# Docker Container Security Hardening Tools

> Search results for `audit and harden Docker container runtime security` on awesome-repositories.com. 112 total matches; showing the first 50.

Explore on the web: https://awesome-repositories.com/q/audit-and-harden-docker-container-runtime-security

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [this search on awesome-repositories.com](https://awesome-repositories.com/q/audit-and-harden-docker-container-runtime-security).**

## Results

- [containers/libpod](https://awesome-repositories.com/repository/containers-libpod.md) (32,040 ⭐) — Libpod is a container management library for running and controlling the lifecycle of Open Container Initiative compliant containers and images across different storage backends. It provides a programmatic interface for the remote control and automation of container environments.

  The project enables the coordination of multiple containers into pods that share network namespaces and other shared resources. It supports rootless container execution by using user namespaces to launch containers without administrative privileges.

  The library covers a broad range of system operations, including im
- [docker-archive-public/docker.labs](https://awesome-repositories.com/repository/docker-archive-public-docker-labs.md) (11,904 ⭐) — This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes.

  The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers.

  The co
- [docker/docker-bench-security](https://awesome-repositories.com/repository/docker-docker-bench-security.md) (9,655 ⭐) — This project is a security compliance tool and configuration auditor designed to evaluate Docker deployments against industry security benchmarks. It functions as a script-based scanner that identifies misconfigurations and vulnerabilities within both the host operating system and container settings.

  The tool specifically implements the Center for Internet Security standards for Docker to verify host and container configurations. It enables a hardening workflow by comparing system states against these standards to identify security gaps and document compliance status.

  The audit engine suppor
- [docker/compose](https://awesome-repositories.com/repository/docker-compose.md) (37,588 ⭐) — Docker Compose is a tool for defining and running multi-container applications through declarative configuration files. It functions as an application lifecycle manager, coordinating the startup, shutdown, and scaling of interconnected services within isolated environments. By using a standardized configuration format, it enables infrastructure as code, allowing developers to manage complex application stacks and their dependencies in a single, repeatable file.

  The project distinguishes itself by integrating directly with the broader Docker platform, leveraging a client-server architecture wh
- [drduh/macos-security-and-privacy-guide](https://awesome-repositories.com/repository/drduh-macos-security-and-privacy-guide.md) (22,449 ⭐) — This project is a security hardening guide and privacy configuration manual for macOS. It provides a comprehensive set of instructions for configuring system settings to improve privacy, reduce the attack surface, and implement a malware defense framework.

  The guide covers technical methods for validating software notarization, verifying application sandboxing, and auditing system activity. It distinguishes itself by providing detailed workflows for restricting high-risk features and applying advanced security configurations to protect the operating system.

  The documentation covers several k
- [docker-archive-public/docker.kitematic](https://awesome-repositories.com/repository/docker-archive-public-docker-kitematic.md) (12,142 ⭐) — Kitematic is a graphical user interface for managing and running Docker containers on desktop operating systems. It serves as a visual Docker management tool and API client that translates user interface interactions into REST API calls to control the Docker daemon without requiring the command line.

  The application is built as a cross-platform Electron desktop application, utilizing a Chromium-based shell to provide a consistent administrative interface across Mac and Windows.

  The software covers the full container lifecycle, including the creation, configuration, and monitoring of containe
- [drduh/os-x-security-and-privacy-guide](https://awesome-repositories.com/repository/drduh-os-x-security-and-privacy-guide.md) (22,444 ⭐) — This project is a comprehensive security hardening and privacy management guide for macOS. It provides a set of instructions and checklists for reducing the system attack surface through manual configuration, policy enforcement, and a layered defense strategy.

  The guide emphasizes a system auditing framework, using binary analysis, system logs, and packet inspection to verify that security controls and application sandboxing are functioning as intended. It offers tool-agnostic recommendations, defining security goals while allowing users to select their own third-party software for implementa
- [traefik/traefik](https://awesome-repositories.com/repository/traefik-traefik.md) (63,644 ⭐) — Traefik is a cloud-native edge router and API gateway designed to manage service communication and traffic flow across distributed infrastructure. It functions as a dynamic service proxy that automatically discovers backend services and configures routing rules in real time, eliminating the need for manual restarts or complex configuration updates. By integrating directly with container orchestrators and service registries, it maintains a consistent state for network traffic, load balancing, and security policy enforcement.

