Security specialty

Container Security

Browse every cataloged workflow for container security, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

33 skills

cybersecuritySkill

Analyzing Kubernetes Audit Logs

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

Container Security
audit-log-analysiscontainer-securityk8s-api-serverkubernetes-security+3
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Auditing Kubernetes RBAC Privilege Escalation

Find over-permissive RBAC roles and service-account token abuse paths in Kubernetes using kubectl auth can-i, rbac-police, kubectl-who-can, and rakkess during authorized cluster security reviews.

Container Security
access-controlattack-pathskubectlkubernetes+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Benchmarking Kubernetes with kube-bench

Run CIS Kubernetes Benchmark checks and remediate findings with kube-bench.

Container Security
cis-benchmarkcluster-securitycompliancecontainer-security+3
ATT&CK, 1 mappingNIST CSF, 1 mapping
cybersecuritySkill

Detecting Container Drift at Runtime

Detect unauthorized modifications to running containers by monitoring for binary execution drift, file system changes, and configuration deviations from the original container image.

Container Security
container-driftcontainer-securitydrift-detectionfalco+4
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Detecting Container Escape Attempts

Container escape is a critical attack technique where an adversary breaks out of container isolation to access the host system or other containers. Detection involves monitoring for escape indicators such as namespace manipulation, capability abuse, kernel exploits, mounted sensitive paths, and anomalous syscall patterns using runtime security tools like Falco, Sysdig, and custom seccomp/audit rules.

Container Security
containersdockerescape-detectionkubernetes+2
ATT&CK, 7 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Container Escape with Falco Rules

Detect container escape attempts in real-time using Falco runtime security rules that monitor syscalls, file access, and privilege escalation.

Container Security
container-escapedetectionfalcokubernetes+2
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Detecting Container Runtime Threats with Falco

Write and deploy Falco rules with the modern eBPF driver to detect container escape, namespace abuse, privileged mounts, and anomalous syscalls at runtime in Kubernetes and Docker.

Container Security
container-escapedetection-engineeringebpffalco+4
ATT&CK, 5 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Detecting Privilege Escalation in Kubernetes Pods

Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.

Container Security
capabilitiesdetectionkubernetespod-security+2
ATT&CK, 8 mappingsNIST CSF, 4 mappingsD3FEND, 5 mappings
cybersecuritySkill

Escaping Containers to Host

Exploit privileged pods, host mounts, runC CVEs, and exposed Docker sockets to break out of a container and reach the underlying host during authorized container-security assessments.

Container Security
breakoutcontainer-escapedocker-sockethost-mount+4
ATT&CK, 4 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Hardening Docker Containers for Production

Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce least-privilege principles across Docker daemon, images, containers, and runtime configurations.

Container Security
cis-benchmarkcontainersdockerhardening+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Hardening Docker Daemon Configuration

Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless mode, and CIS benchmark controls.

Container Security
cis-benchmarkcontainer-securitydaemon-hardeningdocker+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Container Image Minimal Base with Distroless

Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.

Container Security
attack-surfacecontainer-imagesdistrolessdocker+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Container Network Policies with Calico

Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control pod-to-pod traffic, restrict egress, and implement zero-trust microsegmentation.

Container Security
calicocnicontainer-securitykubernetes+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Image Provenance Verification with Cosign

Sign and verify container image provenance using Sigstore Cosign with keyless OIDC-based signing, attestations, and Kubernetes admission enforcement.

Container Security
cosignimage-signingkeylessprovenance+3
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Kubernetes Network Policy with Calico

Implement Kubernetes network segmentation using Calico NetworkPolicy and GlobalNetworkPolicy for zero-trust pod-to-pod communication.

Container Security
calicocnikubernetesnetwork-policy+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Kubernetes Pod Security Standards

Pod Security Standards (PSS) define three levels of security policies -- Privileged, Baseline, and Restricted -- enforced by the Pod Security Admission (PSA) controller built into Kubernetes 1.25+. PSA replaces the deprecated PodSecurityPolicy and provides namespace-level enforcement with three modes: enforce, audit, and warn.

Container Security
containerskubernetespod-securitypsa+1
ATT&CK, 6 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Network Policies for Kubernetes

Kubernetes NetworkPolicies provide pod-level network segmentation by defining ingress and egress rules that control traffic flow between pods, namespaces, and external endpoints. Combined with CNI plugins like Calico or Cilium, network policies enforce zero-trust microsegmentation to prevent lateral movement within the cluster.

