20 Docker Security Tools Compared
WHITE PAPER
Is Docker insecure? Not at all. Features like process isolation with user namespaces, resource encapsulation with cgroups, immutable images and shipping only the minimal software and dependencies reduce the attack surface and provide a great deal of protection. But is there anything else we can do? There is much more than image vulnerability scanning, and these are 20 container and Docker specific security tools that can help.
Sysdig 2
Index of Docker Security tools
Anchore Navigator
AppArmor
AquaSec
BlackDuck Docker Security
Cavirin
Cilium
CoreOS Clair
Docker capabilities & resource quotas
Docker Bench for Security
Dockscan
Falco
HashiCorp Vault
NeuVector
Notary
OpenSCAP
REMnux
SELinux
Seccomp
StackRox
Sysdig
Sysdig Secure
Tenable FlawCheck
Twistlock
Anchore Navigator
Anchore Navigator provides a free service for deep inspection of public Docker images. You can also explore their rich repository of already dissected public images for full visibility of each image's content, build process and discovered CVEs, each linked to the complete issue description and known fixes.
Using this tool you can perform a deep analysis of your own images and, with the commercial version, subscribe to the images you frequently use for your deployments to receive security warnings when they change.
Homepage: anchore.io
License: Commercial, some services are free to use
Use Cases: Pre-production analysis,
vulnerability newsfeed
AppArmor
AppArmor lets the administrator assign a security profile to each program in your system: filesystem access, network capabilities, link and execute rules, etc.
It is a Mandatory Access Control (MAC) system, meaning that it prevents the forbidden action from taking place, although it can also run a profile in complain mode and only report violation attempts.
AppArmor is sometimes considered a more accessible and simplified version of SELinux; both are closely related. You only need to learn the profile language syntax and fire up your favorite editor to start writing your own AppArmor rules.
Docker context: Docker automatically generates and loads a default AppArmor profile for containers named docker-default. You can create specific security profiles for your containers or the applications inside them and select one per container at run time.
Homepage: wiki.apparmor.net
License: Open Source
Use Cases: Runtime protection,
Mandatory Access Control (MAC)
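The custom-profile workflow described above, as an added example (this is not code from the white paper, the AppArmor project or Docker): a profile that keeps docker-default's broad allows but makes the image's system directories read-only and forbids mounts, followed by the two checks a practitioner wants, that the kernel actually loaded the profile and that a running container carries it. The profile name docker-deny-sys-write, the denied paths and the alpine test image are assumptions.

```shell
#!/bin/sh
# Added example, not from the white paper or the AppArmor project.
# Profile name, denied paths and the alpine image are assumptions.
set -eu

PROFILE_NAME="docker-deny-sys-write"
PROFILE_FILE="${PROFILE_FILE:-/etc/apparmor.d/containers/$PROFILE_NAME}"

# Write the profile. Deny rules take precedence over allow rules, so the
# broad "file," allow is narrowed by the explicit denies below it.
write_profile() {
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
#include <tunables/global>

profile docker-deny-sys-write flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,

  # no mounts of any kind from inside the container
  deny mount,

  # system directories of the image are read-only for the workload
  deny /etc/** wl,
  deny /bin/** wl,
  deny /sbin/** wl,
  deny /usr/** wl,
  deny /lib/** wl,

  # kernel tunables and sysfs are off limits for writing
  deny /proc/sys/** wl,
  deny /sys/** wl,
}
EOF
}

# Load (or replace) the profile in the kernel; needs root and apparmor_parser.
load_profile() { apparmor_parser -r -W "$1"; }

# The kernel lists loaded profiles with their mode; if this fails, the
# docker run below is refused with an "unknown AppArmor profile" error.
profile_loaded() {
  grep -qx "$1 (enforce)" /sys/kernel/security/apparmor/profiles
}

# Start a container confined by this profile instead of docker-default.
run_confined() { docker run --rm --security-opt "apparmor=$PROFILE_NAME" "$@"; }

# Which profile a running container really carries (empty means unconfined).
container_profile() { docker inspect --format '{{.AppArmorProfile}}' "$1"; }

if [ "${1:-}" = "install" ]; then
  write_profile "$PROFILE_FILE"
  load_profile "$PROFILE_FILE"
  profile_loaded "$PROFILE_NAME" && echo "loaded: $PROFILE_NAME"
  # a write under /etc must now fail with "Permission denied"
  run_confined alpine sh -c 'touch /etc/x' || echo "write to /etc blocked as intended"
fi
```

Run it as root with the argument install; afterwards container_profile on any container started through run_confined prints docker-deny-sys-write. Keep the profile in complain mode (aa-complain) for a first run of a real workload and promote it to enforce once the audit log shows no legitimate accesses being denied.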
AquaSec
AquaSec is a commercial security suite designed with containers
in mind. Security audit, container image verification, runtime
protection, automated policy learning or intrusion prevention
capabilities are some of the most relevant features.
AquaSec supports orchestration tools like Docker Swarm, Mesos, Kubernetes or OpenShift. The platform provides programmatic access through its API and can be deployed either on-premises or in the public cloud.
Homepage: aquasec.com
License: Commercial
Use Cases: Pre-production analysis,
runtime protection, compliance & audit, etc.
BlackDuck Docker Security
Black Duck Hub specializes in container inventory and reporting: it indexes the images you build, maps known security vulnerabilities to them and produces cross-project risk reports. You can easily pinpoint the specific libraries, software packages or binaries that are causing the security risk, and the assistant will automatically offer you a list of known fixes.
As opposed to similar solutions, Black Duck Hub also analyzes "License Risk", considering the different software licenses that you are currently bundling together to build your containerized distributed system.
Homepage: blackducksoftware.com
License: Commercial.
Use Cases: Pre-production analysis,
vulnerability newsfeed, license/legal risks.
Cavirin
Cavirin works with organizations such as CIS to collaboratively develop and maintain security standards that any other tool can benefit from. At present, it has authored the CIS Docker Security Benchmark as well as the CIS Kubernetes Security Benchmark. They promote the term "DevSecOps" to stress their focus on integrating the security and DevOps/container fields. Apart from the features you can expect in a one-stop DevOps security platform (comparable to Twistlock or AquaSec in feature set and approach), we can highlight their compliance & audit tooling for security standards like PCI, HIPAA, NIST or GDPR.
Homepage: cavirin.com
License: Commercial
Use Cases: Runtime protection, pre-production analysis,
compliance & audit
Cilium
Cilium provides transparent network security between container applications. It uses eBPF, a Linux kernel technology, to define and enforce both network-layer and HTTP-layer security policies based on container/pod identity rather than on IP addresses, which change every time a container is rescheduled.
Cilium leverages BPF to perform core data path filtering, mangling, monitoring and redirection. These BPF capabilities are available in any Linux kernel version 4.8.0 or newer.
Homepage: cilium.io
License: Open Source
Use Cases: HTTP-layer network security,
network-layer security
CoreOS Clair
Clair is an open source project for the static analysis of vulnerabilities in containers (currently supporting appc and Docker images). Clair periodically refreshes its vulnerability database from a set of configured CVE sources, scans the available container images and indexes the installed software packages. If any vulnerable software is detected, it can alert or block deployment to production.
Since Clair image analysis is static, containers never need to be actually executed, so you can detect a security threat before it is running in your systems. Clair is the security engine used internally by the CoreOS Quay container registry.
Homepage: coreos.com/clair
License: Open Source
Use Cases: Pre-production analysis,
vulnerability newsfeed
Docker capabilities and resource quotas
We shouldn't forget the basic security measures that come already bundled with our OS and the Docker engine.
Resource abuse and denial of service is an often overlooked but very real security problem in a containerized environment, with vast amounts of software entities competing for the host resources.
Control Groups (cgroups) is a feature of the Linux kernel that allows you to limit the access processes and containers have to system resources such as CPU, RAM, IOPS and network.
Capabilities allow you to break down the full root permissions into several split permissions; this way you can remove specific capabilities from the root account or augment the capabilities of user accounts at a more granular level. Docker already starts containers with a reduced default capability set, and CAP_SYS_ADMIN in particular should stay dropped, since it is close to full root.
Homepage: docker.com
License: Open Source
Use Cases: Runtime protection, resource DoS protection
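Both mechanisms applied to a single docker run, as an added example (not code from the white paper or the Docker project): drop every capability, add back only the one a network service needs, forbid privilege escalation, apply cgroup limits on memory, CPU and process count, and then decode CapEff from /proc inside the container to prove the capabilities really went away, rather than trusting the flags. The container name, the alpine stand-in image, the concrete limits and the NET_BIND_SERVICE choice are assumptions; the capability bit table is the one from linux/capability.h.

```shell
#!/bin/sh
# Added example, not from the white paper or the Docker project.
# Container name, image, limits and the NET_BIND_SERVICE choice are assumptions.
set -eu

# Capability names in bit order, from linux/capability.h (bits 0..37).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ"

# cap_has HEXMASK BIT: succeeds when that capability bit is set in the mask.
cap_has() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# cap_names HEXMASK: the names of every capability present in the mask.
cap_names() {
  bit=0; out=""
  for name in $CAP_NAMES; do
    if cap_has "$1" "$bit"; then out="$out${out:+ }$name"; fi
    bit=$((bit + 1))
  done
  echo "$out"
}

# Drop every capability, add back the one the service needs, forbid regaining
# privileges via setuid binaries, make the root filesystem read-only and cap
# memory, CPU and process count through cgroups.
run_hardened() {
  name=$1; shift
  docker run -d --name "$name" \
    --cap-drop=ALL --cap-add=NET_BIND_SERVICE \
    --security-opt=no-new-privileges \
    --read-only --tmpfs /tmp \
    --memory=256m --memory-swap=256m \
    --cpus=0.5 \
    --pids-limit=100 \
    "$@"
}

# Effective capabilities of the container's PID 1, read from inside the container.
container_capeff() { docker exec "$1" awk '/^CapEff/ {print $2}' /proc/1/status; }

# The limits the daemon actually recorded; 0 means "unlimited", i.e. a flag was lost.
container_limits() {
  docker inspect --format 'memory={{.HostConfig.Memory}} pids={{.HostConfig.PidsLimit}} nanocpus={{.HostConfig.NanoCpus}}' "$1"
}

if [ "${1:-}" = "demo" ]; then
  run_hardened demo alpine sleep 300 >/dev/null
  mask=$(container_capeff demo)
  echo "CapEff=$mask -> $(cap_names "$mask")"   # expected: NET_BIND_SERVICE only
  cap_has "$mask" 21 && echo "FAIL: CAP_SYS_ADMIN present" || echo "OK: no CAP_SYS_ADMIN"
  container_limits demo
  docker rm -f demo >/dev/null
fi
```

Docker's own default set shows up as CapEff 00000000a80425fb (fourteen capabilities, among them NET_RAW and MKNOD); after the hardened run only bit 10 remains. A real service may need a few more than that: a daemon that starts as root and switches to an unprivileged user for its workers fails with "Operation not permitted" on setgid/setuid unless SETUID and SETGID are added back, so start from --cap-drop=ALL and add capabilities one at a time until the errors stop.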
Docker-bench security
The Docker Bench for Security is a script that checks for dozens of common best practices around deploying Docker containers in production.
It is conveniently packaged as a Docker container: just copy and paste the docker run one-liner from its homepage and you can instantly see the results of all its checks against your running Docker containers and the host running the Docker engine (Docker CE or Docker Swarm). The tests are inspired by the CIS Docker Community Edition Benchmark v1.1.0. Note that the script only reports; fixing a failed check is still up to you.
Homepage: github.com/docker/docker-bench-security
License: Open Source
Use Cases: Compliance & audit
Dockscan
A simple Ruby script that analyzes the Docker installation and running containers, on both local and remote hosts.
It is easy to install and run with just one command and can generate HTML report files. Dockscan reports configured resource limits, containers spawning too many processes or with a high number of modified files, or whether your Docker host is allowing containers to directly forward traffic to the host gateway, to name a few checks.
Homepage: github.com/kost/dockscan
License: Open Source
Use Cases: Compliance & audit
Falco
Sysdig Falco is open source behavioral monitoring software designed to detect anomalous activity, built on the Sysdig system call instrumentation. Falco works as an intrusion detection system on any Linux host.
Falco is an auditing tool, as opposed to enforcement tools like Seccomp or AppArmor: it detects and alerts but does not block. It runs in user space, using a kernel module to capture system calls, whereas the other tools perform system call filtering at the kernel level. One benefit of a user space implementation is being able to integrate with external systems like Docker, Docker Swarm, Kubernetes, Mesos, etc. and import their resource metadata and tags.
Docker context: Falco supports container-specific context in its rules. Using this tool you can monitor container behaviour without instrumenting or modifying the containers in any way. Custom rule creation is easy to grasp and the default rules file comes prepopulated with sane defaults.
Homepage: sysdig.org/falco
License: Open Source
Use Cases: Runtime alerting, forensics
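Two rules that use exactly the container context mentioned above, as an added example (not code from the white paper or the Falco project): each condition is guarded by container.id != host, so neither fires for the same commands run on the host, and the outputs pull the container name and image into the alert. The script writes them to the conventional local rules file and starts Falco from its container with the host instrumented. The rule names, the process lists and the falcosecurity/falco image name are assumptions.

```shell
#!/bin/sh
# Added example, not from the white paper or the Falco project.
# Rule names, process lists and the falco image name are assumptions.
set -eu

RULES="${RULES:-./falco_rules.local.yaml}"

# Two container-scoped rules. evt.type = execve with evt.dir = < is the
# process-spawn event; container.id != host restricts to containers.
write_rules() {
  cat > "$1" <<'EOF'
- rule: Package manager run in container
  desc: apt/apk/yum/pip executed in a running container (images should be immutable)
  condition: >
    evt.type = execve and evt.dir = < and container.id != host
    and proc.name in (apt, apt-get, apk, yum, dnf, pip, pip3)
  output: >
    Package manager launched in container (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image)
  priority: WARNING
  tags: [container, immutable_image]

- rule: Interactive shell in container
  desc: a shell attached to a tty inside a container is usually a human, not the workload
  condition: >
    evt.type = execve and evt.dir = < and container.id != host
    and proc.name in (sh, bash, dash, zsh) and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    container=%container.name image=%container.image)
  priority: NOTICE
  tags: [container, shell]
EOF
}

# Offline check: every rule carries the container guard, so none fires on the host.
rules_are_container_scoped() {
  [ "$(grep -c '^- rule:' "$1")" -eq "$(grep -c 'container.id != host' "$1")" ]
}

# Run Falco from its own container; the host's /proc, /dev and modules are mounted
# so the kernel module can be loaded, and our rules override the local rules file.
run_falco() {
  rules_dir="$(cd "$(dirname "$1")" && pwd)"
  docker run --rm -d --name falco --privileged \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro \
    -v "$rules_dir/$(basename "$1")":/etc/falco/falco_rules.local.yaml:ro \
    falcosecurity/falco
}

if [ "${1:-}" = "start" ]; then
  write_rules "$RULES"
  rules_are_container_scoped "$RULES"
  run_falco "$RULES"
  # trigger the second rule from another terminal, then read the alert:
  #   docker run --rm -it alpine sh
  #   docker logs falco
fi
```

The docker.sock mount is what gives Falco the container name and image for %container.name and %container.image; without it the same events are still seen but the alert only carries the container id.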
HashiCorp Vault
HashiCorp's Vault is an advanced suite for managing secrets: passwords, SSL/TLS certificates, API keys, access tokens, SSH credentials, etc. It supports time-based secret leases, fine-grained secret access, on-the-fly generation of new secrets, key rolling (renewing keys without losing access to secrets generated using the old one) and much more.
Vault keeps a detailed audit log of all the secrets and of the access and manipulations performed by each user/entity, so operators can easily trace any suspicious interaction.
Docker context: The secure distribution and traceability of secrets is a core concern in the new microservices and containerized environments, where software entities are constantly spawned and deleted. Vault itself can be deployed as a Docker container.
Homepage: vaultproject.io
License: Open Source, with a commercial enterprise version
Use Cases: Secure container-aware credentials storage, and trust management
NeuVector
NeuVector focuses on real-time security protection at runtime. It automatically discovers the behavior of applications, containers and services, and detects privilege escalations and other related threats in a similar fashion to other Linux IDS. NeuVector privileged 'enforcer' containers are deployed on each physical host with full access to the local Docker daemon; apart from that, the internal technology used by NeuVector is not thoroughly detailed in the publicly accessible documentation.
NeuVector aims to be a non-intrusive, plug & play security suite, performing automatic discovery of running containers and their default behavior to assist and counsel the operators in the design of their infrastructure security profiles.
Homepage: neuvector.com
License: Commercial
Use Cases: Runtime protection,
compliance & audit
Notary
Image forgery and tampering is one major security concern for Docker-based deployments. Notary is a tool for publishing and managing trusted collections of content. You can approve trusted publishers and create signed collections, in a similar way to the software repository management tools present in modern Linux systems, but for Docker images.
Some of Notary's goals include guaranteeing image freshness (most up to date content, to avoid known vulnerabilities), trust delegation between users and trusted distribution over untrusted mirrors or transport channels. Notary implements The Update Framework (TUF) and is the signing backend behind Docker Content Trust, which makes the Docker client refuse unsigned images once enabled.
Homepage: github.com/docker/notary
License: Open Source
Use Cases: Trusted image repository,
trust management, and verifiability
OpenSCAP
OpenSCAP provides a suite of automated audit tools to examine the configuration and known vulnerabilities of your software, following the Security Content Automation Protocol (SCAP) specification maintained by NIST.
You can create your own custom assertions and rules and routinely check that any software deployed in your organization strictly abides by them.
This set of tools is not only focused on the security itself, but also on providing the formal tests and reports that you may need to meet an official security standard.
Docker context: The OpenSCAP suite provides a Docker-specific tool, oscap-docker, to audit both running containers and cold images, either against a CVE feed or against an XCCDF configuration benchmark.
Homepage: open-scap.org
License: Open Source
Use Cases: Compliance & audit, certification
REMnux
A security oriented distribution based on Ubuntu. REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software, work that overlaps heavily with forensics.
As you can guess, this system bundles a vast amount of preinstalled analysis and security tools: Wireshark, ClamAV, tcpxtract, Rhino debugger, Sysdig, vivisect... just to name a few.
REMnux aims to be the Swiss army knife that you carry around on a USB stick in case you suspect any of your systems have been compromised.
Docker context: The REMnux project conveniently provides several of its integrated security tools as Docker containers, so you can instantly launch difficult-to-install security applications when you most need them.
Homepage: remnux.org
License: Open Source
Use Cases: Forensics
SELinux
Security-Enhanced Linux (SELinux) is a Linux kernel security
module. It is often compared with AppArmor, and it’s also a
Mandatory Access Control system. SELinux provides security
capabilities from mandatory access controls to mandatory
integrity controls, role-based access control (RBAC) and type
enforcement architecture.
SELinux has a reputation of being particularly complex but
powerful, fine-grained and flexible.
Docker context: Similarly to AppArmor, SELinux offers an extra layer of access policies and isolation between the host and the containerized apps. On an SELinux-enabled host, Docker runs each container with its own MCS category label, so a compromised container cannot read the files of another container or of the host even as root inside the container; bind-mounted volumes need the :z or :Z suffix to be relabeled so the container can use them.
Homepage: selinuxproject.org
License: Open Source
Use Cases: Runtime protection,
Mandatory Access Control (MAC)
StackRox
StackRox's feature proposal revolves around the concepts of "adaptive security" and auto-discovery of components and behaviours. Highly focused on machine learning, automatic event correlation and dynamic pattern recognition, StackRox aims to provide fast-response, minimum-effort security that evolves hand in hand with your platform. Apart from the machine learning component, StackRox provides the usual features of commercial security platforms like cold image scanning or default security profiles à la SELinux.
Homepage: stackrox.com
License: Commercial
Use Cases: Runtime protection, machine learning,
pre-production analysis
Seccomp
Seccomp is not so much a tool but rather a sandboxing facility in the Linux kernel. You can think of it as an iptables-style rules-based firewall, but for system calls. It uses Berkeley Packet Filter (BPF) programs to filter syscalls and control how they are handled.
With Seccomp you can selectively choose which syscalls are forbidden or allowed for each container. For example, you can forbid file-permission manipulations inside your container.
You may have noticed the similarities with Falco: both are closely related to the Linux syscall API. There is a separate article comparing these two (together with AppArmor and SELinux). TL;DR: unlike the others, Falco integrates rich high-level container-specific context to build rules, but it only alerts, whereas Seccomp blocks.
Docker context: Docker has used Seccomp since version 1.10 of the Docker Engine, applying a default profile that disables dozens of dangerous or rarely used syscalls. Docker has its own JSON-based DSL that allows you to define profiles that will be compiled to seccomp filters.
Homepage: kernel.org
License: Open Source
Use Cases: Runtime protection, syscall filtering (sandboxing)
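The "forbid file-permission manipulations" case from above in Docker's JSON DSL, as an added example (not code from the white paper or the Docker project): a profile that turns chmod, fchmod and fchmodat into EPERM, together with the two checks that prove the filter was really attached. The profile path, the alpine test image and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the white paper or the Docker project.
# Profile path, alpine image and helper names are assumptions.
set -eu

PROFILE="${PROFILE:-./no-chmod.json}"

# Docker seccomp DSL: a default action plus per-syscall overrides. Here the
# default stays ALLOW and only the chmod family is turned into an errno.
write_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": ["chmod", "fchmod", "fchmodat"],
      "action": "SCMP_ACT_ERRNO",
      "args": []
    }
  ]
}
EOF
}

# Offline sanity check: is SYSCALL listed, and is the override action ERRNO?
profile_denies() {
  grep -q "\"$2\"" "$1" && grep -q '"action": "SCMP_ACT_ERRNO"' "$1"
}

run_with_profile() { docker run --rm --security-opt "seccomp=$PROFILE" "$@"; }

# "Seccomp: 2" in /proc/self/status means filter mode, i.e. a BPF program is
# attached to the process; "Seccomp: 0" means the profile silently did not apply.
seccomp_mode() { run_with_profile alpine grep '^Seccomp:' /proc/self/status; }

if [ "${1:-}" = "demo" ]; then
  write_profile "$PROFILE"
  seccomp_mode
  # expected: "chmod: /tmp: Operation not permitted" and the OK line
  run_with_profile alpine chmod 700 /tmp && echo "FAIL: chmod succeeded" || echo "OK: chmod blocked"
fi
```

A deny list like this one is the easy way to demonstrate the mechanism, but it is the weaker shape: a newer kernel can add an equivalent syscall (fchmodat2 appeared in Linux 6.6) that the profile never mentions. Docker's own default profile is an allow list with defaultAction SCMP_ACT_ERRNO for exactly that reason, so for production take that profile, remove the entries you want blocked and pass the result with --security-opt seccomp=.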
Sysdig
Sysdig is a full-system exploration, troubleshooting and debugging tool for Linux systems. It records all system calls made by any process, allowing system administrators to find bugs in the operating system or in any process running on it.
Sysdig has a command line interface with a syntax similar to tcpdump and an ncurses interface to visually navigate and filter through the events, in a similar fashion to htop or Wireshark. The system call capture files allow you to perform forensics on your containers even if they are long gone.
Homepage: sysdig.org
License: Open source, commercial products built
on top of the free technology
Use Cases: Anomalous behaviour debugging,
forensics
Sysdig Secure
Sysdig Secure is a run-time security and forensics solution for your containers and microservices. Secure is part of the Sysdig Container Intelligence Platform and, like the rest of the family, comes out of the box with deep container visibility and container orchestrator integration, including Kubernetes, Docker, AWS ECS and Mesos.
Sysdig Secure protects your entire infrastructure: containers and hosts as well as the logical services that run on top of them. Sysdig Secure also provides full stack forensics capabilities for pre- and post-attack investigation.
Sysdig provides full performance monitoring and troubleshooting for your environment: a single instrumentation serves both monitoring and security, so there is no separate security agent to deploy.
Website: sysdig.com/product/secure
License: commercial
Use cases: runtime security, forensics and audit, hybrid
environments (containers and traditional deployment),
performance monitoring & troubleshooting, available both as
SaaS and on-prem.
Tenable Flawcheck
Tenable, the company perhaps best known for the Nessus security scanner, acquired FlawCheck, a container-focused security solution.
FlawCheck, like other commercial tools in this list, stores container images and scans them as they are built, before they can reach production. FlawCheck leverages Tenable/Nessus know-how and its database of vulnerabilities, malware and intrusion vectors, and adapts it to containerized and agile CI/CD environments.
Homepage: tenable.com/flawcheck
License: Commercial
Use Cases: Pre-production analysis,
vulnerability newsfeed
Twistlock
A commercial security suite built to support containerized
environments: vulnerability management, access control,
analytics and forensics to security standards compliance.
Twistlock integrates with your continuous integration /
continuous delivery pipeline, providing native plugins for popular
tools like Jenkins or TeamCity and callable webhooks, so you can
trigger the indexing and scanning process for every build and
testing environment.
Homepage: twistlock.com
License: Commercial
Use Cases: Pre-production analysis,
runtime protection, compliance & audit, etc.
Conclusion
We hope you find this Docker security tools list useful. If you
have suggestions or additional tools we should add, feel free
to ping us at @sysdig or reach us on the Sysdig community
Slack group.