  The project distinguishes itself through its deep integration with di
- [addyosmani/agent-skills](https://awesome-repositories.com/repository/addyosmani-agent-skills.md) (60,849 ⭐) — Agent-skills is a collection of structured instructions and behavioral personas designed to standardize how AI coding agents perform engineering tasks. It functions as a workflow orchestrator that maps natural language intent to repeatable technical sequences and verification checklists.

  The project distinguishes itself through the use of specialized markdown-defined roles, such as security auditors or test engineers, to apply targeted domain expertise. It employs an evidence-based verification model that requires runtime data or passing tests as mandatory exit criteria to ensure AI-generated
- [nvidia/nvidia-container-runtime](https://awesome-repositories.com/repository/nvidia-nvidia-container-runtime.md) (1,125 ⭐) — NVIDIA container runtime
- [yeasy/docker_practice](https://awesome-repositories.com/repository/yeasy-docker-practice.md) (26,111 ⭐) — This project is a Docker educational resource and a collection of practical examples designed for learning containerization technologies. It serves as a guide for understanding container fundamentals, including the creation and management of custom images and the use of registries.

  The repository provides specialized references for container security hardening, such as managing kernel privileges and implementing supply chain security. It also includes tutorials for multi-container orchestration and a DevOps guide focused on CI/CD automation and image optimization.

  The material covers a broad
- [projectcalico/calico](https://awesome-repositories.com/repository/projectcalico-calico.md) (7,252 ⭐) — Calico is a cloud-native networking and security solution designed to connect containerized workloads across virtual machines, bare metal, and multi-cloud environments. It provides a routing solution based on the Border Gateway Protocol to manage cluster traffic and implement the Container Network Interface for pod connectivity and IP address management.

  The project distinguishes itself through a security layer that enforces network policies based on identities and labels rather than static addresses. It includes a policy engine for controlling traffic flow, a cluster network encryptor for se
- [docker/awesome-compose](https://awesome-repositories.com/repository/docker-awesome-compose.md) (45,561 ⭐) — Awesome Compose is a collection of resources designed to demonstrate the orchestration of multi-container applications. It serves as a practical reference for using declarative configuration files to define, manage, and deploy complex software stacks, ensuring that services run consistently across development, testing, and production environments.

  The project highlights the capabilities of container lifecycle management by providing examples of how to bundle software with its dependencies into isolated, portable units. It emphasizes the use of multi-stage build pipelines to optimize image siz
- [hotcakex/harden-windows-security](https://awesome-repositories.com/repository/hotcakex-harden-windows-security.md) (4,139 ⭐) — Harden-Windows-Security is a security hardening tool and framework designed to reduce the attack surface of the Windows operating system through policy enforcement. It provides a collection of security presets and templates to implement official hardening standards across multiple devices.

  The project distinguishes itself through a comprehensive execution control system, featuring a manager for Windows Application Control and a kernel protection suite. It implements strict trust models, including kernel-mode driver whitelisting, signed policy implementation on the EFI partition, and code inte
- [swisskyrepo/payloadsallthethings](https://awesome-repositories.com/repository/swisskyrepo-payloadsallthethings.md) (78,434 ⭐) — This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing.

  The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data i
- [denoland/deno](https://awesome-repositories.com/repository/denoland-deno.md) (107,110 ⭐) — Deno is a high-performance runtime for JavaScript and TypeScript that prioritizes security and developer productivity. Built on the V8 engine, it provides a secure execution environment that enforces a default-deny security model, requiring explicit user authorization for access to system resources like the file system, network, and environment variables. The runtime natively supports modern web-standard APIs, ensuring consistent behavior and portability across different environments.

  What distinguishes Deno is its integrated approach to the software development lifecycle. It bundles essentia
- [step-security/harden-runner](https://awesome-repositories.com/repository/step-security-harden-runner.md) (1,206 ⭐) — Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
- [qianniuspace/mcp-security-audit](https://awesome-repositories.com/repository/qianniuspace-mcp-security-audit.md) (53 ⭐) — A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.
- [google/gvisor](https://awesome-repositories.com/repository/google-gvisor.md) (17,748 ⭐) — This project is a secure container runtime that provides strong isolation for application workloads by implementing a userspace kernel. By intercepting system calls and executing them within a memory-safe, restricted environment, it minimizes the attack surface exposed to the host kernel. It functions as a drop-in engine for standard container orchestration platforms, ensuring compatibility with industry-standard runtime specifications while maintaining a hardened execution boundary.

