An asterisk marks a personal preference/pick for that type of input.
See also Security tools for Kubernetes in this wiki site
| Product name | Types of input | Integrations | Comment |
|---|---|---|---|
| Checkov, originally by Bridgecrew, now under Palo Alto Networks | Dockerfile*, Terraform, CloudFormation (cannot scan some files), ARM, Serverless framework | Now Prisma Cloud, originally with the Bridgecrew web console. GH Actions | Best-practice focused. Slower |
| KICS by Checkmarx | Mainly IaC, Dockerfile* and Kubernetes (YAML). Does not support Docker images | Major CI/CD | |
| Trivy CLI by Aqua Security | Dockerfile, Docker images* (supports different architectures), Kubernetes, Terraform (now includes tfsec functionality), static application binaries/libraries | GitHub Actions | Vulnerability DB focused |
| grype CLI by Anchore | Docker images* (supports different architectures) | | Vulnerability DB focused |
| Hadolint, Dockerfile linter* | Dockerfile* | | |
| Dockle | Docker images* | | Linter for best practices. Especially good at finding unnecessary files and SGID/SUID files |
| MegaLinter by OX Security | Supports lots of languages | | |
| Clair by Quay | Docker images (supports different architectures) | | Multi-layer images may not be fully scanned |
| NeuVector scanner | Docker images | GitHub Action | |
| Terrascan by Tenable, originally by Accurics | Static code analysis on Terraform, Kubernetes, Helm, Dockerfile and cloud resources | Mainstream products | Best-practice focused. Problems scanning AWS CF templates. Seems unable to detect whether a seccomp profile is enabled. Last release 2024-Sep, going into archive state |
| Snyk | IaC (does not support Ansible; some CF is not scanned), Kubernetes YAML, Docker images. Static code analysis* | Major CI/CD*, web console | Seems not to have seccomp checking |
| Polaris by FairwindsOps | Kubernetes resource files (YAML/JSON), existing namespaces/resources from a cluster | GitHub Actions and other CI/CD | Best-practice focused. Seems not to have seccomp checking |
| StackRox (open sourced) | Container images | | |
| ThreatMapper by Deepfence | Docker images, Kubernetes resources, Fargate serverless | | Needs more resources to use this tool |
| docker-bench-security by Docker Inc. | Docker host OS settings | | Docker focused |
| OSV by Google | OS, applications and Docker (preview; supports Debian only at the moment) | | |
| InSpec by Chef | Compliance as code | | |
| Linter for AWS CloudFormation | | | |
| Dokter by GitLab | Dockerfiles | | They call it the doctor for your Dockerfiles. A tool with AI for fixing problems. Not directly a complete security scanning tool. Last code commit 2022-Oct |
| Colin | Dockerfile | | Linter. Last release 2022-Mar |
| Anchore Engine (open-source project archived in 2023) | Docker images* | Major CI/CD like GH Actions | Vulnerability DB. Can optionally use ClamAV for malware checking*. Output format is not great but OK when used with Harbor |
| Dagda | Docker containers | | A system (not a single CLI) focused on static binary analysis. Last release 2021 |