
Container Security Resources

This page distills the highlights.

For the full, continuously updated list, see jassics/awesome-container-security-learning-resources on GitHub - covering the full container lifecycle from image build through runtime and supply-chain integrity.

Use this page as the "go deeper" reference for the whole Container Security subsection - it covers both Docker and Kubernetes security resources together, since most tools and standards span the two.

Standards & Frameworks

| Framework | What It Covers |
| --- | --- |
| CIS Docker Benchmark | Bedrock configuration controls for Docker hosts and containers |
| CIS Kubernetes Benchmark | Configuration controls for Kubernetes clusters |
| NSA/CISA Kubernetes Hardening Guidance | Government-published hardening guidance, widely cited |
| OWASP Kubernetes Top 10 | The K01-K10 Kubernetes risk taxonomy - see OWASP Kubernetes Top 10 for a full deep dive |
| OWASP Docker Top 10 | The Docker-specific equivalent risk taxonomy |
| MITRE ATT&CK for Containers | Real-world adversary tactics/techniques specifically against containerized environments |
| Pod Security Standards | The privileged/baseline/restricted levels that replaced the deprecated PodSecurityPolicy |
| The 4Cs of Cloud Native Security | Cloud, Cluster, Container, Code - the layered model behind Kubernetes Architecture & Security |

Books

| Book | Author |
| --- | --- |
| Container Security | Liz Rice (O'Reilly) - the definitive introduction: namespaces, cgroups, capabilities, seccomp |
| Kubernetes Security and Observability | Brendan Creane & Amit Gupta (O'Reilly) |
| Hacking Kubernetes | Andrew Martin & Michael Hausenblas (O'Reilly) - the offensive perspective |
| Learn Kubernetes Security | Kaizhe Huang & Pranjal Jumde (Packt) |
| Docker Security (free chapter) | Adrian Mouat |

Videos & Talks

Courses & Certifications

| Course / Cert | Provider |
| --- | --- |
| Kubernetes Security (CKS path) | KodeKloud |
| Killer.sh CKS Simulator | Practice exam environment for the CKS |
| Kubernetes Security Essentials (LFS260) | Linux Foundation - official CKS prep |
| Certified Container Security Expert (CCSE) | Practical DevSecOps |
| SANS SEC584: Cloud Native Security | SANS |
| Container Security Fundamentals (free) | Snyk |
| CKS | CNCF/Linux Foundation - the must-have Kubernetes security certification |
| KCSA | CNCF - entry-level companion to CKS |
| KCNA | CNCF - foundational Kubernetes knowledge |
| CKA | CNCF - prerequisite operational knowledge for CKS |
| Red Hat Certified Specialist in Containers and Kubernetes | Red Hat |

Tools

Image & Registry Scanning

| Tool | Purpose |
| --- | --- |
| Trivy (Aqua) | De facto open-source scanner for images, filesystems, repos, IaC, and Kubernetes manifests |
| Grype + Syft (Anchore) | Vulnerability scanner plus SBOM generator |
| Clair (Quay/Red Hat) | Image vulnerability scanning |
| Docker Scout | Built-in scanning in Docker Desktop/Hub |

Dockerfile & Config Linting

| Tool | Purpose |
| --- | --- |
| Hadolint | Dockerfile linter |
| Dockle | Container image linter aligned with the CIS Docker Benchmark |
| Checkov | IaC + Dockerfile + Kubernetes YAML scanning |
| kube-linter (StackRox/Red Hat) | Kubernetes manifest linting |
| Polaris (Fairwinds) | Kubernetes configuration validation |

Runtime & Detection

| Tool | Purpose |
| --- | --- |
| Falco (CNCF graduated) | Runtime threat detection via eBPF/syscalls |
| Tetragon (Isovalent) | eBPF-based runtime security |
| Tracee (Aqua) | eBPF-based runtime security and forensics |
| Sysdig Secure | Commercial runtime detection platform |

Kubernetes Posture & Audit

See Kubernetes Red Teaming & Labs for how to actually use kube-bench, kube-hunter, kubescape, kubeaudit, and Peirates in a real assessment.

Admission Control & Policy

| Tool | Purpose |
| --- | --- |
| OPA / Gatekeeper | General-purpose policy engine with Kubernetes admission control integration |
| Kyverno (CNCF) | Kubernetes-native policy engine (no separate policy language required) |
| Kubewarden | WASM-based admission policies |

Network Policy & Service Mesh

| Tool | Purpose |
| --- | --- |
| Cilium (CNCF) | eBPF networking with L7-aware network policies |
| Calico | Network policy enforcement |
| Istio | Service mesh with mTLS and fine-grained authorization |
| Linkerd | Lightweight service mesh |

Supply Chain, SBOM & Signing

| Tool | Purpose |
| --- | --- |
| Sigstore (cosign, rekor, fulcio) | Artifact signing and transparency logs |
| SLSA framework | Supply-chain integrity levels - see AI Supply Chain Security for a deep dive on the SLSA level structure, which applies to container images the same way it applies to ML model artifacts |
| in-toto | Supply-chain attestations |
| Grafeas | Software supply-chain metadata API |
| Chainguard Images | Minimal, signed, distroless-style base images |

Hardening Runtimes

| Tool | Purpose |
| --- | --- |
| gVisor (Google) | User-space kernel sandbox - stronger isolation than a default container runtime |
| Kata Containers | Lightweight VM-based container runtime |
| Bottlerocket OS (AWS) | Minimal, container-focused host OS |

Hands-On Labs & CTFs

| Lab / CTF | Focus |
| --- | --- |
| Kubernetes Goat | Vulnerable-by-design Kubernetes cluster - see Kubernetes Red Teaming & Labs |
| Bust-a-Kube / ControlPlane Simulator | Attack/defense Kubernetes simulator |
| KillerCoda Playgrounds | Free, browser-based Kubernetes labs |
| CNCF Capture the Flag (KubeCon archives) | Past KubeCon CTF challenges |
| TryHackMe | Has dedicated container/Kubernetes rooms |

Blogs & Research

Where to Go Next on This Site

Credits/References

  1. jassics/awesome-container-security-learning-resources - the full, continuously updated source this page distills
  2. CIS Benchmarks
  3. CNCF