  The runtime distinguishes itself through its ability to virtualize core system resources, including an indepen
- [inspektor-gadget/inspektor-gadget](https://awesome-repositories.com/repository/inspektor-gadget-inspektor-gadget.md) (2,720 ⭐) — Inspektor Gadget is an eBPF observability toolset and program framework designed for tracing Linux systems and debugging Kubernetes nodes. It provides a suite of tools to collect kernel-level telemetry and export system metrics via the OpenTelemetry standard.

  The project distinguishes itself by packaging inspection tools as OCI-compliant container images, allowing for standardized distribution and deployment across clusters and hosts. It employs a modular data processing pipeline that utilizes WebAssembly modules to transform and filter telemetry, and leverages Compile Once Run Everywhere for
- [abiosoft/colima](https://awesome-repositories.com/repository/abiosoft-colima.md) (29,324 ⭐) — Colima is a command-line utility that provides lightweight container runtimes and local Kubernetes orchestration by managing isolated virtual machine environments. It functions as a virtualization manager that abstracts the underlying container engine, allowing users to run containerized applications and system workloads on non-native operating systems without the overhead of heavy desktop software.

  The project distinguishes itself through its support for hardware-accelerated workloads, enabling direct GPU passthrough to virtual machines for high-performance machine learning tasks. It offers
- [0xnazgul/blockchain-security-audit-list](https://awesome-repositories.com/repository/0xnazgul-blockchain-security-audit-list.md) (793 ⭐) — A list of Blockchain Security audit companies, solo auditors and where to find all their public audits.
- [wazuh/wazuh](https://awesome-repositories.com/repository/wazuh-wazuh.md) (14,779 ⭐) — Wazuh is an integrated security platform that combines endpoint detection and response, security information and event management, and cloud workload protection. It functions as a centralized system for collecting telemetry, aggregating logs, and correlating events across distributed infrastructure to maintain security and integrity.

  The platform distinguishes itself through its active response orchestration, which allows for the automated execution of scripts on remote endpoints to neutralize threats in real time. It provides deep visibility into system activity through file integrity monito
- [nedlir/dasel-hardened-container](https://awesome-repositories.com/repository/nedlir-dasel-hardened-container.md) (0 ⭐)
- [owasp/cheatsheetseries](https://awesome-repositories.com/repository/owasp-cheatsheetseries.md) (32,298 ⭐) — The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems.

  What distinguishes this project is its decentral
- [m0bilesecurity/rms-runtime-mobile-security](https://awesome-repositories.com/repository/m0bilesecurity-rms-runtime-mobile-security.md) (2,971 ⭐) — This project is an Android security analysis toolkit and mobile app runtime manipulator designed for reverse engineering and auditing mobile applications. It provides a system for modifying Java classes and method behavior in active mobile processes to bypass security controls.

  The toolkit includes a web-based interface for controlling the instrumentation engine and a specialized utility for disabling certificate validation to intercept and inspect encrypted network traffic via SSL pinning bypass. It also features an Android file explorer for browsing and managing files within private data di
- [containerd/containerd](https://awesome-repositories.com/repository/containerd-containerd.md) (20,369 ⭐) — Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration.

  The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
- [tech-audit/smart-contract-audits](https://awesome-repositories.com/repository/tech-audit-smart-contract-audits.md) (95 ⭐) — Smart Contract security audit reports
- [docker-mailserver/docker-mailserver](https://awesome-repositories.com/repository/docker-mailserver-docker-mailserver.md) (18,420 ⭐) — This project provides a full-stack, containerized mail server platform designed for self-hosting. It functions as a complete mail transfer agent that bundles essential services—including SMTP, IMAP, and POP3—into a unified environment. By leveraging container orchestration, it enables the deployment of private email infrastructure that handles message transport, delivery, and user management within a single, manageable service.

  The platform distinguishes itself through deep integration with container runtimes and robust configuration flexibility. It supports granular customization via configu
- [konstruktoid/hardening](https://awesome-repositories.com/repository/konstruktoid-hardening.md) (1,712 ⭐) — Hardening Ubuntu. Systemd edition.
- [gdssecurity/docker-secure-deployment-guidelines](https://awesome-repositories.com/repository/gdssecurity-docker-secure-deployment-guidelines.md) (607 ⭐) — Deployment checklist for securely deploying Docker
- [collabnix/dockerlabs](https://awesome-repositories.com/repository/collabnix-dockerlabs.md) (8,008 ⭐) — dockerlabs is a collection of educational labs and technical tutorials designed to teach the fundamentals of containerization and microservice architecture. It provides instructional material and hands-on exercises covering image optimization, security training, infrastructure setup, and cluster orchestration.

