
Containerization

5 automated security scanners


Purpose: The Kubernetes Security Scanner is designed to assess and report on the security posture of Kubernetes environments hosted under a given domain. It aims to identify potential vulnerabilities, misconfigurations, and insecure practices that could compromise the integrity, availability, and confidentiality of the systems.

What It Detects:

  • Kubernetes API Exposure: Identifies if the Kubernetes API is exposed publicly, which can lead to unauthorized access.
  • Dashboard Exposure: Checks if the Kubernetes dashboard (used for management) is accessible without proper authentication, exposing sensitive information and administrative interfaces.
  • RBAC Security Gaps: Detects whether Role-Based Access Control (RBAC) is enabled and whether roles are configured with least privilege, which reduces the risk of overprivileged access.
  • Pod Security Policies: Evaluates whether pod security policies are implemented to enforce security best practices for containers within pods.
  • Network Policies: Identifies the absence of network policies that could restrict traffic between pods and services, thus exposing potential attack vectors.
  • Secrets Management: Assesses the use of external secrets management solutions or encryption at rest for Kubernetes secrets, which is crucial for securing sensitive data.
  • Insecure Configurations: Detects misconfigurations in Kubernetes configuration files (e.g., privileged containers without proper security contexts).
  • Admission Controllers: Evaluates if admission controllers are enabled and configured correctly to enforce security policies during the lifecycle of resources in a cluster.

Inputs Required:

  • domain: The target domain name for which the Kubernetes environment is hosted. This input is essential as it defines the scope of the scan.

Business Impact: Ensuring robust Kubernetes security practices is critical to protect against potential threats and maintain the integrity of cloud-native applications. Poorly configured or unsecured Kubernetes environments can lead to unauthorized access, data leakage, service disruptions, and other severe consequences.

Risk Levels:

  • Critical: Immediate exposure to high-risk vulnerabilities that could be exploited by malicious actors with no prior knowledge of the environment's security measures.
  • High: Significant risks where an attacker could gain substantial privileges with minimal effort after initial access.
  • Medium: Moderate risk involving potential unauthorized access or data leakage, requiring immediate attention for mitigation.
  • Low: Minimal to no risk if the detected issues are properly addressed and secured.
  • Info: Informational findings that do not directly impact security but should be considered for continuous improvement in Kubernetes management practices.

Example Findings:

  1. A Kubernetes API is exposed on port 6443, which could lead to unauthorized access if the port is targeted by attackers.
  2. The Kubernetes dashboard is accessible without authentication, exposing sensitive information and administrative interfaces that can be exploited for further attacks.


Purpose: The purpose of this scanner is to analyze the security posture of service meshes within containerized environments by evaluating various aspects such as control plane exposure, mutual TLS configuration, authorization policies, sidecar injection settings, and observability security.

What It Detects:

  • This scanner detects whether a service mesh is present in the environment.
  • It checks for exposure of the control plane through unauthenticated access points.
  • It evaluates the strength of mutual TLS configurations to ensure proper encryption between services.
  • It identifies gaps in authorization policies, including overpermissive settings that could lead to unauthorized access.
  • It assesses the effectiveness of sidecar injection to secure communication and prevent bypass techniques.
  • It examines the observability aspects for potential exposure of sensitive data or unauthenticated access points.
  • It flags any insecure configurations that may allow plaintext traffic or overpermissive policies.

Inputs Required:

  • domain: The target domain name (e.g., acme.com) to be scanned for service mesh security issues.

Business Impact: This scanner is crucial because service mesh security directly affects the confidentiality, integrity, and availability of data within a containerized environment; it identifies weaknesses in the service mesh's security architecture. Poorly configured service meshes can lead to unauthorized access, data breaches, and system unavailability if not addressed promptly.

Risk Levels:

  • Critical: A control plane exposed without authentication, or authorization mechanisms so lacking that overpermissive policies cannot be enforced, poses a critical risk because it directly compromises security across all services in the mesh.
  • High: Weak mutual TLS configurations or significant gaps in authorization policies can lead to high risks if they enable unauthorized access or data leakage.
  • Medium: Issues such as partial enforcement of strict mode for mTLS or incomplete sidecar injection settings pose medium risk, potentially affecting some aspects of service-to-service communication without full compromise.
  • Low: Informational findings, such as undisclosed versions of the mesh software, are generally low risk unless they indicate a lack of updates or non-compliance with security best practices.

Example Findings:

  1. A critical vulnerability was detected where the control plane is exposed to unauthenticated access, posing significant risks for data leakage and unauthorized modifications.
  2. The mutual TLS configuration is set to permissive mode, which fails to enforce encryption between services, leading to potential eavesdropping attacks that could compromise sensitive information.

Purpose: The Container Registry Security Scanner is designed to assess and evaluate the security posture of container registries associated with a given domain. It aims to identify potential vulnerabilities, misconfigurations, and exposure to unauthorized access that could compromise the integrity and confidentiality of the data stored in these registries.

What It Detects:

  • Public Registry Access: The scanner detects if there is any public access to container repositories on Docker Hub and GitHub Container Registry (GHCR). This includes checking for unauthenticated API access and publicly accessible repositories.
  • Authentication Issues: It identifies registries that do not enforce proper authentication mechanisms, exposing them to potential unauthorized access.
  • Missing Security Controls: The scanner checks whether security controls or best practices for registry management are documented, and flags gaps such as webhook configurations without adequate authentication or encryption.
  • Webhook Security Issues: It flags the detection of insecure webhooks that do not use HTTPS or properly authenticate messages, which could be exploited for unauthorized activities.

Inputs Required:

  • Domain Name: The primary input required to specify the target organization’s domain for assessment. This allows the scanner to crawl and analyze relevant registries associated with this domain.

Business Impact: The security of container registries is critical as they often house sensitive data, configurations, and dependencies that are essential for various applications and services. Unauthorized access or exposure can lead to significant data breaches, service disruptions, and reputational damage. This scanner helps organizations proactively identify and mitigate such risks, enhancing their overall cybersecurity posture.

Risk Levels:

  • Critical: If the registry is publicly accessible without any authentication mechanisms in place, posing a high risk of unauthorized access and potential data leakage.
  • High: When there are documented issues with authentication or missing security controls that could lead to unauthorized access.
  • Medium: When there are public repositories accessible without proper authorization, indicating a need for improved registry management practices.
  • Low: When the registry is well-secured with appropriate authentication and encryption mechanisms in place, but no significant issues are detected.
  • Info: When minor findings such as unencrypted webhooks or outdated documentation are present, generally not affecting the criticality of the system.

Example Findings:

  1. The domain “example.com” has 3 publicly accessible repositories on Docker Hub, which poses a risk of unauthorized access to sensitive data.
  2. A registry associated with “example.com” does not enforce any authentication mechanisms, indicating a critical security issue that could lead to unauthorized data leakage.


Purpose: This scanner evaluates the container runtime security posture of a given domain by assessing various aspects including Docker daemon exposure, unauthenticated API access, lack of documented security policies, insecure configuration settings, and outdated software versions.

What It Detects:

  • Docker Daemon Exposure: Identifies if the Docker daemon is exposed on any ports, which could lead to unauthorized access.
  • Unauthenticated Docker API Access: Detects if the Docker API is accessible without authentication, which poses a security risk.
  • Lack of Documented Security Policies: Flags the absence of documented runtime security policies.
  • Insecure Configuration Settings: Flags any configuration settings that may lead to insecure behavior such as running containers with elevated privileges.
  • Outdated Software Versions: Detects if the Docker or related software components are using outdated versions which might have known vulnerabilities.

Inputs Required:

  • <domain>: The target domain whose container runtime security is to be assessed.

Business Impact: Evaluating and ensuring robust container runtime security is crucial as it directly impacts the integrity, availability, and confidentiality of applications running in containers. Poorly secured containers can lead to unauthorized access, data breaches, and system compromises which could have significant financial, legal, and reputational consequences.

Risk Levels:

  • Critical: The scanner identifies that the Docker daemon is exposed on multiple ports and unauthenticated API access is possible.
  • High: There are no documented security policies in place or there are insecure configuration settings detected which could lead to critical vulnerabilities if exploited.
  • Medium: Outdated software versions are present, posing a moderate risk of being targeted by attackers exploiting known vulnerabilities.
  • Low: No significant issues are found indicating a generally secure container runtime environment.
  • Info: Informational findings, such as the presence of Docker with no exposed daemon or unauthenticated access, that do not pose an immediate threat but should be monitored for potential future risks.

Example Findings:

  1. The scanner identified that the Docker daemon is running on ports 2375 and 2376 without authentication, posing a significant security risk.
  2. Insecure configuration settings were detected allowing containers to run with elevated privileges, which could be exploited by malicious users.

Purpose: The purpose of this scanner is to analyze container image security for a given domain, including checking for base image practices, vulnerability scanning, image signing, secrets management, and hardening practices. It aims to provide insights into the security posture of container images used in software supply chains.

What It Detects:

  • Base Image Practices: Identifies whether minimal or distroless base images are used and if there is a policy for updating these images.
  • Vulnerability Scanning: Detects whether automated scanning is performed, the tools used, enforcement of scan results, continuous scanning capabilities, and threshold policies.
  • Image Signing: Checks whether image signing is implemented using tools like cosign, whether signatures are verified at deployment, and whether provenance attestation is enforced.
  • Secrets Management: Determines whether secret scanning is conducted, whether runtime injection of secrets is documented, and whether images are free of baked-in secrets.
  • Hardening Practices: Evaluates non-root user configuration, minimal base image usage, security context settings, and capability restrictions.

Inputs Required:

  • Domain: The target domain for which to analyze container image security.

Business Impact: This analysis is crucial because it helps identify vulnerabilities that could be exploited through compromised images, supporting secure software supply chain practices. It also helps detect conditions that lead to unauthorized access and data breaches by checking that secrets are managed effectively within the containerized environment.

Risk Levels:

  • Critical: When no container image security controls are identified, leading to a critical risk of supply chain attacks through compromised images.
  • High: When vulnerability scanning is present but not enforced or when there is an unclear implementation of image signing and verification.
  • Medium: When hardening practices are unclear or insufficient, allowing excessive privileges and a large attack surface.
  • Low: When comprehensive container image security measures such as vulnerability scanning, image signing, and hardening practices are in place.

Example Findings:

  1. The domain uses minimal base images without updating them, which poses a risk of having outdated software components that could be exploited.
  2. There is no secret scanning conducted, exposing potential hardcoded credentials within the container image layers.
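The "Insecure Configurations" check of the Kubernetes scanner and the "Hardening Practices" check of the image scanner both come down to inspecting pod security contexts. The following is an added example, not the scanners' own code: a minimal checker that flags the settings named above (privileged containers, privilege escalation left enabled, runAsNonRoot not enforced, capabilities not dropped, host namespaces shared) over two constructed manifests, a weak pod beside its hardened form. Manifests are given as already-parsed dicts, the shape a YAML loader would produce, so it runs without extra libraries.

```python
# Added example (not the scanners' own code): a minimal security-context checker
# for the pod misconfigurations described above. Sample manifests below are
# constructed, given as parsed dicts (what yaml.safe_load would return).

def check_container(container, pod_sc):
    """Return (container, issue, severity) findings for one container spec.
    Container-level securityContext fields override pod-level ones."""
    sc = container.get("securityContext") or {}
    name = container.get("name", "<unnamed>")
    findings = []
    if sc.get("privileged"):
        findings.append((name, "privileged container", "CRITICAL"))
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append((name, "allowPrivilegeEscalation not set to false", "HIGH"))
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_non_root is not True:
        findings.append((name, "runAsNonRoot not enforced", "MEDIUM"))
    drops = set((sc.get("capabilities") or {}).get("drop", []))
    if "ALL" not in drops:
        findings.append((name, "capabilities not dropped (drop: [ALL] missing)", "MEDIUM"))
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append((name, "readOnlyRootFilesystem not true", "LOW"))
    return findings

def check_pod(manifest):
    """Return all findings for a Pod manifest, covering init containers too."""
    spec = manifest.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("pod", f"{field} enabled (host namespace shared)", "HIGH"))
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings.extend(check_container(c, pod_sc))
    return findings

# Constructed samples: a weak pod beside its hardened counterpart.
WEAK_POD = {"kind": "Pod", "spec": {"hostNetwork": True, "containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"kind": "Pod", "spec": {"securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "no findings")
```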