[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-container-security-zh":3,"seo:pack:container-security:zh":65},{"code":4,"message":5,"data":6},200,"Operation succeeded",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":64},"container-security","🔒","#991B1B","stable","Stable","Container Security Stack","Harbor registry + Grype\u002FSyft scanners + Checkov IaC checks + CrowdSec + Cilium eBPF: plug supply-chain holes before you get hit.",[16,28,36,43,50,57],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},970,"c9f4655f-353d-11f1-9bc6-00163e2b0d79","harbor-cloud-native-trusted-container-registry-c9f4655f","Harbor — Cloud Native Trusted Container Registry","Harbor is a CNCF-graduated open-source container registry that stores, signs, and scans container images. Vulnerability scanning, RBAC, replication, and OCI support.","Script Depot",318,0,"en","skill","Skill",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1198,"87aec817-372b-11f1-9bc6-00163e2b0d79","grype-container-image-vulnerability-scanner-87aec817","Grype — Container Image Vulnerability Scanner","Grype is a vulnerability scanner for container images and filesystems. It matches installed packages against vulnerability databases (CVE, GHSA) to identify known security issues — essential for securing your container supply chain.","AI Open Source",297,{"id":37,"uuid":38,"slug":39,"title":40,"description":41,"author_name":22,"view_count":42,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1199,"87cf1b00-372b-11f1-9bc6-00163e2b0d79","syft-generate-software-bill-materials-container-images-87cf1b00","Syft — Generate Software Bill of Materials from Container Images","Syft generates Software Bill of Materials (SBOMs) from container images and filesystems. It detects packages across OS and language ecosystems, outputting SPDX, CycloneDX, and custom formats for compliance, vulnerability scanning, and supply chain security.",296,{"id":44,"uuid":45,"slug":46,"title":47,"description":48,"author_name":22,"view_count":49,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1425,"accdd5bb-38fa-11f1-9bc6-00163e2b0d79","checkov-static-security-scanning-iac-containers-accdd5bb","Checkov — Static Security Scanning for IaC and Containers","Checkov is a Bridgecrew static-analysis tool that scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and more for misconfigurations and policy violations before anything is deployed.",311,{"id":51,"uuid":52,"slug":53,"title":54,"description":55,"author_name":34,"view_count":56,"vote_count":24,"lang_type":25,"type":26,"type_label":27},949,"ed64dcb7-34d8-11f1-9bc6-00163e2b0d79","crowdsec-open-source-collaborative-security-engine-ed64dcb7","CrowdSec — Open Source Collaborative Security Engine","CrowdSec is a collaborative security engine that analyzes logs, detects attacks, and shares threat intelligence. Like fail2ban but with crowd-sourced IP reputation and modern architecture.",282,{"id":58,"uuid":59,"slug":60,"title":61,"description":62,"author_name":34,"view_count":63,"vote_count":24,"lang_type":25,"type":26,"type_label":27},969,"30500e42-3535-11f1-9bc6-00163e2b0d79","cilium-ebpf-powered-cloud-native-networking-security-30500e42","Cilium — eBPF-Powered Cloud Native Networking & Security","Cilium provides high-performance networking, observability, and security for Kubernetes using eBPF. CNI plugin, service mesh, and network policy — all kernel-level.",299,"tokrepo install pack\u002Fcontainer-security",{"pageType":66,"pageKey":8,"locale":67,"title":68,"metaDescription":69,"h1":13,"tldr":70,"bodyMarkdown":71,"faq":72,"schema":88,"internalLinks":98,"citations":111,"wordCount":124,"generatedAt":125},"pack","zh","Container Security Stack: Harbor \u002F Grype \u002F Checkov \u002F Cilium, all open source","A six-piece open-source container security stack: Harbor registry + Grype\u002FSyft scanning + Checkov IaC checks + CrowdSec runtime defense + Cilium eBPF networking. One TokRepo command installs all of it.","Six open-source tools cover the four risk layers of the container supply chain: image registry \u002F image scanning \u002F IaC configuration \u002F runtime. One TokRepo CLI command installs all of it.","## What this pack installs\n\nThis pack collects the **six open-source tools** most teams end up deploying after leaving a commercial container security platform. They cover the image registry, image scanning, static checks on infrastructure code, and runtime defense: the four layers that show up in every supply-chain incident post-mortem.