Docker Bench for Security alternatives

Looking for an alternative tool to replace Docker Bench for Security? During the review of Docker Bench for Security we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. Anchore (container analysis and inspection)
  2. bane (AppArmor profile generator)
  3. Dagda (vulnerability scanner for Docker containers)

These tools are ranked as the best alternatives to Docker Bench for Security.

Alternatives (by score)

100

Anchore

Introduction

Anchore is a tool to help with discovering, analyzing and certifying container images. These images can be stored both on-premises or in the cloud. The tooling is mainly focused on developer so that perform analysis on their container images. Typical actions include running queries, creating reports, or set up policies for a continuous integration and deployment pipeline.

Project details

Anchore is written in Python.

Strengths and weaknesses

  • + More than 10 contributors
  • + Commercial support available
  • + The source code of this software is available

    Typical usage

    • System hardening

    Anchore review

    68

    bane

    Introduction

    Bane is a tool to create AppArmor profiles. This helps to secure applications by setting restrictions on resources they access or modify. A strict policy may help to prevent privilege escalation attacks.

    Project details

    bane is written in Golang.

    Strengths and weaknesses

    • + More than 500 GitHub stars
    • + The source code of this software is available

      Typical usage

      • Application security
      • Security monitoring
      • System hardening

      bane review

      60

      Dagda

      Introduction

      The main reasons to use Dagda is the detection of vulnerable or malicious components within your containerized environment.

      Project details

      Dagda is written in Python.

      Strengths and weaknesses

      • + The source code of this software is available

        Typical usage

        • Malware detection
        • Malware scanning
        • Vulnerability management
        • Vulnerability scanning

        Dagda review

        64

        Docker Bench (by Aqua)

        Introduction

        Docker Bench is one of the tools that can be used to perform a security analysis on Docker and its configuration. It can find common configuration flaws that may impose risks to other containers or the host itself.

        Project details

        Docker Bench (by Aqua) is written in Golang.

        Strengths and weaknesses

        • + The source code of this software is available
        • - No releases on GitHub available

        Typical usage

        • Configuration audit

        Docker Bench (by Aqua) review

        100

        Lynis

        Introduction

        Lynis is an open source security auditing tool that is available since 2007 and created by Michael Boelen. Its primary goal is to evaluate the security defenses of systems running Linux or other flavors of Unix. It provides suggestions to install, configure, or correct any security measures.

        Project details

        Lynis is written in shell script.

        Strengths and weaknesses

        • + More than 50 contributors
        • + Commercial support available
        • + More than 4000 GitHub stars
        • + Used language is shell script
        • + Very low number of dependencies
        • + Project is mature (10+ years)
        • + The source code of this software is available

          Typical usage

          • IT audit
          • Penetration testing
          • Security assessment
          • System hardening
          • Vulnerability scanning

          Lynis review

          64

          LUNAR

          Introduction

          LUNAR is short for Lockdown UNix Auditing and Reporting and runs on the system itself.

          Project details

          LUNAR is written in shell script.

          Strengths and weaknesses

          • + The source code of this software is available

            Typical usage

            • Security assessment
            • Self-assessment
            • System hardening

            LUNAR review

            60

            orthrus

            Introduction

            Orthrus is a security framework and auditing tool. It allows monitoring and analyzing security configurations across multiple environments.

            Project details

            orthrus is written in Golang.

            Strengths and weaknesses

            • + The source code of this software is available
            • - Project is in early phase and may be unstable

            Typical usage

            • Security assessment
            • Self-assessment
            • System hardening
            • Vulnerability scanning

            orthrus review

            60

            otseca

            Introduction

            Tools like otseca help with data collection. This could be useful for system administrators to collect data on a regular interval. This data then can be compared with a future data capture. Another possibility is to use it during pentesting. In that case one should have already obtained root access, as the tool requires this as well.

            Project details

            otseca is written in shell script.

            Strengths and weaknesses

            • + The source code is easy to read and understand
            • + Tool is modular and extendable
            • + The source code of this software is available

              Typical usage

              • Configuration audit
              • Penetration testing
              • Security assessment

              otseca review

              68

              Prowler

              Introduction

              Prowler is a security tool to check systems on AWS against the related CIS benchmark. This benchmark provides a set of best practices for AWS. The primary usage for this tool is system hardening and compliance checking.

              Project details

              Prowler is written in shell script.

              Strengths and weaknesses

              • + More than 25 contributors
              • + More than 500 GitHub stars
              • + The source code of this software is available

                Typical usage

                • Compliance testing
                • Security assessment
                • System hardening

                Prowler review

                63

                360-FAAR

                Introduction

                360-FAAR is a tool written in Perl to parse policies and logs from firewalls. It can compare firewall policies and translate between a policy and log data. Supported firewalls include Checkpoint FW1, Cisco ASA, and Netscreen ScreenOS.

                Project details

                360-FAAR is written in Perl.

                Strengths and weaknesses

                • + Project is mature (5+ years)
                • + The source code of this software is available

                  Typical usage

                  • Firewall auditing
                  • Log analysis
                  • Security assessment
                  • Security reviews

                  360-FAAR review

                  68

                  Cloud Security Suite (CS Suite)

                  Introduction

                  Cloud Security Suite (CS Suite) is a security toolkit that allows scanning Amazon, Google, and Azure cloud platforms. It leverages tools like Lynis, Prowler, and Scout2 to collect all information. The promise of the tool is to simplify the installation of the tools, their configuration, and the data collection.

                  Project details

                  Cloud Security Suite is written in Python.

