on indexing a list of features within a particular container image and then querying the database for vulnerabilities connected to that image. 

The database includes a lot of sources, more than many similar tools of its kind, including data from Red Hat Security, Debian, Ubuntu, and more. Not only that, but your developers can add their own drivers to scan for additional behaviors within Docker images and the like, putting your developers in control. Rather than manually checking through report logs, the API calls for specific container images streamlines the process from end to end.


In a similar way to Clair, above - Anchore is another container security tool based on CVE data and that uses container images. Anchore enables Docker container image inspection and analysis with the use of custom policies.

There is a lot of flexibility in the Anchore platform, as you can create whitelists and blacklists for certain policies, basing this on specifics such as the configuration, the credentials used, and even the file contents itself. 

The tool can run as stand-alone or on platforms such as Kubernetes, including Jenkins and GitLab integration for CI/CD.

Scanning container images will provide developers or security staff with a list of vulnerabilities and risk levels, and there is a simple Command-line interface (CLI) that can be used to get the information you need.



If you’re looking for an open-source tool to define and source container metadata for virtual machines and containers, Grafeas is a great choice. Grafeas is a component metadata API based container security tool created by IBM & Google that allows for the creation of container security scanning projects.

Grafaes can enforce security policies on Kubernetes clusters that use Grafaes metadata. We like this tool because it helps get mitigation up and running quicker and with less manual work, which means as soon as an exploit has been uncovered, you’re a lot closer to remediation. On top of that, as Grafeas has the might of IBM and Google behind it, you’re getting more confidence than your average open-source tool.



Having visibility at the kernel is a really powerful security tool to have at your fingertips, and Cilium provides API-aware networking security at this level, so it’s a definite must-have for our list of top container tools. 

This open source tool is run by Berkeley Packet Filter, now known as BPF, which is a Linux kernel technology. Without any need to change your underlying application code or the configuration of your containers, Cilium allows you to create security policies and update them. This is a lightweight benefit that pays dividends.

There is also a strong community around Cilium, which means you can get a lot of support and advice where necessary. There’s even a Slack channel and a weekly meeting for developers, so it’s a great choice for those who need a bit more hand holding when it comes to open source or security of this environment.


Here’s another static analysis tool for finding known vulnerabilities. Dagda can be used to analyze your container environment, and find problems such as malware, viruses or trojans inside containers and Docker images. This is done using the ClamAV antivirus engine. 

There are a few steps to the Dagda process. First, CVEs are used from well known databases such as Red Hat Security Advisories and Bug Advisories, and BID. Then the images and containers will be analyzed against these CVEs.

You then run a static analysis of these vulnerabilities, and the Dagda tool will take information such as the OS packages and any dependencies, and then these will be verified against the information that has been pulled in and is being stored in the MongoDB, plus any malicious activity will be found using the AV engine. 

Unique elements of Dagda are that you have support for multiple Linux images such as Alpine, Ubuntu, and OpenSUSE, and you can analyze dependencies from many programming languages - including java, python node js, PHP, ruby etc. Keep reading to learn about Falco below - because you can integrate Dagda with Falco too, to monitor running containers.

Sysdig Falco

Sysdig Falco

Created by Sysdig, Falco is a Kubernetes security auditing tool by Sysdig that monitors containers, hosts, and network activities. It is used for continuous infrastructure checks and to detect anomalous activity.  

Behavioral activity monitoring has become more common in recent years, especially for complex environments like containers, where visibility is essential. Falco works behind the scenes to continuously check infrastructure for any kind of Linux system. You can use Falco to find out more about your container environment, for example suspicious behavior or calls, outbound network attempts, or access to sensitive data.

OpenSCAP Workbench

OpenSCAP Workbench

OpenSCAP isn’t one container security tool, it’s actually a cluster of multiple tools that affords organizations efficient development of security content. You can use OpenSCAP to create policies and then maintain them on platforms that include CentOS, Red Hat Enterprise Linux, Fedora, or Scientific Linux, simply by using a GUI. Automatically, scans will be run on your containers, VMs and Docker images. 

