This is a list of open source tools that help with areas related to container security. Some of the tools in this list don't fit neatly into a specific category, so they're listed under the closest option.
Useful tools to run inside a container to assess the sandbox that's in use and to exploit some common breakout issues.
- deepce - Docker Enumeration, Escalation of Privileges and Container Escapes
- CDK - Container and Kubernetes auditing and breakout tool.
- Trivy - Vulnerability and IaC scanner
- Grype - Container vulnerability scanner
- clair - Container vulnerability scanner
- Docker Scout - Container vulnerability scanner
- dep-scan - Vulnerability and misconfiguration scanner
- Neuvector Scanner - Container vulnerability scanning tool
- Checkov - IaC scanner
- KICS - IaC scanner
- docker bench - Docker CIS Benchmark assessment tool
- Dockle - Container Image Linter
- cnspec - Assessment tool for multiple platforms including Docker and Kubernetes
- Tracee - Container runtime security tooling
- Falco - Container runtime security tooling
- Kubearmor - Container runtime security enforcement tool
- Tetragon - Container runtime security tool
- regclient - Tool for interacting with container registries
- crane - Tool for interacting with container registries
- skopeo - Tool for interacting with container registries
- Dive - Tool for exploring container image layers
- rbac-tool - RBAC Tool for Kubernetes
- kubiScan - Tool to scan Kubernetes clusters for risky permissions
- krane - Kubernetes RBAC static analysis & visualisation tool
- eathar - Kubernetes security assessment tool focusing on workload security and RBAC.
- kube-bench - Tool to assess compliance with the CIS benchmark for various Kubernetes distributions
- kubescape - Kubernetes security assessment tool
- kubesec - Kubernetes security assessment tool focusing on workload security
- kubescore - Kubernetes security and reliability assessment tool focusing on workload security.
- popeye - Kubernetes cluster scanner that looks for possible misconfigurations
- peirates - Kubernetes container breakout tool
- teisteanas - Tool to create kubeconfig files based on the CertificateSigningRequest API.
- tòcan - Tool to create kubeconfig files based on the TokenRequest API.
- MKAT - Managed Kubernetes Auditing Tool. Focuses on exploring security issues in managed Kubernetes (e.g. EKS)
- Kubehound - KubeHound creates a graph of attack paths in a Kubernetes cluster
- IceKube - Kubernetes attack path evaluation tool.
- namespacehound - Tool to test a cluster for possible namespace breakouts where multi-tenancy is in use.
- kubeletctl - Tool to automate the assessment of a kubelet instance; if the instance is vulnerable it can also carry out some exploit tasks
- kubelet dumper - PoC tool to dump Kubelet configurations for review.
- ThreatMapper - Cloud and container security observability
If you're looking to practice with some of the tools here in a safe environment, there are projects to help with that.
- Kube Security Lab - Basic set of Kubernetes security scenarios implemented in Ansible with KinD
- Kubernetes Simulator - AWS based Kubernetes cluster environment with different vulnerability scenarios
- Kubernetes Goat - Focuses on vulnerable deployments on top of an existing cluster. Also available online with Katacoda
- K8s-iam-lab - Kubernetes IAM Lab
- Helix Honeypot - Kubernetes API server honeypot
- Kubernetes Honeytokens - A honeytoken canary for use with honeypots
- Security Profiles Operator - Kubernetes operator for security profiles
- hardeneks - Tool to harden EKS clusters
Inevitably, over time some tools will become unmaintained and deprecated. Whilst they may still work OK, caution is needed. If I've listed you here and you're not deprecated, just open an issue to move it back :)
- kube-hunter - Tool to test and exploit standard Kubernetes Security Vulnerabilities
- kubectl-who-can - Tool that lets you ask "who can" do things in RBAC, e.g. who can get secrets
- rakkess - Shows the RBAC permissions available to a user as a list
- rback - Tool for graphical representation of RBAC permissions in a Kubernetes cluster
- amicontained - Shows information about the container runtime and the rights you have
- ConMachi - Pentester focused container attack surface assessment tool
- botb - Container breakout assessment tool. Can automatically exploit common issues like the Docker socket mount
- keyctl-unmask - Tool that specifically focuses on grabbing kernel keyring entries from containers that allow the keyctl syscall
- go-pillage-registries - Tool to search the manifests and configuration for images in a registry for potentially sensitive information
- reg - Tool for interacting with Container registries
- Whaler - Tool to reverse Docker images into Dockerfiles.
- RBAC Police - RBAC policy evaluation.
- kubestrike - Security auditing tool for Kubernetes covering both authenticated and unauthenticated scanning
- kubestroyer - Kubernetes pentesting tool.
- kubestalk - Black Box Kubernetes Pentesting Tool.
- kubedagger - Kubernetes offensive framework built in eBPF.
- kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments
- k8spot - Kubernetes honeypot.
- Terrascan - IaC scanner for various formats including Docker and Kubernetes
- hadolint - Dockerfile linter
- kubeaudit - Kubernetes security assessment tool focusing on workload security
- kdigger - Kubernetes breakout/discovery tool
- auger - Tool for decoding information pulled directly from the etcd database