[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-container-security-en":3,"seo:pack:container-security:en":65},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":64},"container-security","🔒","#991B1B","stable","Stable","Container Security","Harbor registry, Grype + Syft scanners, Checkov IaC linter, CrowdSec, Cilium eBPF — patch your supply chain before someone else does.",[16,28,36,43,50,57],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},970,"c9f4655f-353d-11f1-9bc6-00163e2b0d79","harbor-cloud-native-trusted-container-registry-c9f4655f","Harbor — Cloud Native Trusted Container Registry","Harbor is a CNCF-graduated open-source container registry that stores, signs, and scans container images. Vulnerability scanning, RBAC, replication, and OCI support.","Script Depot",318,0,"en","skill","Skill",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1198,"87aec817-372b-11f1-9bc6-00163e2b0d79","grype-container-image-vulnerability-scanner-87aec817","Grype — Container Image Vulnerability Scanner","Grype is a vulnerability scanner for container images and filesystems. \nIt matches installed packages against vulnerability databases (CVE, GHSA) to identify known security issues — essential for securing your container supply chain.","AI Open Source",297,{"id":37,"uuid":38,"slug":39,"title":40,"description":41,"author_name":22,"view_count":42,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1199,"87cf1b00-372b-11f1-9bc6-00163e2b0d79","syft-generate-software-bill-materials-container-images-87cf1b00","Syft — Generate Software Bill of Materials from Container Images","Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.",296,{"id":44,"uuid":45,"slug":46,"title":47,"description":48,"author_name":22,"view_count":49,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1425,"accdd5bb-38fa-11f1-9bc6-00163e2b0d79","checkov-static-security-scanning-iac-containers-accdd5bb","Checkov — Static Security Scanning for IaC and Containers","Checkov is a Bridgecrew static-analysis tool that scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and more for misconfigurations and policy violations before anything is deployed.",311,{"id":51,"uuid":52,"slug":53,"title":54,"description":55,"author_name":34,"view_count":56,"vote_count":24,"lang_type":25,"type":26,"type_label":27},949,"ed64dcb7-34d8-11f1-9bc6-00163e2b0d79","crowdsec-open-source-collaborative-security-engine-ed64dcb7","CrowdSec — Open Source Collaborative Security Engine","CrowdSec is a collaborative security engine that analyzes logs, detects attacks, and shares threat intelligence. \nLike fail2ban but with crowd-sourced IP reputation and modern architecture.",282,{"id":58,"uuid":59,"slug":60,"title":61,"description":62,"author_name":34,"view_count":63,"vote_count":24,"lang_type":25,"type":26,"type_label":27},969,"30500e42-3535-11f1-9bc6-00163e2b0d79","cilium-ebpf-powered-cloud-native-networking-security-30500e42","Cilium — eBPF-Powered Cloud Native Networking & Security","Cilium provides high-performance networking, observability, and security for Kubernetes using eBPF. CNI plugin, service mesh, and network policy — all kernel-level.",299,"tokrepo install pack\u002Fcontainer-security",{"pageType":66,"pageKey":8,"locale":25,"title":67,"metaDescription":68,"h1":13,"tldr":69,"bodyMarkdown":70,"faq":71,"schema":87,"internalLinks":96,"citations":109,"wordCount":122,"generatedAt":123},"pack","Container Security Pack: Harbor, Grype, Checkov, Cilium","Open-source container security pack: Harbor registry, Grype + Syft scanners, Checkov IaC linter, CrowdSec runtime defense, Cilium eBPF. Install via TokRepo.","Six open-source tools that cover the four layers of container supply-chain risk: registry, image scan, IaC config, and runtime. One-command install via TokRepo CLI.","## What's in this pack\n\nThis pack assembles the **six open-source tools** most teams converge on after dropping commercial container-security platforms. \nTogether they cover registry storage, image scanning, infra-as-code linting, and runtime defense — the four layers that show up in every supply-chain breach post-mortem.