Container Security
Harbor registry, Grype + Syft scanners, Checkov IaC linter, CrowdSec, Cilium eBPF — patch your supply chain before someone else does.
What's in this pack
This pack assembles the six open-source tools most teams converge on after dropping commercial container-security platforms. Together they cover registry storage, image scanning, infra-as-code linting, and runtime defense — the four layers that show up in every supply-chain breach post-mortem.
| # | Asset | Layer | Why it's here |
|---|---|---|---|
| 1 | Harbor | Registry | CNCF graduated registry with built-in scan, signing, replication |
| 2 | Grype | Image scan | Vulnerability scanner that reads OCI images directly |
| 3 | Syft | SBOM | Generates Software Bill of Materials for any image or filesystem |
| 4 | Checkov | IaC | Lints Terraform, Kubernetes, Helm, CloudFormation against 1000+ policies |
| 5 | CrowdSec | Runtime | Behavioral detection + crowd-sourced blocklist for live traffic |
| 6 | Cilium | Network | eBPF-based networking, NetworkPolicy enforcement, Hubble observability |
The split matters: registry without scan is theater, scan without SBOM gives you CVE numbers but no remediation surface, runtime without network policy can detect intrusion but can't contain blast radius.
Why container security matters now
The 2024-2025 wave of supply-chain incidents (xz-utils, polyfill.io, npm worm campaigns) made one thing concrete: the binary you ship is the sum of every dependency you didn't audit. A modern container image pulls from base OS, language runtime, app layer, and build tooling — four supply chains stacked on each other. The cost of one compromised transitive dep is the same whether you're a 5-person startup or a Fortune 500.
Commercial scanners (Snyk, Wiz, Aqua) work, but they want $30-100 per node per month and ship telemetry to their cloud. The open-source pack here delivers:
- Pre-merge IaC scanning (Checkov in CI catches misconfigured S3 buckets, missing securityContext, exposed secrets before review)
- Post-build image scanning (Grype + Syft on every push to Harbor — fail the build if CVSS ≥ 7)
- Runtime defense (CrowdSec ingests nginx/Traefik logs and shares attacker IPs with 100k+ peers)
- Network containment (Cilium NetworkPolicy means a compromised pod can't pivot to your DB)
Install in one command
# Install the entire pack into the current project
tokrepo install pack/container-security
# Or pick individual assets
tokrepo install grype
tokrepo install checkov
The TokRepo CLI writes scanner configs, CI job templates, and Helm value snippets into your repo. Each asset's page documents the actual flags Anchore, Bridgecrew, Isovalent, and the Harbor team recommend for production.
Common pitfalls
- Running Grype against
latesttags only. Pin to digests in production manifests;latestdrifts and your scan history becomes meaningless. - Treating CVSS score as priority. A CVSS 9.8 in a dev-only base image you never expose is lower priority than a CVSS 6.5 in your edge proxy. Combine Grype output with reachability analysis from your runtime.
- Skipping SBOM generation. When the next xz-style backdoor lands, the teams that already have Syft SBOMs in artifact storage answer "are we exposed?" in minutes. Teams without SBOMs spend a week.
- Checkov as the only IaC gate. Checkov is excellent at known-bad-pattern detection but won't catch business-logic security (e.g. an IAM role that's technically valid but grants too much). Pair with
tfsecor OPA for the second pass. - CrowdSec without scenarios review. Default scenarios block obvious attackers but can false-positive on aggressive crawlers. Tune
parsers/scenariosor you'll block your own monitoring.
A typical day with this stack
A representative pipeline using these six tools looks like this. Developer pushes a feature branch. CI runs checkov -d terraform/ and checkov -d k8s/ first — fail-fast on misconfigured manifests before anything builds. Build job produces an OCI image and pushes it to Harbor; a Harbor webhook triggers grype harbor.example.com/team/app:sha-abc123 and stores the JSON report. A nightly job re-runs Grype against the SBOMs in artifact storage so newly disclosed CVEs surface against last week's images automatically.
In production, every node runs the CrowdSec agent. The agent watches access logs, classifies suspicious patterns (credential stuffing, SQL injection probes, scraper bursts), and pushes verdicts to a local API that nginx + Traefik query. Cilium runs as the CNI; NetworkPolicies are versioned in the same repo as application code, and cilium connectivity test is part of every cluster bootstrap. Hubble flows are sampled to a long-term store so post-incident forensics has the data ready.
When this pack alone isn't enough
If you run on Kubernetes at scale, layer in Falco for syscall-level runtime detection (it's the OG runtime tool — Cilium's Tetragon now overlaps but Falco's rule corpus is larger). For secrets specifically, add Vault or Infisical — neither is in this pack because secrets management is a different problem space. For supply-chain provenance (who built this image, on what runner), look at Sigstore + in-toto attestations; Harbor supports cosign signing natively, so the path is short. For compliance reports auditors actually accept, pipe Grype + Checkov JSON into DefectDojo to get a vulnerability management UI on top of the raw findings.
6 assets in this pack
Frequently asked questions
Is this pack free to run end-to-end?
Yes. Every tool in the pack is open source under permissive licenses (Apache 2.0 or MIT). You'll need compute for Harbor (registry storage scales with image count) and a Postgres for Harbor's metadata, but no per-seat licensing. CrowdSec offers a paid tier for centralized console, but the agent + community blocklists are free and that's the load-bearing part.
How does this compare to Snyk Container or Wiz?
Snyk and Wiz add a managed UI, vendor-curated CVE prioritization, and SOC 2 compliance reports. The pack here gives you the same scanning depth (Grype's vulnerability database is sourced from the same NVD + GHSA feeds) at zero per-node cost, but you build the dashboard yourself or pipe results to Grafana / DefectDojo. Pick managed if compliance reporting is the bottleneck; pick this pack if engineering time and self-hosting are cheaper than seat fees.
Will this work with Claude Code or Cursor for automated remediation?
Yes. Claude Code can run grype <image> and checkov -d . directly, parse the JSON output, and propose patches as PRs. The TokRepo asset pages include subagent prompts that wire Grype + Checkov into a security-fix slash command. Cursor users get the same via custom rules — both surfaces are documented per-asset.
What's the difference between Grype and Syft?
Syft generates an SBOM — the inventory of every package in your image. Grype takes that SBOM (or scans an image directly) and matches each package against vulnerability databases. You almost always run them together: Syft once at build time, Grype on a schedule against the SBOM (cheap) plus on every new push (catches new CVEs in old images).
Operational gotcha when rolling Cilium out?
Cilium replaces kube-proxy by default in many install paths, and migrating from a running cluster needs care — DNS resolution can break during the cutover if hostNetwork pods aren't accounted for. Use Cilium's --kube-proxy-replacement=partial mode first, validate with cilium connectivity test, then go to strict. Don't enable Hubble UI on a public ingress unless you front it with auth.
12 packs · 80+ hand-picked assets
Browse every curated bundle on the home page
Back to all packs