I'm looking to run such a scanner as part of my docker build pipelines, and hopefully this should do the trick. If anyone's aware of similar or alternative tools, please post them as well.
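To show what "running a benchmark-style scanner in a build pipeline" amounts to in practice, here is an added example that is not part of the thread or of the repository under discussion. It is a hypothetical, minimal policy gate written for this post: it reads `docker inspect` JSON (a constructed sample is embedded below), applies a handful of checks in the spirit of the CIS Docker recommendations (privileged mode, running as root, no memory limit, added capabilities, writable root filesystem, mounting the Docker socket), and returns a pass/fail verdict a CI step could act on. The check names are my own; mapping them to specific CIS recommendation numbers is deliberately left out because the numbering changes between benchmark versions.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields the
# checks below read. Two containers: one clearly misconfigured, one hardened.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "constructed-id-1",
        "Name": "/web",
        "Config": {"User": "", "Image": "example/web:latest"},
        "HostConfig": {
            "Privileged": True,
            "Memory": 0,
            "CapAdd": ["SYS_ADMIN"],
            "ReadonlyRootfs": False,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Id": "constructed-id-2",
        "Name": "/api",
        "Config": {"User": "app", "Image": "example/api:1.2"},
        "HostConfig": {
            "Privileged": False,
            "Memory": 268435456,
            "CapAdd": None,
            "ReadonlyRootfs": True,
            "Binds": [],
        },
    },
])

# Host paths that should not be bind-mounted into application containers.
SENSITIVE_HOST_PATHS = {"/var/run/docker.sock", "/", "/etc", "/proc", "/sys"}

# Checks whose presence should fail the build; the rest are reported only.
FAIL_ON = {"privileged", "root-user", "added-capability", "sensitive-mount"}


def check_container(container):
    """Return a list of (check_id, message) findings for one inspect record."""
    findings = []
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}

    if host.get("Privileged"):
        findings.append(("privileged", "container runs in privileged mode"))
    if not cfg.get("User"):
        findings.append(("root-user", "no user set; the process runs as root"))
    if host.get("Memory", 0) == 0:
        findings.append(("no-memory-limit", "no memory limit configured"))
    for cap in host.get("CapAdd") or []:
        findings.append(("added-capability", f"extra capability added: {cap}"))
    if not host.get("ReadonlyRootfs"):
        findings.append(("writable-rootfs", "root filesystem is writable"))
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_HOST_PATHS:
            findings.append(("sensitive-mount", f"sensitive host path mounted: {src}"))
    return findings


def scan(inspect_json):
    """Map container name -> findings for every record in the inspect output."""
    return {c["Name"]: check_container(c) for c in json.loads(inspect_json)}


def pipeline_gate(inspect_json, fail_on=FAIL_ON):
    """Return True when no container has a finding in `fail_on`.

    This is the verdict a CI job would turn into a non-zero exit status.
    """
    results = scan(inspect_json)
    return not any(cid in fail_on for fs in results.values() for cid, _ in fs)


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for check_id, message in findings:
            print(f"  [{check_id}] {message}")
    print("build gate:", "PASS" if pipeline_gate(SAMPLE_INSPECT) else "FAIL")
```

In a real pipeline you would feed this the output of `docker inspect` for the images or containers the build produced, and treat the warn-only checks (memory limit, writable rootfs) as advisory until the team has reviewed which controls actually apply to its workloads.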
Perhaps Pravin Goyal, currently at Cavirin, has had a large part in organizing and authoring the "CIS 1.xx.xx Security Benchmarks", at least per https://www.linkedin.com/pulse/docker-1110-security-benchmar.... The OP git repo claims to be based on these CIS (Center for Internet Security) benchmarks, a.k.a. "best practices", so Pravin might be someone you want to ping.
If you choose to engage Cavirin or use its solution, be sure to do a full POC and make sure your use case and scale are fully covered and the product is reliable; I know there were many quality issues in the past (full disclosure, I worked there for a while). I'm sure there are other vendors or open source projects that can do a much better job in a Docker-specific environment. The CIS content itself probably is golden; the implementation I'd be skeptical about.
Not far behind is the open documentation for the military, DISA STIGs, for Linux and Unix environments. Not sure they have anything for Docker yet, unless you count treating each container like a vanilla Linux or Unix box, and many here know that only gets you so far if you don't understand container system hardening; even CIS controls specific to Docker here are a surprise to me as someone who deployed them for traditional platforms in years past. From experience there is a lot of overlap between both for OS management. The templates and documentation for DoD stuff do not require email signups for PDFs or an expensive org membership for GPO templates for Windows and other nonsense, unlike SANS-affiliated CIS.
Either way, blindly taking these policies, or those from a vendor like Cavirin, who I'm sure are good, is a recipe for disaster when you and/or fellow admins do not review all hundreds of controls and know your environment very well, if previous life experience taught me anything.