\n\n| # | Asset | Layer | Why it's here |\n|---|---|---|---|\n| 1 | Harbor | Registry | CNCF graduated registry with built-in scan, signing, replication |\n| 2 | Grype | Image scan | Vulnerability scanner that reads OCI images directly |\n| 3 | Syft | SBOM | Generates Software Bill of Materials for any image or filesystem |\n| 4 | Checkov | IaC | Lints Terraform, Kubernetes, Helm, CloudFormation against 1000+ policies |\n| 5 | CrowdSec | Runtime | Behavioral detection + crowd-sourced blocklist for live traffic |\n| 6 | Cilium | Network | eBPF-based networking, NetworkPolicy enforcement, Hubble observability |\n\nThe split matters: registry without scan is theater, scan without SBOM gives you CVE numbers but no remediation surface, runtime without network policy can detect intrusion but can't contain blast radius.\n\n## Why container security matters now\n\nThe 2024-2025 wave of supply-chain incidents (xz-utils, polyfill.io, npm worm campaigns) made one thing concrete: the binary you ship is the sum of every dependency you didn't audit. A modern container image pulls from base OS, language runtime, app layer, and build tooling — four supply chains stacked on each other. The cost of one compromised transitive dep is the same whether you're a 5-person startup or a Fortune 500.\n\nCommercial scanners (Snyk, Wiz, Aqua) work, but they want $30-100 per node per month and ship telemetry to their cloud. \nThe open-source pack here delivers:\n\n- **Pre-merge IaC scanning** (Checkov in CI catches misconfigured S3 buckets, missing securityContext, exposed secrets before review)\n- **Post-build image scanning** (Grype + Syft on every push to Harbor — fail the build if CVSS ≥ 7)\n- **Runtime defense** (CrowdSec ingests nginx\u002FTraefik logs and shares attacker IPs with 100k+ peers)\n- **Network containment** (Cilium NetworkPolicy means a compromised pod can't pivot to your DB)\n\n## Install in one command\n\n```bash\n# Install the entire pack into the current project\ntokrepo install pack\u002Fcontainer-security\n\n# Or pick individual assets\ntokrepo install grype\ntokrepo install checkov\n```\n\nThe TokRepo CLI writes scanner configs, CI job templates, and Helm value snippets into your repo. Each asset's page documents the actual flags Anchore, Bridgecrew, Isovalent, and the Harbor team recommend for production.\n\n## Common pitfalls\n\n- **Running Grype against `latest` tags only.** Pin to digests in production manifests; `latest` drifts and your scan history becomes meaningless.\n- **Treating CVSS score as priority.** A CVSS 9.8 in a dev-only base image you never expose is lower priority than a CVSS 6.5 in your edge proxy. Combine Grype output with reachability analysis from your runtime.\n- **Skipping SBOM generation.** When the next xz-style backdoor lands, the teams that already have Syft SBOMs in artifact storage answer \"are we exposed?\" in minutes. Teams without SBOMs spend a week.\n- **Checkov as the only IaC gate.** Checkov is excellent at known-bad-pattern detection but won't catch business-logic security (e.g. an IAM role that's technically valid but grants too much). Pair with `tfsec` or OPA for the second pass.\n- **CrowdSec without scenarios review.** Default scenarios block obvious attackers but can false-positive on aggressive crawlers. \nTune `parsers\u002Fscenarios` or you'll block your own monitoring.\n\n## A typical day with this stack\n\nA representative pipeline using these six tools looks like this. Developer pushes a feature branch. CI runs `checkov -d terraform\u002F` and `checkov -d k8s\u002F` first — fail-fast on misconfigured manifests before anything builds. Build job produces an OCI image and pushes it to Harbor; a Harbor webhook triggers `grype harbor.example.com\u002Fteam\u002Fapp:sha-abc123` and stores the JSON report. A nightly job re-runs Grype against the SBOMs in artifact storage so newly disclosed CVEs surface against last week's images automatically.\n\nIn production, every node runs the CrowdSec agent. The agent watches access logs, classifies suspicious patterns (credential stuffing, SQL injection probes, scraper bursts), and pushes verdicts to a local API that nginx + Traefik query. Cilium runs as the CNI; NetworkPolicies are versioned in the same repo as application code, and `cilium connectivity test` is part of every cluster bootstrap. Hubble flows are sampled to a long-term store so post-incident forensics has the data ready.