  The project features specific courses and guides focused on reducing image size through multi-stage builds, securing workloads via vulnerability scanning and encrypted networks, and deploying multi-node clusters with high availability using Swarm orchestration.

  The materials cover a br
- [boto/boto3](https://awesome-repositories.com/repository/boto-boto3.md) (9,834 ⭐) — Boto3 is the AWS SDK for Python, providing a programmatic interface for managing and automating AWS cloud infrastructure and services. It serves as a cloud management API client and resource manager for provisioning, configuring, and scaling virtual servers, databases, and storage.

  The library enables the implementation of infrastructure-as-code through declarative templates and scripts, allowing for the deployment of identical resource stacks across multiple accounts and geographic regions. It also provides a framework for coordinating distributed workflows, serverless functions, and contain
- [aoncyberlabs/docker-secure-deployment-guidelines](https://awesome-repositories.com/repository/aoncyberlabs-docker-secure-deployment-guidelines.md) (607 ⭐) — Deployment checklist for securely deploying Docker
- [cisofy/lynis](https://awesome-repositories.com/repository/cisofy-lynis.md) (15,284 ⭐) — Lynis is an automated security auditing and system hardening framework designed for UNIX-based operating systems. It functions as a command-line utility that inspects local system configurations to identify security vulnerabilities, configuration weaknesses, and compliance gaps. By executing a series of modular tests, the tool generates actionable reports and remediation suggestions to assist in strengthening system defenses.

  The project distinguishes itself through a highly modular architecture that relies on shell-script-based execution and native system inspection. Users can define custom
- [goharbor/harbor](https://awesome-repositories.com/repository/goharbor-harbor.md) (28,761 ⭐) — Harbor is a self-hosted, enterprise-grade container registry platform designed to store, sign, and scan container images and cloud-native artifacts. It provides a centralized repository that integrates directly with Kubernetes environments to manage the full lifecycle of software artifacts, from initial storage to production deployment.

  The platform distinguishes itself through a focus on security, governance, and multi-site availability. It features a pluggable vulnerability scanning framework that allows for the integration of various security engines, alongside content trust mechanisms tha
- [docker-library/official-images](https://awesome-repositories.com/repository/docker-library-official-images.md) (6,972 ⭐) — This project is a collection of curated and standardized Docker base images that serve as reliable starting points for building containerized applications. It functions as an OCI container image repository and a build template library, providing a central source of truth for images that adhere to Open Container Initiative standards for portability.

  The project utilizes an automated image lifecycle pipeline to build, tag, and push images, ensuring that dependencies remain current and security patches are applied. It specifically supports cross-platform distribution by providing a multi-archite
- [chainsulting/smart-contract-security-audits](https://awesome-repositories.com/repository/chainsulting-smart-contract-security-audits.md) (3 ⭐) — Smart Contract Audits (Ethereum, Hyperledger, EOS, Tezos) by a reputable company are an essential part of any smart contract development. While the rise of blockchain presents a unique opportunity to create smart contracts for digital assets, such as Utility or Security token. Smart Contract…
- [yeasy/blockchain_guide](https://awesome-repositories.com/repository/yeasy-blockchain-guide.md) (7,069 ⭐) — This is an educational resource that provides a comprehensive guide to blockchain and distributed ledger technologies, covering everything from fundamental concepts to practical deployment. The guide systematically explains the core architecture of blockchain systems, including consensus-based distributed ledgers, cryptographic hash chains, Merkle trees, and smart contract execution engines, while also detailing permissioned channel architectures and modular service platforms for enterprise use.

  The resource distinguishes itself by offering a dual-track learning path that serves both non-tech
- [docker/docker](https://awesome-repositories.com/repository/docker-docker.md) (71,736 ⭐) — Docker is an OCI container engine and runtime orchestrator used to build, run, and manage isolated applications. It functions as a container image builder for creating portable snapshots of applications and a registry manager for storing, versioning, and distributing those images across environments.

  The platform provides a centralized daemon to control the creation, execution, and termination of containerized workloads. It allows for the assembly of modular container systems by combining build tools, registries, and runtimes.

  Its core capabilities cover container image creation, registry ad
- [aws/aws-cdk](https://awesome-repositories.com/repository/aws-aws-cdk.md) (12,817 ⭐) — The AWS Cloud Development Kit is an infrastructure-as-code framework that enables developers to define and provision cloud resources using familiar programming languages. By utilizing construct-based synthesis, it translates high-level, object-oriented code into declarative templates, allowing for the automated management of complex cloud environments through a centralized, code-driven control plane.

