Container Image Vulnerability Scanners

Docker Compose is a tool for defining and running multi-container applications through declarative configuration files. It functions as an application lifecycle manager, coordinating the startup, shutdown, and scaling of interconnected services within isolated environments. By using a standardized configuration format, it enables infrastructure as code, allowing developers to manage complex application stacks and their dependencies in a single, repeatable file. The project distinguishes itself by integrating directly with the broader Docker platform, leveraging a client-server architecture where a command-line interface communicates with a persistent daemon to manage container lifecycles. It supports advanced development workflows by providing specialized AI agent frameworks, microVM-based sandboxing for secure code execution, and cloud-based offloading for container builds. These capabilities allow for consistent development environments that mirror production configurations while providing integrated security analysis and supply chain guardrails. Beyond core orchestration, the platform encompasses a comprehensive suite of tools for image distribution, automated builds, and enterprise-grade administration. It provides extensive support for managing container runtimes, storage drivers, and registry interactions, ensuring compatibility with standardized container interfaces. The project is supported by a wide range of documentation, including guides, API references, and interactive workshops designed to assist with local development and scalable deployment.

Dyad is a local, artificial intelligence-powered development environment designed to manage, edit, and scaffold full-stack software projects. It functions as an automated codebase manager and code editor that leverages language models to execute programming tasks, maintain project context, and apply targeted modifications directly to source files on a user's machine. The platform distinguishes itself through a model-agnostic architecture that allows for flexible integration with various language model runtimes. It provides specialized operational modes to optimize development speed and efficiency, while maintaining granular control over the codebase through differential change tracking and automated project-level configuration directives. By utilizing context-aware file indexing and automated conversation management, the tool ensures that generated code remains aligned with specific architectural constraints and project requirements. Beyond core editing, the platform covers a broad surface of software engineering workflows, including automated security vulnerability analysis and remediation, database schema management with migration generation, and cloud deployment automation. It supports the full application lifecycle from initial project bootstrapping and live previewing to final publication and mobile conversion. The environment is designed to operate locally to maintain complete control over the codebase, while offering secure remote execution sandboxing for sensitive logic and restricted API interactions.

Trivy is a comprehensive security scanner designed to identify vulnerabilities and misconfigurations across container images, filesystems, and infrastructure as code files. It functions as a software composition analysis tool and an infrastructure security scanner, providing automated checks for CI/CD pipelines and cloud environments to ensure the integrity of the software supply chain. The tool distinguishes itself through a modular, plugin-based architecture that allows for the independent inspection of diverse targets. It utilizes a declarative policy engine to evaluate configurations against compliance standards and relies on a remote, periodically updated vulnerability database to maintain current detection logic without requiring binary updates. By employing static analysis pattern matching, it maps disparate scan results into a unified output schema for consistent reporting. Beyond its core scanning capabilities, the project supports cloud infrastructure auditing and deep inspection of local and remote environments. It is distributed as a single cross-platform executable, and comprehensive configuration and usage details are available in the project's official user guide.

Fleet is an open-source device management platform that provides centralized control over computing devices running macOS, Linux, Windows, Chromebooks, iOS, and Android. It enables organizations to enroll devices, collect real-time telemetry, enforce security compliance policies, and manage software remotely from a single system. The platform can be deployed as a single binary, run locally for testing, or scaled horizontally across cloud infrastructure on AWS, Kubernetes, GCP, or Render, with support for high availability through database replication and load balancing. The platform distinguishes itself through its infrastructure-as-code approach, allowing teams to manage device configurations, policies, and queries declaratively through GitOps workflows, a REST API, webhooks, or the fleetctl command-line tool. Every configuration change is tracked and auditable, with the ability to review and approve proposed modifications before deployment and instantly roll back if needed. Fleet integrates with common identity providers through SAML single sign-on, supports SCIM for automatic user provisioning and deprovisioning, and can export data to enterprise platforms like Snowflake, Splunk, GitHub Actions, and Jira for workflow automation. Fleet provides comprehensive device monitoring and security assessment capabilities, including live SQL queries across all managed devices, automated vulnerability scanning, CIS benchmark compliance checks, and YARA rule-based file scanning. The platform collects detailed device health data, software inventory, and security configurations, and can run scripts automatically based on schedules or policy triggers. It supports remote software deployment, including App Store applications on Apple devices, and enforces security controls such as disk encryption and custom compliance policies. The platform exposes Prometheus metrics and OpenTelemetry traces for observability, and provides a health endpoint for monitoring server status.