\n\n## When this pack alone isn't enough\n\nIf you run on Kubernetes at scale, layer in **Falco** for syscall-level runtime detection (it's the OG runtime tool — Cilium's Tetragon now overlaps but Falco's rule corpus is larger). For secrets specifically, add **Vault** or **Infisical** — neither is in this pack because secrets management is a different problem space. For supply-chain provenance (who built this image, on what runner), look at **Sigstore** + **in-toto** attestations; Harbor supports cosign signing natively, so the path is short. For compliance reports auditors actually accept, pipe Grype + Checkov JSON into **DefectDojo** to get a vulnerability management UI on top of the raw findings.",[72,75,78,81,84],{"q":73,"a":74},"Is this pack free to run end-to-end?","Yes. \nEvery tool in the pack is open source under permissive licenses (Apache 2.0 or MIT). You'll need compute for Harbor (registry storage scales with image count) and a Postgres for Harbor's metadata, but no per-seat licensing. CrowdSec offers a paid tier for centralized console, but the agent + community blocklists are free and that's the load-bearing part.",{"q":76,"a":77},"How does this compare to Snyk Container or Wiz?","Snyk and Wiz add a managed UI, vendor-curated CVE prioritization, and SOC 2 compliance reports. The pack here gives you the same scanning depth (Grype's vulnerability database is sourced from the same NVD + GHSA feeds) at zero per-node cost, but you build the dashboard yourself or pipe results to Grafana \u002F DefectDojo. Pick managed if compliance reporting is the bottleneck; pick this pack if engineering time and self-hosting are cheaper than seat fees.",{"q":79,"a":80},"Will this work with Claude Code or Cursor for automated remediation?","Yes. Claude Code can run `grype \u003Cimage>` and `checkov -d .` directly, parse the JSON output, and propose patches as PRs. The TokRepo asset pages include subagent prompts that wire Grype + Checkov into a `security-fix` slash command. Cursor users get the same via custom rules — both surfaces are documented per-asset.",{"q":82,"a":83},"What's the difference between Grype and Syft?","Syft generates an SBOM — the inventory of every package in your image. Grype takes that SBOM (or scans an image directly) and matches each package against vulnerability databases. You almost always run them together: Syft once at build time, Grype on a schedule against the SBOM (cheap) plus on every new push (catches new CVEs in old images).",{"q":85,"a":86},"Operational gotcha when rolling Cilium out?","Cilium replaces kube-proxy by default in many install paths, and migrating from a running cluster needs care — DNS resolution can break during the cutover if hostNetwork pods aren't accounted for. \nUse Cilium's `--kube-proxy-replacement=partial` mode first, validate with `cilium connectivity test`, then go to `strict`. Don't enable Hubble UI on a public ingress unless you front it with auth.",{"@context":88,"@type":89,"name":13,"description":90,"numberOfItems":91,"publisher":92},"https:\u002F\u002Fschema.org","CollectionPage","Open-source registry, vulnerability scanners, IaC linter and runtime defense for the container supply chain.",6,{"@type":93,"name":94,"url":95},"Organization","TokRepo","https:\u002F\u002Ftokrepo.com",[97,101,105],{"url":98,"anchor":99,"reason":100},"\u002Fen\u002Fpacks\u002Fpostgres-for-agents","Postgres for AI Agents","secure data layer pairing with hardened containers",{"url":102,"anchor":103,"reason":104},"\u002Fen\u002Fpacks\u002Fworkflow-orchestration","Workflow Orchestration","scan jobs run as scheduled pipelines",{"url":106,"anchor":107,"reason":108},"\u002Fen\u002Ftools\u002Fclaude-code","Claude Code","agent that drives the scan + patch loop",[110,114,118],{"claim":111,"source_name":112,"source_url":113},"Harbor is a CNCF graduated project providing a secure registry for container images and artifacts","Harbor (CNCF)","https:\u002F\u002Fgoharbor.io",{"claim":115,"source_name":116,"source_url":117},"Grype scans container images and filesystems for vulnerabilities; Syft generates SBOMs","anchore\u002Fgrype","https:\u002F\u002Fgithub.com\u002Fanchore\u002Fgrype",{"claim":119,"source_name":120,"source_url":121},"Cilium provides eBPF-based networking, observability, and security for cloud-native workloads","cilium\u002Fcilium","https:\u002F\u002Fgithub.com\u002Fcilium\u002Fcilium",835,"2026-05-02T15:00:00Z"]