Container Security Software

Container Security Software Overview

Because containers involve a relatively large number of abstraction layers, they pose a relatively large number of vulnerability issues. Container security (or Kubernetes security) tools scan containers for vulnerabilities and policy violations, and provide remediation. Container security applications provide policy-based orchestration, starting with scanning and discovery for containers and images.


The main goal of most container security tools is to scan container images for vulnerabilities and identify additional security needs for those images. This is particularly crucial for images that come from public sources, but all containers benefit from some external security. Some tools also bundle vulnerability scanning with other application security testing and access control capabilities. They often focus on securing container development processes earlier in the software development lifecycle (SDLC). Some tools can also continue vulnerability scanning and runtime management into production environments. These broader tools overlap more heavily with Runtime Application Self-Protection (RASP) software.


There are many open source point solutions for container security, in addition to paid offerings. Open source container security tools usually focus on scanning containers for common vulnerabilities and exposures. They utilize publicly available lists of known vulnerabilities to identify these risks in container images. Open source container security products can work as a baseline for security, especially if there are in-house resources for managing the tools more proactively. However, they are less likely to be sufficient on their own, and are best used when complemented with other security measures, such as application security testing tools.

Container Security Products

The list of products below is based purely on reviews (sorted from most to least). There is no paid placement and analyst opinions do not influence their rankings.

NGINX

NGINX, a business unit of F5 Networks, powers over 65% of the world's busiest websites and web applications. NGINX started out as an open source web server and reverse proxy, built to be faster and more efficient than Apache. Over the years, NGINX has built a suite of infrastructure…

Tenable.io

Vulnerability management specialist Tenable offers their cloud application and container security platform Tenable.io, a vulnerability management tool that emphasizes visibility of web applications, automatic scanning, and a unified view of cloud infrastructure and possible…

Lacework

Lacework in San Jose delivers security and compliance for the cloud. The Lacework Cloud Security Platform is cloud-native and offered as-a-Service; delivering build-time to run-time threat detection, behavioral anomaly detection, and cloud compliance across multicloud environments,…

Trend Micro Cloud One - Workload Security (formerly Deep Security)

Trend Micro Cloud One Workload Security (formerly Deep Security) is a cloud security software suite, from Trend Micro, for hybrid cloud environments and virtualization security.

Palo Alto Networks Prisma Cloud

Prisma Cloud, from Palo Alto Networks (based on technology acquired with Evident.io, or the Evident Security Platform) is presented as a comprehensive Cloud Native Security Platform (CNSP) that delivers full lifecycle security and full stack protection for multi- and hybrid-cloud…

Aptible Deploy

Aptible Deploy (formerly Aptible Enclave) is a container orchestration platform built for developers that automates security best practices and controls needed for deploying and scaling Dockerized apps in regulated industries. Aptible Deploy is ISO 27001-certified and can be used…

Threat Stack Cloud Security Platform

Threat Stack is a cloud security option from the company of the same name in Boston, Massachusetts, providing vulnerability assessments of cloud assets, container security, and other features.

NGINX Plus

NGINX Plus is presented as a cloud‑native, easy-to-use reverse proxy, load balancer, and API gateway, from F5.

CipherTrust Container Security (formerly Vormetric)

Encryption and data protection specialist Thales eSecurity, headquartered in San Jose, offers CipherTrust Container Security (formerly Vormetric), encrypting and securing access to containerized applications and data.

BMC Helix Cloud Security (formerly TrueSight Cloud Security)

Designed for the cloud, in the cloud, BMC Helix Cloud Security (formerly TrueSight Cloud Security) is designed to take the pain out of security and compliance for cloud resources and containers. The product provides cloud security scoring and remediation for public cloud services…

IBM Cloud Data Shield

IBM Cloud™ Data Shield enables users to run containerized applications in a secure enclave on an IBM Cloud Kubernetes host, providing data-in-use protection.

StackRox

StackRox, headquartered in Mountain View, offers their containerized, cloud-app security platform for monitoring container access and privileges, and locating and eliminating potential vulnerabilities in containerized app infrastructure.

NGINX Ingress Controller

NGINX Ingress Controller is a traffic management solution for cloud‑native apps in Kubernetes and containerized environments.

