
Dockle vs Falco

GitHub Stats

              Dockle       Falco
Stars         3.2k         8.8k
Forks         162          1.0k
Issues        41           58
Updated       3d ago       5d ago
License       Apache-2.0   Apache-2.0
Language      Go           C++

About Dockle

Dockle is a container image linter for security that helps build best-practice Docker/OCI images. It checks built container images for security issues and best-practice violations based on the CIS Docker Benchmark and additional security checks. Unlike Dockerfile linters, which only analyze the build instructions, Dockle inspects the actual built image, catching issues such as credentials left in image layers, unnecessary setuid/setgid binaries, a missing USER directive (running as root), writable executables, and environment variables containing secrets. Dockle outputs clear, actionable findings with severity levels (FATAL, WARN, INFO) and references to CIS benchmark sections. It integrates easily into CI/CD pipelines, supports JSON output for automation, and can be configured with an ignore file for accepted risks. Dockle fills the gap between Dockerfile linting (like Hadolint) and runtime scanning (like Falco).

About Falco

Falco is a cloud-native runtime security tool originally created by Sysdig and now a CNCF graduated project. It monitors system calls in real time using eBPF or a kernel module to detect abnormal behavior, intrusions, and data theft in containers, Kubernetes clusters, and Linux hosts. Falco ships with a comprehensive rule set mapped to the MITRE ATT&CK framework, detecting events such as shell spawning in containers, unauthorized process execution, sensitive file access, network connections to suspicious destinations, and privilege escalation attempts. Rules are written in a human-readable YAML format and can be customized to match any organization's security requirements. Falco integrates with Kubernetes admission controllers to enforce security policies at deploy time, and its output can be routed to Slack, PagerDuty, SIEM systems, or any webhook endpoint for alerting.

Platform Support

Dockle: Linux, macOS, Windows
Falco: Linux

Tags

Dockle only

docker, linter, cis-benchmark, best-practices, ci-cd, image-scanning

Falco only

runtime-security, ebpf, kubernetes, container, syscall, cncf, detection