  The framework distinguishes itself through its ability to model infrastructure as a dependency-aware resource graph, ensuring that components are provisioned and updated in the correct order. It
- [chatwoot/chatwoot](https://awesome-repositories.com/repository/chatwoot-chatwoot.md) (31,959 ⭐) — Chatwoot is a self-hosted, omnichannel customer support platform designed to aggregate messages from diverse social and digital channels into a single, collaborative team inbox. It provides organizations with full data ownership and control over their support infrastructure, ensuring strict logical separation of customer data through multi-tenant architecture. By centralizing communication, the platform enables teams to manage, route, and resolve inquiries within a unified workspace that maintains complete interaction history for every contact.

  The platform distinguishes itself through an eve
- [formbricks/formbricks](https://awesome-repositories.com/repository/formbricks-formbricks.md) (12,391 ⭐) — Formbricks is an open-source survey and feedback platform designed to help teams capture and analyze user insights through targeted, in-app, and website-based interactions. It functions as a comprehensive customer experience analytics system that allows organizations to maintain full control over their data, user attributes, and survey workflows.

  The platform distinguishes itself through its event-driven architecture, which enables precise behavioral targeting by triggering surveys based on specific user actions or application events. It supports deep integration with external ecosystems by a
- [cncf/curriculum](https://awesome-repositories.com/repository/cncf-curriculum.md) (6,578 ⭐) — The CNCF Curriculum is an open-source repository that organizes exam domains and learning paths for CNCF certification courses covering Kubernetes and cloud-native technologies. It structures certification content into weighted domains that reflect exam question distribution, providing a structured study guide for candidates preparing for CNCF certifications.

  The curriculum is organized around multiple cloud-native domains including networking, security, GitOps, platform engineering, and certification preparation. It teaches cloud-native concepts through the lens of building and operating int
- [google/container-explorer](https://awesome-repositories.com/repository/google-container-explorer.md) (97 ⭐) — Container Explorer (built as ce) is a standalone Go utility for exploring, analyzing, and performing forensics on container runtimes (such as containerd, Docker, and Podman).
- [appwrite/appwrite](https://awesome-repositories.com/repository/appwrite-appwrite.md) (56,318 ⭐) — Appwrite is a backend-as-a-service platform that provides a unified development environment for building full-stack applications. It integrates essential infrastructure components—including authentication, databases, storage, and serverless functions—into a single, centralized interface to simplify application development and resource management.

  The platform distinguishes itself through a container-based microservices architecture that ensures consistent execution across diverse infrastructure. It features a versatile connectivity layer that links frontend applications with third-party servi
- [floedesigntechnologies/phpcs-security-audit](https://awesome-repositories.com/repository/floedesigntechnologies-phpcs-security-audit.md) (0 ⭐)
- [slimtoolkit/slim](https://awesome-repositories.com/repository/slimtoolkit-slim.md) (22,977 ⭐) — Slim is a comprehensive suite for container lifecycle management, providing tools for image inspection, optimization, security hardening, and service troubleshooting. It functions as a platform for analyzing containerized applications through both static metadata review and dynamic behavioral probing, enabling users to understand image composition and runtime dependencies.

  The project distinguishes itself by automating the creation of minimal, production-ready container images. It achieves this by removing unnecessary files and components, flattening image layers, and synthesizing restrictive
- [ever-co/ever-gauzy](https://awesome-repositories.com/repository/ever-co-ever-gauzy.md) (3,476 ⭐) — Ever Gauzy is an integrated business management suite providing an ERP and CRM framework for professional services automation. It functions as a multi-tenant SaaS platform that combines time tracking, billing, and human resource management into a unified system.

  The project is distinguished by its headless architecture, utilizing a REST and GraphQL API gateway to expose business operations. It features a Model Context Protocol server that allows AI assistants to interact with system data and execute functional tools for automated business workflows.

  The platform covers a broad operational su
- [daytonaio/daytona](https://awesome-repositories.com/repository/daytonaio-daytona.md) (72,416 ⭐) — Daytona is a cloud-native development environment platform designed to orchestrate ephemeral, containerized workspaces. It provides a centralized system for managing reproducible coding environments as code, ensuring consistency across distributed teams by abstracting the underlying infrastructure. By utilizing declarative configuration, the platform automates the entire lifecycle of development sandboxes, from initial provisioning to resource governance.

  The platform distinguishes itself through its infrastructure-agnostic runner layer, which allows development environments to be deployed ac