\n\n| # | Asset | Layer | Why it is here |\n|---|---|---|---|\n| 1 | Harbor | Image registry | CNCF-graduated registry with built-in scanning \u002F signing \u002F replication |\n| 2 | Grype | Image scanning | Vulnerability scanner that reads OCI images directly |\n| 3 | Syft | SBOM | Generates a software bill of materials for any image \u002F filesystem |\n| 4 | Checkov | IaC checks | 1000+ policies covering Terraform \u002F K8s \u002F Helm \u002F CloudFormation |\n| 5 | CrowdSec | Runtime | Behavioral detection + network-wide shared blocklist |\n| 6 | Cilium | Network | eBPF networking + NetworkPolicy + Hubble observability |\n\nThis division of labor matters: a registry without scanning is decoration; scanning without an SBOM gives you CVE IDs but no way to locate what to fix; a runtime without network policy lets you see an intrusion but not contain the blast radius.\n\n## Why container security, now\n\nThe 2024-2025 supply-chain incidents (xz-utils, polyfill.io, the npm worm) nailed one thing down: the binary you ship is the sum of every dependency you never reviewed. A modern container image pulls in OS base packages, a language runtime, the application layer, and build tools: four supply chains stacked on top of each other. The cost of one poisoned transitive dependency is the same order of magnitude for a five-person startup and a Fortune 500.\n\nCommercial scanners (Snyk \u002F Wiz \u002F Aqua) work, but they cost 30-100 USD per node per month and ship telemetry back to their cloud. What this open-source pack gives you:\n\n- **Pre-merge IaC scanning** (Checkov catches misconfigured S3 buckets, missing securityContext, and plaintext secrets in CI)\n- **Post-build image scanning** (every push to Harbor runs Grype + Syft; CVSS ≥ 7 fails the build)\n- **Runtime defense** (CrowdSec consumes nginx \u002F Traefik logs and shares attacker IPs with 100,000+ nodes)\n- **Network isolation** (Cilium NetworkPolicy keeps a compromised pod from reaching the database)\n\n## Install everything with one command\n\n```bash\n# Install the whole pack into the current project\ntokrepo install pack\u002Fcontainer-security\n\n# Or install a single tool\ntokrepo install grype\ntokrepo install checkov\n```\n\nThe TokRepo CLI writes scanner configuration, CI job templates, and Helm values snippets into your repository. Each asset page carries the production parameters recommended by the Anchore \u002F Bridgecrew \u002F Isovalent \u002F Harbor teams.\n\n## Common pitfalls\n\n- **Scanning only the `latest` tag**. Production manifests must be pinned to a digest; `latest` drifts, and your scan history loses its meaning.\n- **Using CVSS as priority**. A CVSS 9.8 in a dev-only base image ranks below a CVSS 6.5 in your edge proxy. Layer runtime reachability analysis on top of Grype output.\n- **Not generating SBOMs**. When the next xz-grade backdoor lands, teams that already have Syft SBOMs on file answer 'are we exposed?' in minutes; teams that do not spend a week finding out.\n- **Using Checkov as the only IaC gate**. Checkov is good at catching known bad patterns, not business-level security (for example an IAM role that is technically valid but over-privileged). Add `tfsec` or OPA as a second pass.\n- **Not tuning CrowdSec scenarios**. The default scenarios stop obvious attacks but will also hit aggressive crawlers. Leave `parsers\u002Fscenarios` untuned and your own monitoring will get banned.