AppSoft recommends: tools for Kubernetes image scanning and static analysis
There are many Kubernetes security products, and each has its own goals, scope and license.
That's why we decided to create this list and include in it both open-source projects and commercial platforms from different vendors. We hope it will help you pick the most interesting ones and point you in the right direction, depending on your specific Kubernetes security needs.
License: free (Apache) and commercial offer
The Anchore package analyzes container images and lets you run security checks based on user-defined policies.
In addition to the usual scanning of container images for known vulnerabilities from the CVE database, Anchore performs many additional checks as part of its scanning policy: it inspects the Dockerfile, looks for leaked credentials, checks the packages of the programming languages used (npm, Maven, etc.), checks software licenses and much more.
Website: coreos.com/clair (now under Red Hat custody)
License: free (Apache)
Clair was one of the first open-source projects for scanning images. It is widely known as the security scanner underlying the Quay image registry (also from CoreOS). Clair can collect CVE information from a wide range of sources, including the lists of Linux distribution vulnerabilities maintained by the Debian, Red Hat or Ubuntu security teams.
Unlike Anchore, Clair focuses on finding vulnerabilities and mapping them to CVE data. However, it offers some options for extending its functionality with plug-in drivers.
License: free (Apache)
Dagda provides a static analysis of container images for known vulnerabilities, trojans, viruses, malware, and other threats.
Two noteworthy features distinguish the Dagda package from similar tools:
- It integrates tightly with ClamAV, acting not only as a container image scanner but also as an antivirus.
- It also provides runtime protection by receiving real-time events from the Docker daemon and integrating with Falco to collect security events while the container is running.
License: free (Apache), but requires data from JFrog Xray (a commercial product)
KubeXray "listens" for Kubernetes API server events and uses metadata from JFrog Xray to ensure that only pods matching the current policy are launched.
KubeXray not only audits new or updated containers at deployment time (similar to an admission controller in Kubernetes), but also dynamically checks running containers for compliance with new security policies, removing resources that reference vulnerable images.
License: free (Apache) and commercial versions
Snyk is an unusual vulnerability scanner in the sense that it specifically targets the development process and is promoted as an "indispensable solution" for developers.
Snyk connects directly to code repositories, parses the project manifest and analyses the imported code along with its direct and indirect dependencies. Snyk supports many popular programming languages and can detect hidden licensing risks.
License: Free (AGPL)
Trivy is a simple but powerful container vulnerability scanner that can be easily integrated into a CI/CD pipeline. Its remarkable feature is ease of installation and operation: the application consists of a single binary and doesn't require installing a database or additional libraries.
The downside of Trivy's simplicity is that you have to figure out how to parse its JSON results and forward them yourself so that other Kubernetes security tools can use them.
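A small parser for that JSON output, added here as an example and not code from the Trivy project: it counts findings by severity and returns the ones that should fail a pipeline stage. It assumes Trivy's JSON layout with a top-level Results array (falling back to the older bare-list layout), and the report it runs on is a constructed sample with placeholder image names and CVE identifiers.

```python
import json
from collections import Counter

# Trivy's severity vocabulary, lowest first; used to rank findings for the gate.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of `trivy image --format json` output (assumed schema: a
# top-level "Results" list, each entry with a "Vulnerabilities" list or null).
SAMPLE_TRIVY_JSON = """{
  "SchemaVersion": 2, "ArtifactName": "registry.example/app:1.0",
  "Results": [
    {"Target": "registry.example/app:1.0 (debian 11.6)", "Vulnerabilities": [
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
       "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
       "InstalledVersion": "2.3", "Severity": "CRITICAL"},
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
       "InstalledVersion": "0.9", "Severity": "LOW"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": null}]}"""

def rank(severity):
    # Unknown or missing severities rank lowest instead of crashing the job.
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0

def iter_vulnerabilities(report):
    # Accept the current schema (dict with "Results") and the older one, where
    # the top-level document was the results list itself.
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln

def summarize(report_json):
    # Per-severity counts, the shape a dashboard or chat notifier usually wants.
    return dict(Counter(v.get("Severity", "UNKNOWN")
                        for _, v in iter_vulnerabilities(json.loads(report_json))))

def gate(report_json, threshold="HIGH", require_fix=False):
    # Findings at or above `threshold`; with require_fix=True only those with a
    # FixedVersion count, so issues nobody can patch yet do not block builds.
    failing = []
    for target, vuln in iter_vulnerabilities(json.loads(report_json)):
        if rank(vuln.get("Severity")) < rank(threshold):
            continue
        if require_fix and not vuln.get("FixedVersion"):
            continue
        failing.append({"target": target, "id": vuln["VulnerabilityID"],
                        "pkg": vuln.get("PkgName"), "severity": vuln["Severity"]})
    return failing
```

In a pipeline, run `trivy image --format json` into a file, feed its contents to `gate()`, and exit non-zero when the returned list is non-empty; `summarize()` gives the counts to attach to the build report.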