CIS Docker Benchmark, continuously evidenced.
The CIS Docker Benchmark v1.8.0 defines 118 controls covering Docker host configuration, daemon configuration, daemon configuration files, container images and build files, container runtime, Docker security operations, and Docker Swarm. CISGuard's agent runs on Docker hosts (not inside containers), evaluating host-level configuration and per-container runtime properties.
Docker benchmark at a glance.
- Benchmark version: v1.8.0
- Total controls: 118
- Scan type: Agent
- Available tier: All plans
- Category: Container & Orchestration
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- Docker host configuration
- Docker daemon hardening
- Daemon configuration files (permissions, ownership)
- Container image security
- Container runtime (capabilities, AppArmor, SELinux)
- Docker security operations
- Docker Swarm hardening (if applicable)
Docker questions, answered directly.
When should I use the Docker benchmark vs the Kubernetes benchmark?
Use the Docker benchmark for hosts running Docker directly (Docker Compose, Docker Swarm, or bare Docker). Use the Kubernetes benchmark for orchestrated container workloads on Kubernetes clusters. Most production container deployments are on Kubernetes, so the Kubernetes benchmark applies; standalone Docker hosts are typically development or legacy infrastructure.
Does CISGuard scan container images for CIS compliance?
CISGuard validates the runtime properties of running containers (capabilities, security context, AppArmor profile) against the benchmark. For build-time validation of images, the CISGuard CLI integrates into CI/CD as a build-step policy gate that fails the build for any image that does not meet benchmark expectations.
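A worked illustration of the per-container runtime evaluation described above, added here as an example rather than CISGuard's own code: it reads `docker inspect`-style JSON (a constructed, abbreviated sample is embedded) and flags the properties the benchmark's container runtime section covers. The finding ids are local labels, not CIS control numbers, and the field names are Docker's own `docker inspect` keys.

```python
"""CIS Docker Benchmark-style container runtime checks over `docker inspect`
output. Added example, not CISGuard's code; sample records are constructed."""
import json

# Constructed, abbreviated `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "AppArmorProfile": "docker-default",
     "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "ReadonlyRootfs": True, "NetworkMode": "bridge",
                    "PidMode": ""}},
    {"Name": "/debug", "AppArmorProfile": "",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "CapDrop": None, "ReadonlyRootfs": False,
                    "NetworkMode": "host", "PidMode": "host"}},
])

# (finding id, description, predicate that is True when the control FAILS).
# Ids are local labels, not CIS control numbers. The AppArmor check applies
# only where AppArmor is the active LSM; on SELinux hosts `AppArmorProfile`
# is legitimately empty and the SELinux label should be checked instead.
CHECKS = [
    ("privileged", "container runs with --privileged",
     lambda c: c["HostConfig"].get("Privileged", False)),
    ("cap_add", "Linux capabilities added beyond the default set",
     lambda c: bool(c["HostConfig"].get("CapAdd"))),
    ("apparmor", "no AppArmor profile applied",
     lambda c: not c.get("AppArmorProfile")),
    ("root_user", "container runs as root (no user configured)",
     lambda c: c["Config"].get("User", "") in ("", "root", "0")),
    ("host_net", "host network namespace shared",
     lambda c: c["HostConfig"].get("NetworkMode") == "host"),
    ("host_pid", "host PID namespace shared",
     lambda c: c["HostConfig"].get("PidMode") == "host"),
    ("rw_rootfs", "root filesystem is writable",
     lambda c: not c["HostConfig"].get("ReadonlyRootfs", False)),
]

def evaluate(inspect_json: str) -> dict:
    """Map each container name to the ids of the checks it fails (in CHECKS order)."""
    results = {}
    for c in json.loads(inspect_json):
        results[c["Name"].lstrip("/")] = [fid for fid, _, fails in CHECKS if fails(c)]
    return results

if __name__ == "__main__":
    for name, failures in evaluate(SAMPLE_INSPECT).items():
        print(name, "PASS" if not failures else "FAIL: " + ", ".join(failures))
```

Drift detection between scheduled scans amounts to diffing the dict `evaluate` returns against the previous scan's result for the same host.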
How does CISGuard handle Podman and other Docker alternatives?
CISGuard supports Docker, Podman, and containerd runtimes. The benchmark validations are runtime-agnostic where applicable; runtime-specific controls (Docker daemon configuration) apply only where the runtime is Docker. Podman-specific scanning uses the corresponding configuration model.
Want a Docker scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.