Dive is a command-line tool designed for the analysis and optimization of container images. It functions as a layered storage inspector, allowing users to decompose image manifests to examine individual filesystem layers and identify opportunities to reduce total image size. The tool features a filesystem diffing engine that calculates net changes between sequential layers to highlight redundant data and storage inefficiencies. Users interact with this data through a terminal-based dashboard that provides keyboard-driven navigation of complex file structures and layer metadata. By abstracting the underlying container runtime, the tool maintains compatibility across various storage formats and engine environments. Beyond manual inspection, the software supports automated quality gates for continuous integration pipelines. It evaluates image metadata against user-defined performance thresholds to validate efficiency and prevent the deployment of suboptimal builds. Configuration files allow for the adjustment of logging levels, interface layouts, and engine preferences to suit specific development workflows.

Gitleaks is a security scanning engine designed to identify hardcoded credentials, API keys, and other sensitive information within version control systems and local file structures. It functions as a static analysis tool that automates the detection of secrets, helping to prevent the accidental exposure of sensitive data during the development lifecycle. The tool distinguishes itself through its ability to perform deep forensic analysis of git history, allowing users to audit entire project timelines or enforce security gates within continuous integration pipelines. It supports complex detection logic through composite rules and provides mechanisms for baseline management, which enables teams to ignore existing findings and focus exclusively on new security risks. By offering pre-commit hook integration and exit-code-based orchestration, it allows for the enforcement of security policies directly within developer workflows and automated build environments. Beyond core scanning, the project provides a broad set of utilities for managing security findings, including support for decoding obfuscated strings, inspecting compressed archives, and filtering results through allowlisting or path exclusions. It facilitates compliance and reporting by exporting structured data, which can be integrated into external dashboards or tracking systems. The tool is built to handle various input sources, including direct file system traversal and standard input streams, ensuring compatibility with diverse development and deployment environments.

This project is a Helm chart repository and Kubernetes application catalog providing standardized deployment templates for popular open-source software. It serves as a library of pre-configured packages designed to automate the installation and configuration of server-side applications on container clusters. The collection includes a suite of hardened container images built on minimal base layers to reduce the attack surface. These images undergo automated vulnerability scanning and triage within the release pipeline to identify and remediate security flaws before deployment. The project manages cloud-native infrastructure through template-based package definitions and value-driven configuration. This approach ensures consistent manifest generation across different environments while maintaining compatibility through semantic versioning.

This project is a comprehensive, community-driven directory that serves as a centralized discovery hub for the container ecosystem. It functions as a structured knowledge base, aggregating a wide array of software tools, educational materials, and technical resources designed to assist developers and operators in mastering containerization technologies. The repository distinguishes itself through a meticulously organized taxonomy that maps the entire container lifecycle, from initial development and image building to orchestration, security, and infrastructure operations. By curating disparate external links and documentation into a single, version-controlled collection, it provides a clear navigation path for users seeking specialized utilities, ranging from runtime engines and registry tools to advanced supply chain security and observability solutions. Beyond its role as a tool index, the directory supports professional growth by offering a broad surface of learning resources, including tutorials, best practices, and community-vetted guides. It covers essential operational domains such as multi-container workload management, image hardening, and workflow optimization, ensuring that both newcomers and experienced practitioners have access to a reliable reference for modern containerized systems.

Clair is a container vulnerability scanner that performs static analysis of container images to identify known security vulnerabilities. It functions as an analyzer for OCI and Docker images, indexing their contents to detect security risks and outdated packages without requiring the containers to be running. The tool identifies vulnerabilities by matching indexed container components against security databases to find common vulnerabilities and exposures. This process involves analyzing filesystem layers to track the provenance and versioning of packages across the image hierarchy. The project provides capabilities for container security auditing and image security analysis, enabling the automation of vulnerability detection within development and deployment pipelines. This includes the extraction of package metadata from image layers to create searchable inventories for security audits.

Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials. Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.

This project is a comprehensive collection of tutorials and guided laboratories designed to teach containerization, networking, and security using Docker. It serves as a learning path for building portable images and executing isolated processes. The materials provide specific guides for managing container clusters and scaling services through Docker Swarm and overlay networks. It includes a security handbook for implementing image scanning and secret management, as well as laboratories dedicated to modernizing legacy applications by wrapping older software installers into containers. The content covers a broad range of capabilities including the configuration of continuous integration pipelines, the deployment of cloud-native applications, and the setup of private image registries. It also provides instructional workflows for performing live debugging of applications within containerized environments.

w3af is a web penetration testing suite and security audit framework designed to identify and exploit vulnerabilities in web applications. It functions as a vulnerability scanner that crawls targets to find injection points and a fuzzer used to discover hidden endpoints and test input validation. The project distinguishes itself by providing an intercepting HTTP proxy for capturing and modifying traffic, combined with a knowledge-base driven exploitation system. It enables the execution of security exploits to gain remote shell access and supports post-exploitation activities, such as routing traffic through compromised hosts via reverse TCP tunnels and SOCKS proxies. The platform covers a broad range of security capabilities, including REST API auditing, infrastructure fingerprinting, and automated login processing. It supports session maintenance through various authentication methods and provides tools for visualizing site structures and analyzing HTTP response clusters. Users can manage the scanner via a graphical interface or a programmatic API to automate scans and retrieve vulnerability data. The application is delivered as a dockerized environment to ensure consistent runtime behavior and simplified dependency management.

