Chapter 2
Exploring Container Security Tools
TL;DR
This chapter introduces container security tools for static and runtime analysis of container images.
- Trivy: Open-source container security tool that can analyze container images for known vulnerabilities.
- Snyk: Container security tool that can analyze container images for known vulnerabilities. It's not open-source, but is free for public repositories.
- Docker Scout: Container security tool that can analyze container images for known vulnerabilities. It's integrated into Docker Desktop, and can be used to analyze images on the host operating system.
- Falco: Open-source container security tool that can analyze running containers for suspicious activity.
- SARIF: Static Analysis Results Interchange Format, a standard format for the output of static analysis tools.
- GitHub Security Tab: A part of the GitHub UI that shows the results of security scans. It can be fed with SARIF files generated in CI/CD pipelines.
- GitHub Actions: GitHub's CI/CD pipeline service, used to build, test, and deploy software hosted on GitHub. It can run a scan of container images for known vulnerabilities and upload the results to the GitHub Security tab.
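The pipeline described in the last three items, as an added example and not code from this chapter: a GitHub Actions workflow that builds an image, scans it with Trivy, and uploads the SARIF output to the Security tab. The image name `example-app` and the Dockerfile at the repository root are assumptions.

```yaml
name: container-image-scan
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # needed for upload-sarif to write code-scanning alerts

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build the image locally so the scan covers exactly what would be shipped.
      # (example-app and the root Dockerfile are assumptions for this example)
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .

      # Static scan of the image layers for known CVEs, written as SARIF.
      - name: Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: example-app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '0'   # do not fail here, so the SARIF is still produced and uploaded

      # Feed the results into the GitHub Security tab (Code scanning alerts).
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-image
```

Set `exit-code: '1'` instead if the job should fail on CRITICAL/HIGH findings; the `if: always()` on the upload step keeps the alerts flowing to the Security tab either way.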