33 Repos
Tools and frameworks for hardening container environments, runtime monitoring, and compliance auditing.
Distinguishing note: Focuses on the specific security requirements of containerized environments rather than general network or application security.
This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the container ecosystem. It functions as a structured knowledge base, aggregating a wide array of software tools, educational materials, and technical resources designed to assist developers and operators in mastering containerization technologies. The repository distinguishes itself through a meticulously organized taxonomy that maps the entire container lifecycle, from initial development and image building to orchestration, security, and infrastructure operations. By curating disparat
Provides solutions for container hardening, runtime security, and compliance.
The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems. What distinguishes this project is its decentral
Hardens container images and runtime environments to prevent unauthorized access.
Harbor is a self-hosted, enterprise-grade container registry platform designed to store, sign, and scan container images and cloud-native artifacts. It provides a centralized repository that integrates directly with Kubernetes environments to manage the full lifecycle of software artifacts, from initial storage to production deployment. The platform distinguishes itself through a focus on security, governance, and multi-site availability. It features a pluggable vulnerability scanning framework that allows for the integration of various security engines, alongside content trust mechanisms tha
Enforces container security through vulnerability scanning and digital signature verification for image authenticity.
This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries. The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization. The material covers a broad
Provides specialized references for hardening container runtimes, managing privileges, and implementing security monitoring.
Slim is a comprehensive suite for container lifecycle management, providing tools for image inspection, optimization, security hardening, and service troubleshooting. It functions as a platform for analyzing containerized applications through both static metadata review and dynamic behavioral probing, enabling users to understand image composition and runtime dependencies. The project distinguishes itself by automating the creation of minimal, production-ready container images. It achieves this by removing unnecessary files and components, flattening image layers, and synthesizing restrictive
Hardens containerized applications by generating restrictive security profiles and removing unused components to minimize attack surfaces.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Enforces security policies by selectively disabling specific container configuration adjustments and requiring mandatory plugins for container creation.
This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary. The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
Runs containerized applications in a hardened environment that intercepts system calls to minimize the host kernel attack surface.
Wazuh is an integrated security platform that combines endpoint detection and response, security information and event management, and cloud workload protection. It functions as a centralized system for collecting telemetry, aggregating logs, and correlating events across distributed infrastructure to maintain security and integrity. The platform distinguishes itself through its active response orchestration, which allows for the automated execution of scripts on remote endpoints to neutralize threats in real time. It provides deep visibility into system activity through file integrity monito
Maintains visibility into cloud and container environments to detect threats and enforce consistent security policies.
The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane. The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
Implements isolation, access controls, and security hardening for container instances and underlying infrastructure.
This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes. The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers. The co
Provides instructional material on hardening container environments and implementing security best practices.
Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The proj
Provides tools for auditing container environments to track potential threats and ensure compliance.
Boto3 is the AWS SDK for Python, providing a programmatic interface for managing and automating AWS cloud infrastructure and services. It serves as a cloud management API client and resource manager for provisioning, configuring, and scaling virtual servers, databases, and storage. The library enables the implementation of infrastructure-as-code through declarative templates and scripts, allowing for the deployment of identical resource stacks across multiple accounts and geographic regions. It also provides a framework for coordinating distributed workflows, serverless functions, and contain
Implements network isolation and task-level security to harden containerized environments.
This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings. The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status. The audit engine suppor
Evaluates container environments and host configurations against benchmarks to ensure adherence to security best practices.
rkt is a secure Linux container engine and a pod-native container manager. It provides a composable execution environment for launching and managing isolated application containers on Linux and serves as a runtime built on open industry standards for image formats and network interfaces. The system is distinguished by a pod-native execution model that groups multiple containers and shared resources into individual, self-contained units. It uses pluggable execution engines to ensure secure isolation, including the use of hardware-based virtualization to create security boundaries between the host system and running applications. The project covers a broad range of container management functionality, including OCI-compliant image execution and CNI-based networking. It also provides integration with cluster orchestrators and system initialization tools for managing workloads in distributed environments.
Maintains a protected execution environment by isolating containers using hardware virtualization.
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
Provides container security observability by enriching raw kernel events with Kubernetes metadata.
Sysdig is a Linux system observability tool and kernel event analyzer designed for capturing and analyzing kernel-level system calls and operating system events. It functions as a system call tracer and container security monitor, providing deep visibility into the activity of machines, virtual machines, and containers. The project specializes in non-invasive container inspection, allowing for the monitoring of container activity and resource usage without modifying the container environment or adding instrumentation. It enables the recording of detailed system traces into binary files for re
Monitors container activity and system state for security purposes without requiring environment instrumentation.
This project is a public key infrastructure management system designed to automate the issuance, renewal, and revocation of X.509, TLS, and SSH certificates. It functions as a machine identity provider and certificate authority, enabling the establishment of private PKI to secure inter-service communication and remote access. The system distinguishes itself through hardware-bound identity attestation, which ties cryptographic keys to physical device silicon or TPMs to prevent credential exfiltration. It supports a wide array of identity verification mechanisms, including OIDC, cloud-provider
Delivers TLS certificates into containers to secure inter-service communication without requiring manual configuration.
The Operator SDK is a framework for building, packaging, and managing custom controllers that extend the Kubernetes API. It serves as a toolset for defining new API types and implementing reconcile loops to automate the lifecycles of complex applications. The project provides specialized support for creating operators based on Helm charts or Ansible playbooks, allowing users to maintain a desired cluster state using existing automation tools. It includes a dedicated system for packaging controllers into standardized container image bundles for distribution via the Operator Lifecycle Manager.
Automates the delivery of CA certificates into container runtimes using conversion webhooks to establish trust.
This is an educational resource that provides a comprehensive guide to blockchain and distributed ledger technologies, covering everything from fundamental concepts to practical deployment. The guide systematically explains the core architecture of blockchain systems, including consensus-based distributed ledgers, cryptographic hash chains, Merkle trees, and smart contract execution engines, while also detailing permissioned channel architectures and modular service platforms for enterprise use. The resource distinguishes itself by offering a dual-track learning path that serves both non-tech
Covers container security mechanisms for isolating containers and protecting the host system.
The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications. The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
Teaches securing container runtimes, images, and registries within cloud native workflows.