Container security: A refresher
Container security entails securing containerized applications against potential vulnerabilities using various security tools and practices. With the growth in cloud-native applications, there has been a spike in the number of associated vulnerabilities, and since containers serve as the building blocks of these applications, container security has become a top priority.
In response, organizations are focusing on strengthening their security posture through a combination of tools and best practices.
What is a container threat model?
A threat model is the result of identifying potential threats and proposing actions to mitigate them. In the context of containers, no one model covers all potential threats. It depends on your environment and the software you host. However, it’s possible to create a threat model by identifying the most common vulnerabilities.
Figure 2 highlights some common attack vectors for containerized apps: vulnerable code, compromised container images, badly configured runtime/orchestrator, secret exposure, insecure networking, and container escape.
Also, it’s worth mentioning that container platforms generally require configuration to meet security best practices. This means that every time you set up a container environment, the first step is to activate necessary security measures.
Options available for container security
Default security measures in container platforms provide a foundational level of protection. Many organizations extend these capabilities with additional tools to address specialized needs such as compliance or runtime visibility, so in practice a company ends up integrating external tools to gain broader coverage and more customization options.
Among the available security tools, open-source tools are widely adopted because they have several benefits including more transparency, cost-effectiveness, and the ability to customize.
As seen in the diagram above, open-source tools can be categorized into eight groups based on the container threat model discussed earlier. The following sections will dive into the most popular tools for each of these groups, with solutions categorized based on their primary specialization. However, keep in mind that the tools included below can often be multipurpose and offer features that span across multiple categories of container security.
Note: We’ll only be covering active open-source projects, as some popular tools are no longer maintained or are not under active development (e.g., Anchore Engine, kube-hunter).
Image scanning/vulnerability assessment tools
These container security solutions are dedicated to inspecting container images and identifying known vulnerabilities within them. The following open-source tools are listed in no particular order.
Clair
Clair scans container images for known vulnerabilities listed in databases like the Ubuntu CVE tracker and the Common Vulnerabilities and Exposures (CVE) database. When it comes to container image scanning, one common approach is to scan images directly within registries (e.g., Docker Hub). However, this comes with limitations, for example, currently for Docker Hub, scanning is only available in private repositories.
Clair comes in handy because it allows both local image scans as well as point-and-shoot scans for images stored in registries. Scanning images locally is helpful mostly in CI/CD pipelines, where you can either push the image to the registry or break the build. On the other hand, the point-and-shoot method directly scans images hosted in registries before pull. This requires Clair and Docker Hub integration, which can be easily performed using the tool Klar.
Trivy
What’s special about Trivy is that it provides broad container security scanning capabilities, covering container images, filesystems, Git repositories, virtual machines, and cloud services. Trivy also provides configuration auditing and compliance scans.
Trivy has become popular with devs, as it offers an array of functionalities and is easy to use—no need for extensive configuration. Also, it was developed by Aqua Security, a company focused on cloud-native security tools that boasts a whopping 202 open-source repositories on GitHub.
Grype and Syft
Both Grype and Syft were developed by Anchore, each for a distinct purpose. Grype primarily scans container images and filesystems for known vulnerabilities. It also supports scanning software bills of materials (SBOMs). An SBOM is an inventory of the components, libraries, and packages that make up a container, together with their metadata.
Syft focuses on generating SBOMs rather than scanning for vulnerabilities directly. The SBOMs it produces identify which components are present in the software, which in turn supports vulnerability management, for example by handing the SBOM to Grype to scan.
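The "scan in CI and break the build" pattern described under Clair, combined with the Syft/Grype SBOM workflow above, as an added example (not from the page or from any of these projects): a constructed GitHub Actions workflow that builds an image, produces an SBOM with Syft, scans it with Grype and the image with Trivy, and only pushes if both gates pass. The image name, registry and secret names are assumptions, and the runner is assumed to already have the three CLIs installed.

```yaml
name: container-image-gate
on:
  push:
    branches: [main]

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    # Assumed: the runner has docker, syft, grype and trivy on PATH, and
    # REGISTRY_USER / REGISTRY_TOKEN are stored as repository secrets.
    env:
      IMAGE: registry.example.com/payments/api:${{ github.sha }}   # constructed name
    steps:
      - uses: actions/checkout@v4

      - name: Build the image locally (nothing is pushed yet)
        run: docker build -t "$IMAGE" .

      - name: Generate an SBOM with Syft
        # SPDX JSON is a standard SBOM format; the file doubles as a build artifact
        run: syft "$IMAGE" -o spdx-json > sbom.spdx.json

      - name: Scan the SBOM with Grype
        # Grype reads the SBOM instead of re-inspecting the image; High or worse fails the job
        run: grype sbom:sbom.spdx.json --fail-on high

      - name: Scan the image with Trivy
        # Second opinion from a different vulnerability database; findings with no fix yet are skipped
        run: trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE"

      - name: Push only after every gate has passed
        run: |
          echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.example.com \
            -u "${{ secrets.REGISTRY_USER }}" --password-stdin
          docker push "$IMAGE"

      - name: Keep the SBOM alongside the build
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json
```

Because the SBOM is stored with the build, it can be re-scanned later against a newer vulnerability database without rebuilding the image.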
Configuration & compliance
Configuration and compliance tools focus on ensuring that containers and container orchestration systems like Kubernetes are configured correctly and comply with security best practices and regulatory standards.
Kube-bench
Kube-bench, another open-source tool out of Aqua Security, checks the security of your Kubernetes clusters based on the well-established CIS Kubernetes Benchmark. Once the automated checks are completed, you will get a "pass" or "fail" (Figure 4).
Hadolint
Hadolint is a Dockerfile linter that helps teams follow community-driven best practices when defining container images. It applies rules derived from the Docker community and best practices from experienced Docker users.
Policy management & enforcement
Policy management and enforcement tools are centered around creating, managing, and enforcing security policies across containerized environments. They help in automating governance and making sure security rules are applied consistently.
Kyverno
Kyverno was designed for Kubernetes, one of the most widely adopted container orchestrators. It primarily works as a policy engine, with policies written in YAML, to ensure that the deployed containers and Kubernetes resources meet an organization's security, compliance, and operational standards.
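What a YAML-based Kyverno policy looks like in practice, as an added example that is not from the page or from the Kyverno project: a constructed ClusterPolicy that rejects privileged containers and requires workloads to run as a non-root user. The kube-system exclusion is an assumed exception for cluster add-ons.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-container-privileges
spec:
  validationFailureAction: Enforce   # Audit would only report; Enforce rejects the admission request
  background: true                   # also report already-running resources that violate the rules
  rules:
    - name: disallow-privileged-containers
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]   # constructed exception for cluster add-ons
      validate:
        message: "Privileged containers and privilege escalation are not allowed."
        pattern:
          spec:
            containers:
              # =(field) is a Kyverno "optional" anchor: if the field is present it must match
              - =(securityContext):
                  =(privileged): "false"
                  =(allowPrivilegeEscalation): "false"
    - name: require-non-root-user
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Pods must set spec.securityContext.runAsNonRoot to true."
        pattern:
          spec:
            securityContext:
              runAsNonRoot: "true"
```

Rolling the policy out with validationFailureAction set to Audit first shows which existing workloads would be blocked before switching to Enforce.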
Open Policy Agent (OPA)
OPA is a general-purpose policy engine whose policies are written in Rego, a high-level declarative language. This gives it the flexibility to define complex policies across diverse systems, not just Kubernetes.
Secrets management
Tools for managing secrets are designed to ensure that any sensitive information (e.g., passwords, tokens, SSH keys, certificates) is stored securely, including proper access control.
HashiCorp Vault
HashiCorp Vault is one of the most trusted open-source tools, with over 500 million downloads and around 30,000 stars on GitHub. It’s widely adopted across the world’s largest organizations. Why? Vault provides a centralized platform for securely storing and managing sensitive credentials. Also, it helps with compliance by managing detailed audit logs for any access to and operations on secrets. Vault’s enterprise version for commercial use provides additional security and extended features like easy deployments, disaster recovery, namespace support, etc.
Network security
Network security tools focus on securing the communication channels between containers and services. They enforce networking policies and provide capabilities like network segmentation, firewalling, and traffic control to prevent unauthorized access and to ensure that data in transit is secure.
Project Calico
Like some of the other tools, Calico also has both open-source and enterprise versions. The open-source version offers core networking and network security capabilities for containerized environments, especially Kubernetes. Its feature set includes network policy enforcement, IP address management (IPAM), egress control, and namespace segregation.
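The network policy enforcement, egress control and namespace segregation listed above, shown with Calico's own policy resource as an added example (constructed here, not taken from the page or the Calico project): a default-deny policy for a namespace plus a narrow allow policy that admits only one frontend from another namespace and lets the API resolve cluster DNS. Namespace names, labels and ports are assumptions.

```yaml
# Policy 1: deny all ingress and egress for every pod in the namespace.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: payments
spec:
  order: 1000          # lower numbers are evaluated first, so this is the fallback
  selector: all()
  types: [Ingress, Egress]
---
# Policy 2: allow only the frontend (in another namespace) to reach the API on 8080,
# and let the API reach cluster DNS. Anything not matched here falls through to default-deny.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  order: 100
  selector: app == 'api'
  types: [Ingress, Egress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        # projectcalico.org/name is a label Calico applies to every namespace automatically
        namespaceSelector: projectcalico.org/name == 'web'
        selector: app == 'frontend'
      destination:
        ports: [8080]
  egress:
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        selector: k8s-app == 'kube-dns'
        ports: [53]
```

Because policy 2 declares both Ingress and Egress types, API pods can only make the DNS calls listed; any other outbound connection is dropped even though no explicit deny rule names it.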
Cilium
Cilium is not just a network security tool; it’s a comprehensive networking solution for containerized environments that provides advanced security, observability, networking, and, most recently, service mesh features. Cilium is fully open source, but for large-scale commercial projects requiring commercial support, they provide Cilium Enterprise.
Cilium is built on top of the extended Berkeley Packet Filter (eBPF), a Linux kernel technology that lets sandboxed programs run inside the kernel (for example, at the networking and system-call layers) without modifying kernel source or loading kernel modules.
Runtime security and intrusion detection
Runtime security and intrusion detection tools focus on monitoring and protecting containerized apps while they are running, in real time.
Falco
Falco monitors and uncovers threats in cloud ecosystems. It’s primarily used for intrusion detection, compliance assurance, and behavior monitoring for containerized apps.
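The kind of behavior monitoring Falco performs, as an added example that is not from the page or from Falco's default ruleset: a constructed rules file with two detections, a shell being spawned inside a container and a credential file being read from inside a container. The rule names, list contents and file paths are assumptions.

```yaml
# Constructed Falco rules file, loaded with: falco -r custom_rules.yaml
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Named here (not as spawned_process) to avoid clashing with Falco's built-in macro
- macro: proc_started
  condition: evt.type in (execve, execveat) and evt.dir = <

- rule: Shell spawned in container
  desc: >
    An interactive shell started inside a running container. Workloads rarely
    need this after startup, so it is a strong signal of an intrusion or of an
    operator bypassing change control.
  condition: >
    proc_started and container.id != host
    and proc.name in (shell_binaries)
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository:%container.image.tag
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, runtime]

- rule: Sensitive file read in container
  desc: A process inside a container opened a credential file for reading.
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_read = true
    and container.id != host
    and fd.name in (/etc/shadow, /etc/sudoers, /root/.ssh/authorized_keys)
  output: >
    Sensitive file read in container (file=%fd.name proc=%proc.name
    container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem]
```

The container.id != host condition is what scopes both rules to containers; dropping it would also alert on the same activity on the node itself.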
Security orchestration
Security orchestration tools are designed to automate the integration of various security tools and processes. They coordinate and streamline the execution of security tasks, improve response times to incidents, and enable more sophisticated security analytics and reporting.
Harbor
Harbor is an open-source container image registry initially developed by VMware and now part of the Cloud Native Computing Foundation (CNCF). It extends the standard features of a container registry with security, compliance, and management capabilities such as role-based access control (RBAC), vulnerability scanning, and image signing.
Other security tools
Not all tools fit neatly into the above seven categories. Kubesec, Notary, Greenbone OpenVAS, Grafeas, and Wazuh all offer their own unique capabilities or serve specific niches within the wider arena of container security.
Wiz's approach to container security
Open-source container security tools give developers and security teams powerful ways to identify vulnerabilities, enforce policies, and strengthen defenses throughout the software development lifecycle. They excel at solving focused challenges – such as image scanning, policy enforcement, or runtime detection – and are a cornerstone of many cloud-native environments.
Wiz believes that organizations can achieve the most effective protection by combining the transparency and flexibility of open-source tools with the visibility and automation of a unified security platform. Open-source and commercial solutions each play a vital role: OSS tools provide depth and community-driven innovation, while platforms like Wiz connect those signals across the entire container ecosystem – from code and build pipelines to cloud and runtime environments.
The Wiz platform integrates with open-source scanners, policy engines, and registries to centralize findings and map them to actual risk in cloud workloads. This context allows teams to understand where a vulnerability or misconfiguration sits in their environment, assess its real-world impact, and prioritize remediation based on exposure and exploitability. Wiz continuously analyzes container configurations, images, and runtime activity to help teams detect threats early and maintain compliance at scale.
In this way, open-source tools and Wiz work better together: OSS projects provide targeted functionality and community-driven innovation, while Wiz unifies all of this into one risk-based view of container and cloud security.
Schedule a demo to learn how Wiz approaches container and cloud security to complement open-source tools and provide continuous visibility from build to runtime.