awesome-docker-security
A curated collection of resources and tools for securing Docker containers
A curated list of awesome Docker security resources
641 stars, 11 watching, 96 forks, last commit 20 days ago

Awesome Docker Security / Books
- Container Security by Liz Rice
- Docker Security by Adrian Mouat
- Advanced Infrastructure Penetration Testing by Chiheb Chebbi
Awesome Docker Security / Blogs
- Docker Security
- OWASP Docker Security (632 stars, last commit 12 months ago)
- Introduction to Container Security: Understanding the isolation properties of Docker
- Anatomy of a hack: Docker Registry
- Hunting for Insecure Docker Registries
- How Abusing Docker API Lead to Remote Code Execution
- Using Docker-in-Docker for your CI or testing environment? Think twice
- Vulnerability Exploitation in Docker Container Environments
- Mitigating High Severity RunC Vulnerability (CVE-2019-5736)
- Building Secure Docker Images - 101
- Dockerfile Security Checks using OPA Rego Policies with Conftest
- An Attacker Looks at Docker: Approaching Multi-Container Applications
- Lesson 4: Hacking Containers Like A Boss
- How To Secure Docker Images With Encryption Through Containerd
Awesome Docker Security / Videos
- Best practices for building secure Docker images
- OWASP Bay Area - Attacking & Auditing Docker Containers Using Open Source tools
- DockerCon 2018 - Docker Container Security
- DockerCon 2019 - Container Security: Theory & Practice at Netflix
- DockerCon 2019 - Hardening Docker daemon with Rootless mode
- RSAConference 2019 - How I Learned Docker Security the Hard Way (So You Don't Have To)
- BSidesSF 2020 - Checking Your --privileged Container
- Live Container Hacking: Capture The Flag - Andrew Martin (Control Plane) vs Ben Hall (Katacoda)
Awesome Docker Security / Tools / Container Runtime

| Name | Stars | Last commit | Description |
|---|---|---|---|
| gVisor | 15,851 | 5 days ago | An application kernel, written in Go, that implements a substantial portion of the Linux system surface |
| Kata Container | 5,565 | 6 days ago | An open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs |
| sysbox | 2,812 | 10 days ago | An open-source container runtime that enables Docker containers to act as virtual servers capable of running software such as Systemd, Docker, and Kubernetes in them. Launch inner containers, knowing that the outer container is strongly isolated from the underlying host |
| Firecracker | 2,222 | 3 months ago | An open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services |
Awesome Docker Security / Tools / Container Scanning

| Name | Stars | Last commit | Description |
|---|---|---|---|
| trivy | 23,679 | 7 days ago | A simple and comprehensive vulnerability scanner for containers, suitable for CI |
| Clair | 10,359 | 8 days ago | Static vulnerability analysis that discovers Common Vulnerabilities and Exposures (CVEs) in containers; integrates with CI systems such as GitLab CI |
| Harbor | 24,175 | 6 days ago | An open source trusted cloud native registry project equipped with features such as a RESTful API, registry, vulnerability scanning and RBAC |
| Anchore Engine | | | An open source project that provides a centralized service for inspection, analysis and certification of container images. Access the engine through a RESTful API and the Anchore CLI, and integrate it with your CI/CD pipeline |
| grype | 8,812 | 6 days ago | An open source project from Anchore that performs vulnerability scanning of container images and filesystems |
| Dagda | 1,159 | over 1 year ago | A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities |
| Snyk | | | CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies; supports container scanning and application security |
Awesome Docker Security / Tools / Compliance

| Name | Stars | Last commit | Description |
|---|---|---|---|
| Docker Bench for Security | 9,146 | about 1 month ago | A script that checks for dozens of common best-practices around deploying Docker containers in production |
| CIS Docker Benchmark - InSpec profile | 488 | over 1 year ago | Compliance profile that implements the CIS Docker 1.13.0 Benchmark in an automated way to provide security best-practice tests around the Docker daemon and containers in a production environment |
| lynis | 13,455 | 17 days ago | Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional |
| Open Policy Agent (OPA) | | | An open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack |
| opa-docker-authz | 86 | 4 months ago | A policy-enabled authorization plugin for Docker |
Awesome Docker Security / Tools / Pentesting

| Name | Stars | Last commit | Description |
|---|---|---|---|
| BOtB | 638 | about 1 year ago | Container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies |
| Gorsair | 850 | 11 months ago | A penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers |
| Cloud Container Attack Tool | 589 | about 5 years ago | A tool for testing security of container environments |
| DEEPCE | 1,205 | 6 months ago | A tool for docker enumeration, escalation of privileges and container escapes |
Awesome Docker Security / Tools / Playground

| Name | Stars | Last commit | Description |
|---|---|---|---|
| DockerSecurityPlayground (DSP) | 575 | about 2 months ago | A microservices-based framework for the study of network security and penetration test techniques |
| Katacoda Courses: Docker Security | | | Learn Docker Security using interactive browser-based scenarios |
| Docker Security by Control Plane | | | Learn Docker Security from Control Plane |
| Play with Docker | | | A simple, interactive, fun playground to learn Docker and its |
| OWASP WrongSecrets | 1,233 | 6 days ago | A vulnerable app covering bad practices in secrets management, including Docker |
Awesome Docker Security / Tools / Monitoring

| Name | Stars | Last commit | Description |
|---|---|---|---|
| Falco | 7,394 | 11 days ago | Cloud Native Runtime Security |
| Wazuh | | | Free, open source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance |
| Weave Scope | | | Detects processes, containers, hosts. No kernel modules, no agents, no special libraries, no coding. Seamless integration with Docker, Kubernetes, DCOS and AWS ECS |
Awesome Docker Security / Tools / Others

| Name | Stars | Last commit | Description |
|---|---|---|---|
| anchor | 12 | 30 days ago | A tool to ensure reproducible builds by pinning dependencies inside your Dockerfiles |
| dive | 46,318 | 4 months ago | A tool for exploring each layer in a docker image |
| hadolint | 10,453 | 25 days ago | A smarter Dockerfile linter that helps you build best practice Docker images |
| dockle | 2,784 | 3 months ago | Container image linter that helps you build best-practice Docker images |
| docker_auth | 1,282 | 4 months ago | Authentication server for Docker Registry 2 |
| bane | 1,183 | about 4 years ago | Custom & better AppArmor profile generator for Docker containers |
| secret-diver | | | Analyzes secrets in containers |
| confine | 62 | over 2 years ago | Generate SECCOMP profiles for Docker images |
| imgcrypt | 368 | 24 days ago | OCI Image Encryption Package |
| lazydocker | 37,345 | 3 months ago | A tool to manage docker images and containers easily |
Awesome Docker Security / Use Cases
- How I Hacked Play-with-Docker and Remotely Ran Code on the Host
- A hacking group is hijacking Docker systems with exposed API endpoints
- Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners
- Cryptojacking worm compromised over 2,000 Docker hosts
- Docker API vulnerability allows hackers to mine Monero
- Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
- How dangerous is Request Splitting, a vulnerability in Golang or how we found the RCE in Portainer and hacked Uber
- Docker Registries Expose Hundreds of Orgs to Malware, Data Theft
- Doki Backdoor Infiltrates Docker Servers in the Cloud
- Threat Actors Now Target Docker via Container Escape Features
- CVE-2020-15157: Vulnerability in Containerd Can Leak Cloud Credentials