Useful tools to run inside a container to assess the sandbox that’s in use, and exploit some common breakout issues.

  • amicontained - Shows information about the container runtime and the rights you have
  • ConMachi - Pentester-focused container attack surface assessment tool
  • deepce - Docker Enumeration, Escalation of Privileges and Container Escapes
  • botb - Container breakout assessment tool. Can automatically exploit common issues like the Docker socket mount
  • keyctl-unmask - Tool that specifically focuses on grabbing kernel keyring entries from containers that allow the keyctl syscall

Container Vulnerability Scanning Tools

  • Trivy - Vulnerability and IaC scanner
  • Grype - Container vulnerability scanner
  • clair - Container vulnerability scanner

IaC Scanning Tools that cover container formats

  • Trivy - Vulnerability and IaC scanner
  • Checkov - IaC scanner
  • KICS - IaC scanner

Docker Security Tools

Container Runtime Security Tools

  • Tracee - Container runtime security tooling
  • Falco - Container runtime security tooling
  • Kubearmor - Container runtime security enforcement tool

Container Registry Tools

  • reg - Tool for interacting with Container registries
  • regclient - Another tool for interacting with container registries
  • go-pillage-registries - Tool to search the manifests and configuration for images in a registry for potentially sensitive information

Container Orchestration Tools

RBAC Assessment Tools

  • kubectl-who-can - Tool that lets you ask “who can” do things in RBAC, e.g. who can get secrets
  • rakkess - Shows the RBAC permissions available to a user as a list
  • rback - Tool for graphical representation of RBAC permissions in a Kubernetes cluster
  • rbac-tool - RBAC Tool for Kubernetes
  • kubiScan - Tool to scan Kubernetes clusters for risky permissions
  • krane - Kubernetes RBAC static analysis & visualisation tool

Kubernetes Security Auditing Tools

  • kube-bench - Tool to assess compliance with the CIS benchmark for various Kubernetes distributions
  • kubescape - Kubernetes security assessment tool
  • kubeaudit - Kubernetes security assessment tool focusing on workload security
  • kubesec - Kubernetes security assessment tool focusing on workload security
  • kubescore - Kubernetes security and reliability assessment tool focusing on workload security

Kubernetes Penetration Testing Tools

  • kube-hunter - Tool to test and exploit standard Kubernetes Security Vulnerabilities
  • kubestrike - Security auditing tool for Kubernetes that covers authenticated and unauthenticated scanning
  • peirates - Kubernetes container breakout tool
  • kdigger - Kubernetes breakout/discovery tool

Kubernetes Post-Exploitation Tools

  • kubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments

Kubelet Tools

  • kubeletctl - A good tool for automating the assessment of a kubelet instance. If the instance is vulnerable, it can also carry out some exploit tasks

etcd Tools

  • auger - Tool for decoding information pulled directly from the etcd database

Security Observability Tools

Training Tools

If you’re looking to practice with some of the tools here, in a safe environment, there are projects to help with that.