Not sure what SCAP is? It stands for Security Content Automation Protocol, and it’s certified by NIST. The security policies are machine-readable, and OpenSCAP is proud of its ability to reduce the costs of performing security audits.

JFrog Xray

JFrog Xray

One scanning tool which has received a lot of attention lately is JFrog Xray. This is an artifact analysis tool, and will provide a continuous picture of all artifacts as well as dependencies. Interestingly this can be used for wider security vulnerabilities as well as issues such as license compliance and other errors. 

With a native integration with JFrog Artifactory, you can get visibility into the metadata, and all the necessary security information in one view. JFrog uses a continuously growing database of vulnerabilities to alert users of any issues, and will support all package types, including those in zip files, or those that are packaged in Docker images. Touching on graph-based analysis, you will receive a graph of your artifacts and the structure of any dependencies, providing a visual understanding of the gaps or issues in your environment.



Looking for an open-source Kubernetes scanner? Kube-hunter is an open source tool for pen-testing both your cluster and its nodes, or as described on its own github page - the kube-hunter "hunts for security weaknesses in Kubernetes clusters". 

Kube-hunter allows you to attack your own kubernetes environment in order to identify blind spots and gaps before an attacker finds them for you. The way it works is that the kube-hunter will test for container configuration issues by probing any domain or address range for open ports. You can run kube-hunter as a container on any machine, or as a pod within the cluster, and you’ll get the same view the attackers have of your environment - with clear reporting and understanding over how exposed this cluster or container would be. 

One of the things we like the most about kube-hunter is the sheer breadth of tests that the open source tool offers. These tests are categorized into active and passive tests. Passive tests include API Service Discovery, Dashboard Discovery, Etcd Service, Host Discovery, Kubectl Client Discovery, Kubelet Discovery, and Port Scanning and Proxy Hunting and Discovery, plus Access Secrets.

Active tests include a foothold test which is done via a secure Kubelet Port, malicious intent test to see if an attacker could leverage privileged containers, and hunters for issues found in container logs, system logs, Azure subscription files, API servers, and potential spoof attacks like DNS or ARP.


The kube-bench security tool is another open-source vulnerability scanner that checks the Kubernetes cluster's deployment, making sure it was done while following security best practices as the Center for Internet Security defines them (click here for CIS Kubernetes Benchmark). There are a number of ways to run kube-bench.

One can run the kube-bench within a pod, however be aware that you’ll need to provide access to the host’s PID namespace, which will allow the tool to check the running processes and get access to the right files. 

The result of this series of tests will be the highlighting of areas of the Kubernetes environment that do not comply with CIS benchmarks as well as some optional solutions to resolve them. Here’s some support with how to run kube-bench against an EKS cluster in AWS.


Another recommendation is Kubeaudit by Shopify, run by aqua security. This open-source tool audits Kubernetes clusters while comparing them to security tests known as "auditors". The tests check all kinds of parameters, including the pods' security context and any misconfigurations inside the clusters. 

As in kube-bench mentioned above, this kubernetes security tool not only identifies vulnerabilities in Kubernetes clusters but also offers recommended solutions to solve each and every one of them, which can help developers who need to keep up the pace of an agile development environment.

Understanding the Limit of Open-Source Security Tools for Container and K8S Security  

These are a roundup of some of our favorite tools that can help with container runtime security, network security, and other security threats. However, there is always going to be a limit to the effectiveness of security procedures that are based on CVEs and known signatures. Getting into the mind of the attacker means taking two steps back and being able to get a full view of your environment and its open attack paths, in the context of what matters in your business environment. Hey, that’s exactly what we do at Panoptica! 

Get in touch if you want to discuss your own contextual cloud security environment, and how to shore up any gaps before the attackers find them for you. 

Have we missed any of your favorite open source container security tools which you think should be on this list?

Popup Image