Container Security Resources
This page distills the highlights. For the full, continuously updated list, see jassics/awesome-container-security-learning-resources on GitHub - covering the full container lifecycle from image build through runtime and supply-chain integrity.
Use this page as the "go deeper" reference for the whole Container Security subsection - it covers both Docker and Kubernetes security resources together, since most tools and standards span the two.
Standards & Frameworks
| Framework | What It Covers |
|---|---|
| CIS Docker Benchmark | Bedrock configuration controls for Docker hosts and containers |
| CIS Kubernetes Benchmark | Configuration controls for Kubernetes clusters |
| NSA/CISA Kubernetes Hardening Guidance | Government-published hardening guidance, widely cited |
| OWASP Kubernetes Top 10 | The K01-K10 Kubernetes risk taxonomy - see OWASP Kubernetes Top 10 for a full deep dive |
| OWASP Docker Top 10 | The Docker-specific equivalent risk taxonomy |
| MITRE ATT&CK for Containers | Real-world adversary tactics/techniques specifically against containerized environments |
| Pod Security Standards | The privileged/baseline/restricted levels that replaced the deprecated PodSecurityPolicy |
| The 4Cs of Cloud Native Security | Cloud, Cluster, Container, Code - the layered model behind Kubernetes Architecture & Security |
Books
| Book | Author / Notes |
|---|---|
| Container Security | Liz Rice (O'Reilly) - the definitive introduction: namespaces, cgroups, capabilities, seccomp |
| Kubernetes Security and Observability | Brendan Creane & Amit Gupta (O'Reilly) |
| Hacking Kubernetes | Andrew Martin & Michael Hausenblas (O'Reilly) - the offensive perspective |
| Learn Kubernetes Security | Kaizhe Huang & Pranjal Jumde (Packt) |
| Docker Security (free chapter) | Adrian Mouat |
Videos & Talks
- A Hacker's Guide to Kubernetes - Andrew Martin (KubeCon)
- Container Security at Scale - KubeCon / CloudNativeSecurityCon talks
- Liz Rice - Demo: A Container-Only Userspace
- Jay Beale - Attacking and Defending Kubernetes
- eBPF for Security - Falco & Tetragon talks
Courses & Certifications
| Course / Cert | Provider / Notes |
|---|---|
| Kubernetes Security (CKS path) | KodeKloud |
| Killer.sh CKS Simulator | Practice exam environment for the CKS |
| Kubernetes Security Essentials (LFS260) | Linux Foundation - official CKS prep |
| Certified Container Security Expert (CCSE) | Practical DevSecOps |
| SANS SEC584: Cloud Native Security | SANS |
| Container Security Fundamentals (free) | Snyk |
| CKS | CNCF/Linux Foundation - the must-have Kubernetes security certification |
| KCSA | CNCF - entry-level companion to CKS |
| KCNA | CNCF - foundational Kubernetes knowledge |
| CKA | CNCF - prerequisite operational knowledge for CKS |
| Red Hat Certified Specialist in Containers and Kubernetes | Red Hat |
Tools
Image & Registry Scanning
| Tool | Purpose |
|---|---|
| Trivy (Aqua) | De-facto open-source scanner for images, filesystems, repos, IaC, and Kubernetes manifests |
| Grype + Syft (Anchore) | Vulnerability scanner plus SBOM generator |
| Clair (Quay/Red Hat) | Image vulnerability scanning |
| Docker Scout | Built-in scanning in Docker Desktop/Hub |
Dockerfile & Config Linting
| Tool | Purpose |
|---|---|
| Hadolint | Dockerfile linter |
| Dockle | Container image linter aligned with the CIS Docker Benchmark |
| Checkov | IaC + Dockerfile + Kubernetes YAML scanning |
| kube-linter (StackRox/Red Hat) | Kubernetes manifest linting |
| Polaris (Fairwinds) | Kubernetes configuration validation |
Runtime & Detection
| Tool | Purpose |
|---|---|
| Falco (CNCF graduated) | Runtime threat detection via eBPF/syscalls |
| Tetragon (Isovalent) | eBPF-based runtime security |
| Tracee (Aqua) | eBPF-based runtime security and forensics |
| Sysdig Secure | Commercial runtime detection platform |
Kubernetes Posture & Audit
See Kubernetes Red Teaming & Labs for how to actually use kube-bench, kube-hunter, kubescape, kubeaudit, and Peirates in a real assessment.
Admission Control & Policy
| Tool | Purpose |
|---|---|
| OPA / Gatekeeper | General-purpose policy engine with Kubernetes admission control integration |
| Kyverno (CNCF) | Kubernetes-native policy engine (no separate policy language required) |
| Kubewarden | WASM-based admission policies |
Network Policy & Service Mesh
| Tool | Purpose |
|---|---|
| Cilium (CNCF) | eBPF networking with L7-aware network policies |
| Calico | Network policy enforcement |
| Istio | Service mesh with mTLS and fine-grained authorization |
| Linkerd | Lightweight service mesh |
Supply Chain, SBOM & Signing
| Tool | Purpose |
|---|---|
| Sigstore (cosign, rekor, fulcio) | Artifact signing and transparency logs |
| SLSA framework | Supply-chain integrity levels - see AI Supply Chain Security for a deep dive on the SLSA level structure, which applies to container images the same way it applies to ML model artifacts |
| in-toto | Supply-chain attestations |
| Grafeas | Software supply-chain metadata API |
| Chainguard Images | Minimal, signed, distroless-style base images |
Hardening Runtimes
| Tool | Purpose |
|---|---|
| gVisor (Google) | User-space kernel sandbox - stronger isolation than a default container runtime |
| Kata Containers | Lightweight VM-based container runtime |
| Bottlerocket OS (AWS) | Minimal, container-focused host OS |
Hands-On Labs & CTFs
| Lab / CTF | Focus |
|---|---|
| Kubernetes Goat | Vulnerable-by-design Kubernetes cluster - see Kubernetes Red Teaming & Labs |
| Bust-a-Kube / ControlPlane Simulator | Attack/defense Kubernetes simulator |
| KillerCoda Playgrounds | Free, browser-based Kubernetes labs |
| CNCF Capture the Flag (KubeCon archives) | Past KubeCon CTF challenges |
| TryHackMe | Has dedicated container/Kubernetes rooms |
Blogs & Research
- Aqua Security research blog
- Sysdig research blog
- Liz Rice - blog and talks
- Raesene (Rory McCune) - container/Kubernetes security research
- ControlPlane research blog
- CNCF TAG-Security whitepapers
- Google - GKE hardening guide
Where to Go Next on This Site
- Start from zero: Container Overview, Introduction to Docker
- Harden Docker: Docker Security
- Learn Kubernetes: Kubernetes, then Kubernetes Security
- Architecture & standards: Kubernetes Architecture & Security, OWASP Kubernetes Top 10
- Attack & defend: Kubernetes Attack Techniques, Kubernetes Red Teaming & Labs
- Learn from the past: Kubernetes Real-World Incidents
Credits/References
- jassics/awesome-container-security-learning-resources - the full, continuously updated source this page distills
- CIS Benchmarks
- CNCF