Watchtower is a container-based solution designed to automate the lifecycle management of Docker applications. It functions as a background service that monitors running containers, detects when new base image versions are available in registries, and automatically redeploys the containers to ensure they remain synchronized with the latest builds. The project distinguishes itself through its ability to orchestrate complex deployment workflows and maintain service availability during updates. It interacts directly with the container runtime to manage service dependencies and restart sequences, ensuring that dependent containers are handled in the correct order. Users can further customize the update process by defining lifecycle hooks that execute shell commands before or after a container is replaced, allowing for tailored initialization and cleanup tasks. Beyond automated updates, the tool provides extensive infrastructure observability and flexible management options. It supports event-driven updates via HTTP webhooks, declarative filtering to target specific containers, and secure remote management through encrypted communication and private registry authentication. Operational statistics can be exported to external monitoring systems, and the service can be configured to run in a passive observation mode to track image changes without performing automated redeployments.

This project is a comprehensive, community-curated directory of cybersecurity resources, tools, and educational materials. It functions as a centralized index for researchers and students to discover frameworks and utilities across the entire security lifecycle, ranging from initial vulnerability assessment to post-exploitation analysis. The repository distinguishes itself through a hierarchical taxonomy that organizes diverse security disciplines into a searchable, version-controlled knowledge base. Rather than hosting software directly, it utilizes a decentralized aggregation model that links to external platforms, training environments, and specialized toolkits, ensuring the index remains current through community-driven contributions. The collection covers a broad spectrum of security domains, including automated vulnerability scanning, network traffic analysis, and digital forensics. It also provides access to specialized resources for binary reverse engineering, penetration testing training, and competitive platforms such as capture-the-flag events and bug bounty programs. All information is maintained in a lightweight, markdown-based format, allowing for rapid navigation and reference within the repository.

Podman is a container engine designed for managing containerized applications and images without the need for a persistent background daemon. By utilizing a fork-exec process model, it executes container management commands as direct child processes of the host system, ensuring that container lifecycles are handled through standard host-level process control. The project distinguishes itself through a focus on rootless security and cross-platform compatibility. It employs user namespace mapping to allow unprivileged users to manage isolated workloads without requiring administrative system access. On non-Linux operating systems, it integrates with lightweight virtual machines to provide a native command-line experience for container development. The engine supports the full container lifecycle, including image management, registry interaction, and orchestration of background or interactive services. It adheres to open industry standards for container runtimes and includes capabilities for checkpointing and restoring the memory and process state of running containers to facilitate workload migration.

Kubescape is a security platform for Kubernetes that provides tools for scanning clusters, configurations, and container images against industry compliance and security benchmarks. It functions as a suite of security utilities, including a compliance auditor, a misconfiguration scanner, and a container vulnerability scanner. The project differentiates itself through automated remediation and active enforcement. It can automatically patch operating system vulnerabilities in images and fix security errors within manifest files. It also utilizes an admission controller to block the deployment of workloads that violate predefined security policies. The platform covers a broad range of security operations, including runtime threat detection via system probes, the generation of network policies to restrict unauthorized communication, and continuous configuration monitoring. It further supports security auditing by verifying clusters against regulatory frameworks.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

Grype is a command-line security scanner designed to identify known vulnerabilities within container images, filesystems, and software manifests. It functions as a software composition analysis tool that detects security flaws in application components and open-source libraries to support supply chain security. The tool distinguishes itself by reconstructing the final state of container images through layered filesystem inspection and normalizing diverse package formats into a unified dependency graph. It maintains a local cache of security advisories synchronized from multiple upstream sources, allowing for consistent vulnerability matching and offline scanning capabilities. The scanner supports automated security workflows by generating structured vulnerability reports in formats such as JSON and CycloneDX. These outputs facilitate integration with external security pipelines, visualization dashboards, and automated oversight systems for tracking and remediating risks across software infrastructure.

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

This project is a comprehensive security platform providing an LLM security orchestration framework, an AI agent firewall, and tools for vulnerability remediation, compliance automation, and endpoint protection. It functions as a centralized system to protect AI models from adversarial exploits while managing the identification and patching of software flaws. The platform distinguishes itself through the coordination of specialized AI agents to automate complex security workflows, including reconnaissance, bug hunting, and exploit development. It implements dedicated guardrails to block prompt injection and prevent the manipulation of autonomous agent behavior. The system covers a broad range of security capabilities, including multi-OS endpoint threat protection, edge-based bot and injection defense, and automated compliance mapping. It further integrates vulnerability scanning with one-click encrypted patching, immutable audit logging, and real-time data breach monitoring.