Twistlock 2.0 brings compliance controls to Docker containers


Twistlock, founded by Microsoft alumni, aimed to bring better security to Docker containers by making containers less opaque and more readily monitored. But that was before Docker started developing native security and introspection features.

The latest version of Twistlock, released this week, hints where third-party container security tools are going next: compliance.  

Twistlock 2.0 sports a toolset for regulatory compliance with containerized applications. Its new feature analyzes an organization’s containers and reports back on anything that does not follow rules, such as those defined by HIPAA or PCI. The Explorer provides a rolling 30-day history of an organization’s compliance state for containerized environments, and allows the export of data about violations for use in other tools.

Twistlock CEO Ben Bernstein emphasized that compliance scanning includes vulnerability checks, such as looking for the use of secrets in production, but doesn’t end there. “We allow users to test compliance at three critical locations – the registry, during the CI/CD process, and in production,” he said in an email. Checking for compliance during CI/CD allows users to push back non-compliant items to the developer instead of waiting for them to go to production, he noted.

 to provide container scanning and vulnerability detection for Container Registry and Container Engine. Those services also claimed to be , but Twistlock is promoting its solution as capable of accepting rulesets for most kinds of compliance, using NIST’s for security configuration rules.

This isn’t the first set of container compliance tools on the market. Apcera, for instance, on its platform. But Twistlock is meant to be a more general solution that runs anywhere Docker containers are found, and with a modifiable ruleset for future compliance jobs.

Tools like these are meant to address the hesitancy that legacy IT organizations have about moving to containers. Those with stiff regulatory measures are likely to be slow to adopt any new technology. And while in theory it’s easier to , it’s not always wholly automatic, especially if you’re dealing with your own containerized stack, as opposed to a service that’s been pre-certified.

Twistlock’s compliance feature brings oversight to containerized apps. But it also demonstrates that third-party providers of container software (essentially, anything that’s not Docker) can bring more to the table than just slight variations on already-offered features. By looking at the areas where containers still haven’t made inroads, it’s possible to build products that make containers easier to adopt.