Container Security
containerskubernetesmicrosegmentationnetwork-policies+1
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing OPA Gatekeeper for Policy Enforcement

Enforce Kubernetes admission policies using OPA Gatekeeper with ConstraintTemplates, Rego rules, and the Gatekeeper policy library.

Container Security
admission-controlgatekeeperkubernetesopa+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Pod Security Admission Controller

Implement Kubernetes Pod Security Admission to enforce baseline and restricted security profiles at namespace level using built-in admission controller.

Container Security
admission-controllerkubernetespod-security-admissionpod-security-standards+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing RBAC Hardening for Kubernetes

Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings, eliminating cluster-admin sprawl, and integrating external identity providers.

Container Security
access-controliamkubernetesleast-privilege+4
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Implementing Runtime Security with Tetragon

Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon for kernel-level threat detection and policy enforcement.

Container Security
ciliumcncfcontainer-securityebpf+5
ATT&CK, 7 mappingsNIST CSF, 4 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Implementing Supply Chain Security with in-toto

Implement software supply chain integrity verification for container builds using the in-toto framework to create cryptographically signed attestations across CI/CD pipeline steps.

Container Security
attestationcncfcontainer-securityin-toto+5
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Container Escape Detection

Detects container escape attempts by analyzing namespace configurations, privileged container checks, dangerous capability assignments, and host path mounts using the kubernetes Python client. Identifies CVE-2022-0492 style escapes via cgroup abuse. Use when auditing container security posture or investigating escape attempts.

Container Security
container-escapecontainer-securitylinux-capabilitiesnamespace-analysis+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Container Security Scanning with Trivy

Scan container images, filesystems, and Kubernetes manifests for vulnerabilities, misconfigurations, exposed secrets, and license compliance issues using Aqua Security Trivy with SBOM generation and CI/CD integration.

Container Security
container-securitydevsecopsdockerkubernetes+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Docker Bench Security Assessment

Docker Bench for Security is an open-source script that checks dozens of common best practices around deploying Docker containers in production. Based on the CIS Docker Benchmark, it audits host configuration, Docker daemon settings, container images, runtime configurations, and security operations to generate a compliance report with pass/fail/warn results.

Container Security
assessmentcis-benchmarkcontainersdocker+1
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Kubernetes CIS Benchmark with kube-bench

Audit Kubernetes cluster security posture against CIS benchmarks using kube-bench with automated checks for control plane, worker nodes, and RBAC.

Container Security
aquasecuritycis-benchmarkcompliancehardening+2
ATT&CK, 4 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Kubernetes etcd Security Assessment

Assess the security posture of Kubernetes etcd clusters by evaluating encryption at rest, TLS configuration, access controls, backup encryption, and network isolation.

Container Security
backupcontrol-planeencryptionetcd+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Performing Kubernetes Penetration Testing

Kubernetes penetration testing systematically evaluates cluster security by simulating attacker techniques against the API server, kubelet, etcd, pods, RBAC, network policies, and secrets. Using tools like kube-hunter, Kubescape, peirates, and manual kubectl exploitation, testers identify misconfigurations that could lead to cluster compromise.

Container Security
containerskubernetesoffensive-securitypenetration-testing+1
ATT&CK, 7 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Scanning Container Images with Grype

Scan container images for known vulnerabilities using Anchore Grype with SBOM-based matching and configurable severity thresholds.

Container Security
anchorecontainer-securitygrypesbom+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Scanning Docker Images with Trivy

Trivy is a comprehensive open-source vulnerability scanner by Aqua Security that detects vulnerabilities in OS packages, language-specific dependencies, misconfigurations, secrets, and license violations within container images. It integrates into CI/CD pipelines and supports multiple output formats including SARIF, CycloneDX, and SPDX.

Container Security
containersdockersecuritytrivy+1
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Scanning Kubernetes Manifests with Kubesec

Perform security risk analysis on Kubernetes resource manifests using Kubesec to identify misconfigurations, privilege escalation risks, and deviations from security best practices.

Container Security
ci-cddevsecopskuberneteskubesec+4
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing Container Registry with Harbor

Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replication, and audit logging. Securing Harbor involves configuring these features to enforce image provenance, prevent vulnerable image deployment, and maintain registry access control.

Container Security
containersdockerharborkubernetes+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings
cybersecuritySkill

Securing Helm Chart Deployments

Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing security contexts in Kubernetes releases.

Container Security
chart-securityconfiguration-securitydeploymenthelm+2
ATT&CK, 5 mappingsNIST CSF, 4 mappings