\n\n## When this stack is not enough\n\nLarge-scale K8s rollouts should add **Falco** for syscall-level runtime detection (the earliest runtime tool; Cilium Tetragon now overlaps with it, but Falco's rule library is larger). For dedicated secrets management add **Vault** or **Infisical**; neither is in the pack because secrets management is a separate problem domain. For supply-chain provenance (who built this image, on which runner) look at **Sigstore** + **in-toto** attestations; Harbor natively supports cosign signatures, so the path is short.",[73,76,79,82,85],{"q":74,"a":75},"Does running the whole stack cost anything?","No. Every tool is open source under the Apache 2.0 or MIT license. You need to provision storage for Harbor (scaling with image count) and Postgres for its metadata, but there are no per-seat fees. CrowdSec has a paid central console, but the agent + community blocklist are free, and that is the part doing the heavy lifting.",{"q":77,"a":78},"How does it compare to Snyk Container \u002F Wiz?","What Snyk \u002F Wiz add is a hosted UI, vendor-curated CVE prioritization, and SOC 2 compliance reports. This pack gives scanning of the same depth (Grype's vulnerability database draws on the same NVD + GHSA sources) at zero per-node cost, but you build the dashboard yourself or pipe results into Grafana \u002F DefectDojo. If compliance reporting is the bottleneck, pick the hosted option; if engineering time and self-hosting are cheaper than seat fees, pick this pack.",{"q":80,"a":81},"Can Claude Code \u002F Cursor fix findings automatically?","Yes. Claude Code can run `grype \u003Cimage>` and `checkov -d .` directly, parse the JSON, and produce patches as PRs. The TokRepo asset pages include a subagent prompt for a `security-fix` slash command that chains Grype + Checkov. Cursor users go through custom rules; both are written up per asset.",{"q":83,"a":84},"What is the difference between Grype and Syft?","Syft generates the SBOM: an inventory of every package in the image. Grype takes that SBOM (or scans the image directly) and matches it against vulnerability databases. They are almost always used together: run Syft once at build time, scan the SBOM with Grype on a schedule (cheap), and scan again on every new push (to catch new CVEs in old images).",{"q":86,"a":87},"Operational pitfalls when rolling out Cilium?","In many install paths Cilium replaces kube-proxy by default, so migrating a running cluster needs care: DNS resolution breaks when hostNetwork pods were not accounted for. Start with `--kube-proxy-replacement=partial`, validate with `cilium connectivity test`, then switch to `strict`. Do not expose the Hubble UI directly on a public ingress; put authentication in front of it.",{"@context":89,"@type":90,"name":91,"description":92,"numberOfItems":93,"publisher":94},"https:\u002F\u002Fschema.org","CollectionPage","Container Security","Open-source registry, vulnerability scanners, IaC linter and runtime defense for the container supply chain.",6,{"@type":95,"name":96,"url":97},"Organization","TokRepo","https:\u002F\u002Ftokrepo.com",[99,103,107],{"url":100,"anchor":101,"reason":102},"\u002Fzh\u002Fpacks\u002Fpostgres-for-agents","Postgres for Agent","Data layer to pair with hardened containers",{"url":104,"anchor":105,"reason":106},"\u002Fzh\u002Fpacks\u002Fworkflow-orchestration","Workflow Orchestration","Runs the scheduled scan jobs",{"url":108,"anchor":109,"reason":110},"\u002Fzh\u002Ftools\u002Fclaude-code","Claude Code","The agent driving the scan + fix loop",[112,116,120],{"claim":113,"source_name":114,"source_url":115},"Harbor is a CNCF graduated project providing a secure registry for container images and artifacts","Harbor (CNCF)","https:\u002F\u002Fgoharbor.io",{"claim":117,"source_name":118,"source_url":119},"Grype scans container images and filesystems for vulnerabilities; Syft generates SBOMs","anchore\u002Fgrype","https:\u002F\u002Fgithub.com\u002Fanchore\u002Fgrype",{"claim":121,"source_name":122,"source_url":123},"Cilium provides eBPF-based networking, observability, and security for cloud-native workloads","cilium\u002Fcilium","https:\u002F\u002Fgithub.com\u002Fcilium\u002Fcilium",484,"2026-05-02T15:00:00Z"]