                  Strengths and weaknesses

                  • + The source code of this software is available
                  • - No releases on GitHub available

                  Typical usage

                  • Configuration audit
                  • IT audit
                  • Penetration testing
                  • System hardening

                  Cloud Security Suite review

                  85

                  ssh_scan

                  Introduction

                  This tool is light on its dependencies, as it only uses Ruby and BinData. The scanner is simple to use, as it is limited in the number of parameters and options. There is also the ability to show the results on the screen or export the data to a JSON file. The latter is great if you want to do further processing of the details, or simply store them for later comparison.

                  Project details

                  ssh_scan is written in Ruby.

                  Strengths and weaknesses

                  • + More than 10 contributors
                  • + Many releases available
                  • + The source code of this software is available
                  • + Supported by a large company

                    Typical usage

                    • Penetration testing
                    • Security assessment
                    • System hardening
                    • Vulnerability scanning

                    ssh_scan review

                    60

                    VHostScan

                    Introduction

                    Tools like VHostScan are powerful to perform reconnaissance and discover configuration defaults. This can be useful during penetration tests or security testing, to see if a system has been stripped from default pages. If not, this tool might discover them and provide valuable information about the system.

                    Project details

                    VHostScan is written in Python.

                    Strengths and weaknesses

                    • + The source code of this software is available

                      Typical usage

                      • Penetration testing
                      • Reconnaissance

                      VHostScan review

                      64

                      DFWFW (Docker Firewall Framework)

                      Introduction

                      DFWFW, short of Docker Firewall Framework, offers easy administration of the iptables rules of Docker containers. It updates using event streams.

                      Project details

                      DFWFW is written in Perl.

                      Strengths and weaknesses

                      • + The source code of this software is available
                      • - Full name of author is unknown

                      Typical usage

                      • Firewall management

                      DFWFW review

                      64

                      Dockerscan

                      Introduction

                      Dockerscan is a Docker toolkit for security analysis which includes attacking tools. It is more focused on side of the offensive than defensive.

                      Project details

                      Dockerscan is written in Python.

                      Strengths and weaknesses

                      • + More than 500 GitHub stars
                      • + The source code of this software is available

                        Typical usage

                        • Information gathering
                        • Security assessment
                        • Vulnerability scanning

                        Dockerscan review

                        70

                        subuser

                        Introduction

                        A tool like subuser can useful to test software from untrusted sources.

                        Project details

                        subuser is written in Python.

                        Strengths and weaknesses

                        • + More than 10 contributors
                        • + More than 500 GitHub stars
                        • + The source code of this software is available

                          Typical usage

                          • Software testing

                          subuser review

                          78

                          Clair

                          Introduction

                          The tool has been created by CoreOS and can scan containers of different formats. It analyzes them and determines available security weaknesses in the container.

                          Project details

                          Clair is written in Golang.

                          Strengths and weaknesses

                          • + The source code of this software is available

                            Typical usage

                            • Security assessment
                            • Vulnerability scanning

                            Clair review

                            64

                            JShielder

                            Introduction

                            JShielder is a security tool for Linux systems to make them more secure by adding system hardening measures.

                            Project details

                            JShielder is written in Python, shell script.

                            Strengths and weaknesses

                            • + Used language is shell script
                            • + The source code of this software is available

                              Typical usage

                              • System hardening

                              JShielder review

                              52

                              Nix Auditor

                              Introduction

                              This fairly new tool is written in shell script to scan Linux systems with the focus on security auditing.

                              Project details

                              Nix Auditor is written in shell script.

                              Strengths and weaknesses

                              • + Used language is shell script
                              • - Full name of author is unknown
                              • - Unknown project license

                              Nix Auditor review

                              60

                              Scout2

                              Introduction

                              Scout2 is a security tool to assess the security of an AWS environment. It can be used for system hardening and IT audits.

                              Project details

                              Scout2 is written in Python.

                              Strengths and weaknesses

                              • + More than 10 contributors
                              • + More than 500 GitHub stars

                                Typical usage

                                • IT audit
                                • Security assessment
                                • Self-assessment
                                • System hardening

                                Scout2 review

                                64

                                seccheck

                                Introduction

                                Seccheck is a security scanner for Linux systems. It is originally written for SuSE Linux by Marc Heuse.

                                Project details

                                seccheck is written in shell script.

                                Strengths and weaknesses

                                • + The source code of this software is available
                                • - Project looks outdated (old code or documentation)

                                Typical usage

                                • Security assessment
                                • System hardening

                                seccheck review

                                70

                                YASAT

                                Introduction

                                The YASAT tool performs a system scan to detect configuration issues and possible improvements for hardening the system. Typically you would use this on new and existing systems.

                                Project details

                                YASAT is written in shell script.

                                Strengths and weaknesses

                                • + Used language is shell script
                                • - No updates for a while

                                Typical usage

                                • Configuration audit
                                • IT audit
                                • Security assessment

                                YASAT review

                                64

                                Zeus

                                Introduction

                                Zeus is a tool to perform a quick security scan of an AWS environment. It helps to find missing security controls, so additional system hardening measures can be applied to systems.

                                Project details

                                Zeus is written in shell script.

                                Strengths and weaknesses

                                • + Used language is shell script
                                • + The source code of this software is available
                                • - No releases on GitHub available

                                Typical usage

                                • Configuration audit
                                • Security assessment
                                • Self-assessment
                                • System hardening

                                Zeus review

                                Some relevant tool missing as an alternative to Docker Bench for Security? Please contact us with your suggestion.