container-security-testing

Original：🇨🇳 Chinese

Translated

Professional Skills and Methodologies for Container Security Testing

2installs

Sourceed1s0nz/cyberstrikeai

Added on2026-03-08

NPX Install

npx skill4agent add ed1s0nz/cyberstrikeai container-security-testing

SKILL.md Content (Chinese)

View Translation Comparison →

Container Security Testing

Overview

Container security testing is a critical component to ensure the security of containerized applications. This skill provides methods, tools, and best practices for container security testing, covering container technologies such as Docker and Kubernetes.

Testing Scope

1. Image Security

Check Items:

Base image vulnerabilities
Dependencies vulnerabilities
Image configuration
Sensitive information

2. Runtime Security

Check Items:

Container permissions
Resource limits
Network isolation
File system

3. Orchestration Security

Check Items:

Kubernetes configuration
Service accounts
RBAC
Network policies

Docker Security Testing

Image Scanning

Using Trivy:

bash

# 扫描镜像
trivy image nginx:latest

# 扫描本地镜像
trivy image --input nginx.tar

# 只显示高危漏洞
trivy image --severity HIGH,CRITICAL nginx:latest

Using Clair:

bash

# 启动Clair
docker run -d --name clair clair:latest

# 扫描镜像
clair-scanner --ip 192.168.1.100 nginx:latest

Using Docker Bench:

bash

# 运行Docker安全基准测试
docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security

Container Configuration Check

Checking Dockerfile:

dockerfile

# 安全问题示例
FROM ubuntu:latest  # 使用latest标签
RUN apt-get update && apt-get install -y curl  # 未指定版本
COPY . /app  # 可能包含敏感文件
ENV PASSWORD=secret  # 硬编码密码
USER root  # 使用root用户

Security Best Practices:

dockerfile

# 使用特定版本
FROM ubuntu:20.04

# 指定包版本
RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu2.7

# 使用非root用户
RUN useradd -m appuser
USER appuser

# 最小化镜像
FROM alpine:3.15

# 多阶段构建
FROM golang:1.18 AS builder
WORKDIR /app
COPY . .
RUN go build -o app

FROM alpine:3.15
COPY --from=builder /app/app /app

Runtime Check

Checking Container Permissions:

bash

# 检查特权容器
docker ps --filter "label=privileged=true"

# 检查挂载的主机目录
docker inspect container_name | grep -A 10 Mounts

# 检查容器网络
docker network inspect network_name

Checking Resource Limits:

bash

# 检查内存限制
docker stats container_name

# 检查CPU限制
docker inspect container_name | grep -i cpu

Kubernetes Security Testing

Configuration Check

Using kube-bench:

bash

# 运行kube-bench
kube-bench run

# 检查特定基准
kube-bench run --targets master,node,etcd

Using kube-hunter:

bash

# 运行kube-hunter
kube-hunter --remote target-ip

# 主动模式
kube-hunter --active

Pod Security

Checking Pod Security Policies:

yaml

# 不安全的Pod配置
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: app
    image: nginx
    securityContext:
      privileged: true  # 特权模式
      runAsUser: 0  # root用户

Secure Configuration:

yaml

apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
        add:
        - NET_BIND_SERVICE

RBAC Check

Checking Role Permissions:

bash

# 列出所有角色
kubectl get roles --all-namespaces

# 检查角色绑定
kubectl get rolebindings --all-namespaces

# 检查集群角色
kubectl get clusterroles

# 检查用户权限
kubectl auth can-i --list --as=system:serviceaccount:default:sa-name

Common Issues:

Excessive permissions
Unused roles
Unused service accounts

Network Policies

Checking Network Policies:

bash

# 列出所有网络策略
kubectl get networkpolicies --all-namespaces

# 检查网络策略配置
kubectl describe networkpolicy policy-name -n namespace

Network Policy Example:

yaml

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Tool Usage

Falco

Runtime Security Monitoring:

bash

# 安装Falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

# 检查规则
falco -r /etc/falco/rules.d/

Aqua Security

bash

# 扫描镜像
aqua image scan nginx:latest

# 扫描Kubernetes集群
aqua k8s scan

Snyk

bash

# 扫描Dockerfile
snyk test --docker nginx:latest

# 扫描Kubernetes配置
snyk iac test k8s/

Testing Checklist

Image Security

Scan base image vulnerabilities
Scan dependencies vulnerabilities
Check Dockerfile configuration
Check sensitive information leakage

Runtime Security

Check container permissions
Check resource limits
Check network isolation
Check file system mounts

Orchestration Security

Check Kubernetes configuration
Check RBAC configuration
Check network policies
Check Pod security policies

Common Security Issues

1. Image Vulnerabilities

Issues:

Base images contain vulnerabilities
Dependencies contain vulnerabilities
Not updated in a timely manner

Fixes:

Regularly scan images
Update base images promptly
Use minimal images

2. Excessive Permissions

Issues:

Containers run as root
Privileged mode enabled
Sensitive directories mounted

Fixes:

Use non-root users
Disable privileged mode
Restrict file system access

3. Misconfiguration

Issues:

Insecure default configurations
Missing network policies
Incorrect RBAC configurations

Fixes:

Follow security best practices
Implement network policies
Configure RBAC correctly

4. Sensitive Information Leakage

Issues:

Images contain secrets
Environment variables exposed
Configuration files leaked

Fixes:

Use secret management
Avoid hardcoding
Use Secret objects

Best Practices

1. Image Security

Use official base images
Update images regularly
Scan images for vulnerabilities
Minimize image size

2. Runtime Security

Use non-root users
Restrict container permissions
Implement resource limits
Enable security context

3. Orchestration Security

Configure network policies
Implement RBAC
Use Pod security policies
Enable audit logs

Notes

Only perform testing in authorized environments
Avoid impacting production environments
Note differences between different container platforms
Conduct regular security scans

container-security-testing

NPX Install

Tags

SKILL.md Content (Chinese)

Container Security Testing

Overview

Testing Scope

1. Image Security

2. Runtime Security

3. Orchestration Security

Docker Security Testing

Image Scanning

Container Configuration Check

Runtime Check

Kubernetes Security Testing

Configuration Check

Pod Security

RBAC Check

Network Policies

Tool Usage

Falco

Aqua Security

Snyk

Testing Checklist

Image Security

Runtime Security

Orchestration Security

Common Security Issues

1. Image Vulnerabilities

2. Excessive Permissions

3. Misconfiguration

4. Sensitive Information Leakage

Best Practices

1. Image Security

2. Runtime Security

3. Orchestration Security

Notes