TL;DR: What is Docker Bench for Security?
Docker Bench for Security is an open-source auditing tool that checks Docker containers and hosts against industry-standard security benchmarks.
DevOps teams and security engineers often struggle to audit Docker deployments by hand against the Center for Internet Security (CIS) Docker Community Edition benchmark. Manual reviews leave gaps that invite misconfigurations and compliance violations. Docker Bench for Security closes those gaps by automatically spotting security vulnerabilities, configuration weaknesses, and compliance issues that could lead to container escapes or privilege-escalation attacks. Automated, repeatable assessments remove the manual burden and put strong container security within reach for any development team, no matter its security expertise.
Docker Inc. created Docker Bench for Security, and many DevOps pipelines now rely on the tool to keep containerized environments locked down.
At-a-Glance
GitHub: https://github.com/docker/docker-bench-security
License: Apache-2.0
Primary Language: Shell
Stars: 9.5k
Last Release: December 2023
Topics/Tags: docker, security, cis-benchmark, compliance, container-security
Common use cases
1. Continuous security compliance in CI/CD pipelines
Organizations plug Docker Bench for Security into build and deployment workflows to scan container settings before code reaches production. Scheduled scans catch configuration drift, and teams use the tool’s JSON output to block deployments that fail security checks while keeping delivery speed high.
2. Security baseline assessment for new environments
Infrastructure teams run Docker Bench for Security during the first Docker rollout to set a clear security baseline. Early scans highlight gaps while the environment is still fresh, so teams can fix problems long before production traffic arrives.
3. Audit and compliance reporting
Security teams lean on the tool’s direct mapping to CIS controls to produce evidence for internal audits and regulatory reviews. Detailed reports feed both technical assessments and executive dashboards, making it simpler to prove strong container security practices over time.
4. Production security monitoring
Scheduled health checks of live container fleets help security operations teams uncover gaps, investigate incidents, and confirm that controls still work as intended. Consistent methodology and trend data show where posture improves and where new risks appear.
5. Infrastructure-hardening validation
System administrators use Docker Bench for Security to confirm that hardening efforts stick across updates, patches, and other changes. Regular scans prevent security regression and keep baseline configurations intact as the environment evolves.
How does Docker Bench for Security work?
Docker Bench for Security runs as a containerized app that launches several shell scripts to compare Docker settings with CIS Benchmarks. The container needs high-level host access, so you mount key directories such as /etc, /var/lib, and /var/run/docker.sock and share network, PID, and user namespaces.
Orchestrated test execution: The main docker-bench-security.sh script calls modular test scripts from the tests directory, each one linked to a CIS Benchmark section, including host configuration, daemon settings, and runtime parameters.
Multi-source data collection: Every module pulls data from the Docker API, configuration files, running processes, and system settings to build a full security picture.
Results processing: A central reporter labels each finding PASS, WARN, or INFO and supplies clear remediation steps.
Flexible output generation: Human-readable terminal output and structured JSON make integration with CI/CD pipelines and security platforms straightforward.
Core Capabilities
1. CIS Benchmark automation
Docker Bench for Security maps each test directly to CIS Docker Community Edition recommendations across seven security domains—host configuration, Docker daemon settings, configuration files, container images, runtime parameters, security operations, and Docker Swarm settings. Automated checks remove human error, deliver consistent baselines, and help teams prove compliance at scale.
2. Host and container security assessment
The scanner looks at both the host and running containers. Tests cover user namespaces, cgroup settings, SELinux and AppArmor profiles, audit logging, file-system permissions, and network security. Findings reveal weaknesses that span the full container stack, from host OS to application layer.
3. Multiple execution modes
You can run Docker Bench for Security as a container, execute the shell script directly on the host, or pick specific tests through command-line flags. Distribution-specific Dockerfiles and options for hosts without certain audit tools add more flexibility, so the tool fits diverse environments without extra software.
4. Detailed reporting and output
Reports group findings into PASS, WARN, and INFO with plain-language explanations and remediation advice. JSON output supports automated processing in SIEMs, vulnerability scanners, and CI systems, while terminal output helps during manual reviews.
5. Production-ready integration
Enterprise teams bake Docker Bench for Security into CI/CD stages, configuration-management jobs, and scheduled tasks. Continuous checks watch for configuration drift and flag issues without slowing down crucial workloads.
Limitations
1. CIS benchmark scope: Docker Bench for Security focuses on CIS Docker Community Edition guidance, so it may miss settings tied to other runtimes such as Podman, containerd, or CRI-O. The project targets CIS v1.6.0, while the latest CIS Docker Benchmark is v1.8.0. Evaluate fit for your environment and consider complementary or alternative tools for up-to-date checks.
2. Host system dependencies: Accurate results depend on host features like audit logging and SELinux or AppArmor support. Limited permissions or missing tools can lead to partial assessments.
3. Static configuration assessment: The scanner looks at configuration, not runtime behavior, so it can’t spot live attacks or anomalies. Additional monitoring tools are needed for real-time threat detection.
4. Limited remediation automation: Reports list fixes but don’t apply them, meaning teams must handle remediation manually or through separate configuration-management workflows.
5. Docker-centric focus: All recommendations center on Docker. Mixed or non-Docker environments will need other tools for full coverage.
Getting Started
Step 1: Clone the repository
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
Step 2 (Optional): Install jq for enhanced JSON output
sudo apt-get install jq
Step 3: Run the script directly on your system
sudo sh docker-bench-security.sh
Step 4: Review results
Check the output to identify and address any reported Docker security best practice issues.
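The CI/CD use case above relies on the tool's JSON output to block deployments that fail checks. The following is an added example, not code from the Docker Bench project: a small gate that parses a report, counts PASS/WARN/INFO findings per check, allows documented risk-accepted check ids, and fails the pipeline when too many unaccepted WARN findings remain. The report embedded here is constructed, and its field layout (tests[].results[] with id, desc, result) is an assumption about the tool's JSON log; confirm it against a real run before wiring the gate into a pipeline.

```python
import json
from collections import Counter

# Constructed sample report (not real scanner output). The field names are an
# assumed layout for docker-bench-security's JSON log; check a real report first.
SAMPLE_REPORT = json.dumps({
    "dockerbenchsecurity": "1.6.0",
    "tests": [
        {"id": "1", "desc": "Host Configuration", "results": [
            {"id": "1.1.1", "desc": "Separate partition for containers", "result": "WARN"},
            {"id": "1.1.2", "desc": "Only trusted users control the daemon", "result": "PASS"},
        ]},
        {"id": "2", "desc": "Docker daemon configuration", "results": [
            {"id": "2.1", "desc": "Run the daemon as a non-root user", "result": "INFO"},
            {"id": "2.2", "desc": "Restrict traffic between containers", "result": "WARN"},
            {"id": "2.8", "desc": "Enable user namespace support", "result": "WARN"},
        ]},
    ],
})


def evaluate_report(report_json, accepted_ids=(), max_warn=0):
    """Decide whether a CI gate passes for a docker-bench JSON report.

    accepted_ids: check ids whose WARN is a documented, risk-accepted exception.
    max_warn:     number of unaccepted WARN findings tolerated (0 = strict).
    Returns (passed, counts_per_result, blocking_findings).
    """
    report = json.loads(report_json)
    counts = Counter()
    blocking = []
    for section in report.get("tests", []):
        for check in section.get("results", []):
            status = check.get("result", "INFO")
            counts[status] += 1
            # Only WARN findings fail the gate; INFO needs a human look but does not block.
            if status == "WARN" and check["id"] not in accepted_ids:
                blocking.append((check["id"], check["desc"]))
    return len(blocking) <= max_warn, dict(counts), blocking


if __name__ == "__main__":
    # Example run: 1.1.1 is accepted because the host uses a single-disk layout by design.
    passed, counts, blocking = evaluate_report(SAMPLE_REPORT, accepted_ids=("1.1.1",))
    print("summary:", counts)
    for check_id, desc in blocking:
        print(f"blocking WARN {check_id}: {desc}")
    raise SystemExit(0 if passed else 1)
```

In a pipeline, replace SAMPLE_REPORT with the contents of the tool's JSON log and keep the accepted ids in version control next to the justification for each exception.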
Docker Bench for Security vs. Alternatives
Feature/Tool | Docker Bench for Security | Trivy | Clair | Falco |
---|---|---|---|---|
Primary Focus | CIS Docker benchmark compliance | Comprehensive vulnerability scanning | Container image vulnerability analysis | Runtime threat detection |
Language | Shell Script | Go | Go | C++/Go |
Deployment | Container/Shell script | Binary/Container/CLI | Microservices architecture | Agent/DaemonSet |
Scan Type | Configuration audit | SBOM + Vulnerability + Config | Static vulnerability analysis | Runtime behavioral analysis |
CIS Compliance | ✅ Direct CIS mapping | ✅ Limited CIS support | ❌ No CIS focus | ✅ Compliance rules |
Vulnerability Detection | ❌ Configuration only | ✅ Comprehensive CVE database | ✅ CVE analysis | ❌ Runtime threats only |
Runtime Monitoring | ❌ Static assessment | ❌ Static scanning | ❌ Static analysis | ✅ Real-time monitoring |
Integration | CI/CD, JSON output | 50+ integrations, SIEM | Registry integration | 50+ SIEM/alerting systems |
CNCF Status | Docker project | Not CNCF | Not CNCF | ✅ CNCF Graduated |
Maintenance | Moderate (yearly releases) | Very Active (monthly) | Active (regular updates) | Very Active (frequent) |
Best Use Case | Docker CIS compliance auditing | All-in-one security scanning | Registry vulnerability scanning | Runtime security monitoring |