$39
Container Security Toolkit
Dockerfile linting, image scanning configs, runtime security policies, and Kubernetes admission controllers.
Tags: YAML, Shell, JSON, Markdown, Docker, Kubernetes, GitHub Actions, CI/CD
File Structure (21 files)
container-security-toolkit/
├── LICENSE
├── README.md
├── dockerfiles/
│ ├── go-secure.Dockerfile
│ ├── java-secure.Dockerfile
│ ├── node-secure.Dockerfile
│ └── python-secure.Dockerfile
├── guides/
│ └── container-security-guide.md
├── policies/
│ ├── kyverno/
│ │ ├── require-image-digest.yaml
│ │ ├── require-non-root.yaml
│ │ └── require-resource-limits.yaml
│ └── opa/
│ ├── dockerfile-policy.rego
│ └── k8s-pod-security.rego
├── runtime/
│ ├── apparmor-profile
│ └── seccomp-profile.json
├── scanners/
│ ├── grype.yaml
│ ├── hadolint.yaml
│ └── trivy.yaml
├── scripts/
│ ├── audit-runtime.sh
│ └── scan-image.sh
└── workflows/
└── container-security.yml
Documentation Preview (README excerpt)
Container Security Toolkit
Harden, scan, and enforce security policies across your container infrastructure.
Datanest Digital — datanest.dev
---
What You Get
- 4 Hardened Dockerfiles — Multi-stage builds for Python, Node.js, Go, and Java with non-root users, minimal base images, and security best practices
- 3 Scanner Configurations — Pre-tuned configs for Trivy, Hadolint, and Grype vulnerability scanners
- 2 OPA Policies — Rego policies for Dockerfile best practices and Kubernetes pod security
- 3 Kyverno Policies — Cluster policies enforcing non-root, resource limits, and image digests
- 2 Runtime Profiles — Seccomp and AppArmor profiles restricting dangerous syscalls
- 2 Automation Scripts — Image scanning and runtime auditing scripts for CI/CD
- 1 GitHub Actions Workflow — Complete container security pipeline
- 1 Comprehensive Guide — Container security from build to runtime
File Structure
container-security-toolkit/
├── README.md
├── manifest.json
├── LICENSE
├── dockerfiles/
│ ├── python-secure.Dockerfile
│ ├── node-secure.Dockerfile
│ ├── go-secure.Dockerfile
│ └── java-secure.Dockerfile
├── scanners/
│ ├── trivy.yaml
│ ├── hadolint.yaml
│ └── grype.yaml
├── policies/
│ ├── opa/
│ │ ├── dockerfile-policy.rego
│ │ └── k8s-pod-security.rego
│ └── kyverno/
│ ├── require-non-root.yaml
│ ├── require-resource-limits.yaml
│ └── require-image-digest.yaml
├── runtime/
│ ├── seccomp-profile.json
│ └── apparmor-profile
├── scripts/
│ ├── scan-image.sh
│ └── audit-runtime.sh
├── workflows/
│ └── container-security.yml
└── guides/
└── container-security-guide.md
Getting Started
1. Build a Hardened Image
*... continues with setup instructions, usage examples, and more.*
Code Sample (.yml preview)
workflows/container-security.yml
# ============================================================================
# GitHub Actions: Container Security Pipeline
# ============================================================================
# Datanest Digital — datanest.dev
# ============================================================================
name: Container Security

on:
  push:
    branches: [main, develop]
    # Only run when Dockerfiles or this workflow change
    paths:
      - "Dockerfile*"
      - "dockerfiles/**"
      - ".github/workflows/container-security.yml"
  pull_request:
    branches: [main]
    paths:
      - "Dockerfile*"
      - "dockerfiles/**"

# Least-privilege token: read the repo, write scan results to code scanning,
# and push images to the package registry
permissions:
  contents: read
  security-events: write
  packages: write

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  # ── Stage 1: Lint Dockerfiles ─────────────────────────────────────────────
  lint:
    name: Lint Dockerfiles
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          config: scanners/hadolint.yaml
          format: sarif
          output-file: hadolint-results.sarif
          # Do not fail the job here; findings are surfaced via the SARIF upload below
          no-fail: true

      - name: Upload Hadolint SARIF
        uses: github/codeql-action/upload-sarif@v3
        # Upload results even when the lint step reports findings
        if: always()
        # ... 164 more lines ...