An asterisk means personal preference/pick for that type of data.
Product name | Types of input | Integrations | Comment |
---|---|---|---|
Checkov, originally by Bridgecrew, now under Palo Alto Networks | Dockerfile*, Terraform, CloudFormation (cannot scan some files), ARM, Serverless framework | Now Prisma Cloud, originally the Bridgecrew web console. GH actions | Best practice focused. Slower |
KICS by Checkmarx | Mainly IaC, Dockerfile* and Kubernetes (YAML). Does not support Docker images | Major CI/CD | |
Trivy CLI by Aqua Security | Dockerfile, Docker images* (supports different architectures), Kubernetes, Terraform (now includes tfsec functionality), static application binaries/libraries | GitHub actions | Vulnerability DB focused |
grype CLI by Anchore | Docker images* (supports different architectures) | | Vulnerability DB focused |
Clair by Quay | Docker images (supports different architectures) | | Multi-layer images may not be fully scanned |
NeuVector scanner | Docker images | GitHub action | |
Dockle | Docker images* | | Linter for best practices. Especially good at finding unnecessary files and SGID/SUID files |
Terrascan by Tenable, originally by Accurics | Static code analysis on Terraform, Kubernetes, Helm, Dockerfile and cloud resources | Mainstream products | Best practice focused. Problems scanning AWS CF templates. Seems unable to detect whether a seccomp profile is enabled |
Snyk | IaC (not supporting Ansible; some CF is not scanned), Kubernetes YAML, Docker images, static code analysis* | Major CI/CD*, web console | Seems not to have seccomp checking |
Polaris by FairWindsOps | Kubernetes resource files (YAML/JSON), existing namespaces/resources from a cluster | GitHub actions and other CI/CD | Best practice focused. Seems not to have seccomp checking |
StackRox (open sourced) | Container images | | |
ThreatMapper by Deepfence | Docker images, Kubernetes resources, Fargate serverless | | Needs more resources to use this tool |
Dagda | Docker containers | | A system (not a single CLI) focused on static binary analysis |
docker-bench-security by Docker Inc. | Docker host OS settings | | Docker focused |
OSV by Google | OS, applications and Docker (preview; supports Debian only at the moment) | | |
Hadolint, Dockerfile linter* | Dockerfile* | | |
Colin | Dockerfile | | Linter |
Dokter by GitLab | Dockerfiles. They call it the doctor for your Dockerfiles: a tool with AI for fixing problems. Not directly a complete security scanning tool | | Last code commit 2022 |
Anchore Engine (open source project archived in 2023) | Docker images* | Major CI/CD like GH actions | Vulnerability DB. Can optionally use ClamAV for malware checking*. Output format is not great but OK when using Harbor |