DivvyCloud, by Rapid7

DivvyCloud protects cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges by using automation and real-time remediation to ensure continuous security and compliance. Rapid7 announced their intent to acquire DivvyCloud in April 2020.

Jetstack Preflight

Jetstack Preflight helps users understand their Kubernetes environments by constantly scanning for mis-configurations that may be opening security holes, causing costly excess resource usage or making a cluster harder to maintain. Preflight checks the environment against policy rules,…

cert-manager

cert-manager is open source software for machine identity automation in cloud native environments. It aims to make it easy for developers to secure applications in Kubernetes and OpenShift platforms, automating X.509 certificate issuance and renewal from a certificate provider…

Confluera

Confluera, an XDR platform from the company of the same name in Palo Alto, tracks and intercepts cyberattacks along its lifecycle in real-time, stitching together live events based on cause and effect instead of correlating past events after the breach.

Capsule8, now part of Sophos

Capsule8 from Sophos (acquired 2021) provides attack protection for enterprise Linux -- whether containerized, virtualized, or bare metal. It is an EDR solution the vendor presents as performant and purpose built Linux detection that protects against threats, provides consistent…

Alcide, from Rapid7

Alcide is a Kubernetes security solution acquired by Rapid7 in February 2021. It enables DevOps teams to drive security guardrails to their CI/CD pipelines, and security teams to continuously secure and protect their growing Kubernetes deployments.

Qualys Container Security (CS)

Cloud security company Qualys offers the Qualys Container Security (CS) application.

Sonatype Nexus Platform

The Sonatype Nexus Platform is a software composition analysis tool that scans to build a repository of components, and then checks security and licensing to ensure compliance. Sonatype acquired MuseDev in March 2021 to expand the capabilities of the Nexus platform. Current modules…

Sysdig Secure DevOps Platform

Sysdig headquartered in San Francisco offers the Sysdig Platform, providing end-to-end container vulnerability management, threat blocking, and container application security.

Trend Micro Deep Security Smart Check

The Trend Micro Deep Security Smart Check for container security helps DevOps teams adopt frictionless security with immediate, continuous scanning for threats, vulnerabilities, and secrets, as well as provides dashboard visibility, notifications, and scanning logs for compliance…

Symantec Data Center Security

Docker containers make it easy to develop, deploy, and deliver applications where containers can be deployed and brought down in a matter of seconds. This flexibility makes it very useful for DevOps to automate deployment of containers. Symantec Data Center Security: Server Advanced…

Aqua Cloud Native Security Platform

Aqua Security headquartered in Tel Aviv offers the Aqua Cloud Native Security Platform, providing full lifecycle security for server-less containerized applications.

Learn More About Container Security Software


Features of Container Security Tools

Container security software provides the following features:

  • Full container stack scanning

  • View metadata for containers and images

  • Image vulnerability detection

  • Container application performance tracking

  • Centralized policy management



Container Security Tools Comparison

Consider these factors when comparing container security tools:


  • Paid vs. Open Source: There is a strong open source presence among container security tools. These DIY tools generally focus on vulnerability scanning, which can be sufficient if the business has the in-house resources to run them. However, paid offerings are likely to have more runtime features and a more aggressively maintained vulnerabilities library to scan for.

  • Integration: Some container security tools largely run outside of the container environment itself. However, others are designed to integrate directly into the container orchestration platform. More robust integrations will create numerous efficiencies, but may require more upfront implementation effort.

  • Development vs. Runtime Security: Container security tools will span the spectrum of focus between inserting security into development processes and securing runtime management in production environments. Consider whether the business should utilize one, or both, use cases and narrow the options down to the tools that best align with that set of needs.



Container Security Tools Pricing

Container Security solutions are typically priced per instance at an annual rate. The exact price of the software will depend on the features offered, but businesses can expect to pay at least $500 annually, with prices extending into the thousands for enterprise solutions.

Frequently Asked Questions

What is container security?

Container security is the process of identifying and remediating vulnerabilities in containerized workloads and services, such as Kubernetes-based containers.

Why is container security important?

Container security is important given all of the layers of vulnerabilities that containers can present. Depending on what is in them, containers can present a large attack surface if not properly secured.

Who uses container security tools?

Container security tools are most heavily used by developers, but they are also used by security admins managing production environments.