Dockle vs kube-hunter
GitHub Stats
About Dockle
Dockle is a container image linter for security, helping build the best practice Docker/OCI image. It checks built container images for security issues and best practice violations based on the CIS Docker Benchmark and additional security checks. Unlike Dockerfile linters that only analyze the build instructions, Dockle inspects the actual built image, catching issues like credentials left in image layers, unnecessary setuid/setgid binaries, missing USER directives (running as root), writable executables, and unused environment variables containing secrets. Dockle outputs clear, actionable findings with severity levels (FATAL, WARN, INFO) and references to CIS benchmark sections. It integrates easily into CI/CD pipelines, supports JSON output for automation, and can be configured with an ignore file for accepted risks. Dockle fills the gap between Dockerfile linting (like Hadolint) and runtime scanning (like Falco).
About kube-hunter
kube-hunter is an open-source tool from Aqua Security that hunts for security weaknesses in Kubernetes clusters. It can run from outside the cluster (remote scanning), from a machine inside the network, or as a pod within the cluster itself to simulate different attacker perspectives. kube-hunter checks for a wide range of vulnerabilities including exposed API servers, kubelet API access, etcd access, privilege escalation paths, container escape vectors, and misconfigurations in RBAC, network policies, and pod security. Each finding includes a severity rating, description, and remediation guidance. The tool generates reports in JSON, YAML, or human-readable formats, making it easy to integrate into CI/CD pipelines or compliance workflows. kube-hunter is particularly valuable for security teams validating the hardening of their Kubernetes deployments.
Platform Support
Tags
Dockle only
kube-hunter only