An asterisk means personal preference/pick for that type of data.
Product name | Types of input | Integrations | Comment |
---|---|---|---|
Checkov by Bridgecrew | Dockerfile*, Terraform, CloudFormation (cannot scan some files), ARM, Serverless Framework | Bridgecrew web console, GH Actions | Best-practice focused. Slower |
KICS by Checkmarx | Mainly IaC, Dockerfile* and Kubernetes (YAML). Does not support Docker images | Major CI/CD | |
Trivy CLI by Aqua Security | Dockerfile, Docker images* (supports different architectures), Kubernetes, Terraform, static application binaries/libraries | GitHub Actions | Vulnerability DB focused |
grype CLI by Anchore | Docker images* (supports different architectures) | | Vulnerability DB focused |
Anchore Engine (open source) | Docker images* | Major CI/CD like GH Actions | Vulnerability DB. Can optionally use ClamAV for malware checking*. Output format is not great, but OK when used with Harbor |
Clair by Quay | Docker images (supports different architectures) | | Multi-layer images may not be fully scanned |
NeuVector scanner | Docker images | GitHub Action | |
Dockle | Docker images* | | Linter for best practices. Especially good at finding unnecessary files and SGID/SUID files |
Hadolint | Dockerfile* | | Dockerfile linter* |
Colin | Dockerfile | | Linter |
Terrascan by Accurics | Static code analysis on Terraform, Kubernetes (YAML, JSON?), Helm, Dockerfile and cloud resources | Mainstream products | Best-practice focused. Problems scanning AWS CF templates. Seems unable to detect whether a seccomp profile is enabled |
Snyk | IaC (not supporting Ansible; some CF is not scanned), Kubernetes YAML, Docker images. Static code analysis* | Major CI/CD*, web console | Seems not to have seccomp checking |
Polaris by FairWindsOps | Kubernetes resource files (YAML/JSON), existing namespaces/resources from a cluster | GitHub Actions and other CI/CD | Best-practice focused. Seems not to have seccomp checking |
StackRox (open source) | Container images | | |
ThreatMapper by Deepfence | Docker images, Kubernetes resources, Fargate serverless | | Needs more resources to use this tool |
Dagda | Docker containers | | A system focused on static binary analysis |
docker-bench-security by Docker Inc. | Docker host OS settings | | Docker focused |
OSV by Google | OS, applications and Docker (preview; supports Debian only at the moment) | | |
Dokter by GitLab | Dockerfile | | They call it the doctor for your Dockerfiles. A tool with AI for fixing problems; not directly a complete security scanning tool |