A Novel Approach to Detect Vulnerability in
Docker Images through the DevSecOps Approach
Mohan Kumar TG Anand Kumar Rai
Nitte Meenakshi Institute of Technology Nitte Meenakshi Institute of Technology Nitte Meenakshi Institute of Technology
Information Science and Engineering Information Science and Engineering
Bengaluru, India Bengaluru, India
[email protected]
[email protected]
[email protected]
Sanjeev S
Nitte Meenakshi Institute of Technology
Information Science and Engineering
Bengaluru, India
[email protected]
[email protected]
Abstract—With the rapid adoption of containerized envi-
ronments for application deployment, ensuring the security of
Docker images has become increasingly critical. The emergence
of DevSecOps, an extension of DevOps that integrates security
into every stage of the software development lifecycle, has led to
the creation of numerous methods and tools aimed at detecting
vulnerabilities in Docker images. This survey delves into the
latest approaches, technologies, and tools used for automated
vulnerability detection in Docker images, with a focus on static
and dynamic analysis, CI/CD pipeline integration, and compli-
ance checks. The paper further identifies existing gaps in the
research and proposes potential future directions, emphasizing
the need for improved tool interoperability, AI-driven analytics,
and scalable security solutions in the context of DevSecOps.
Index Terms—Docker, vulnerabilities, DevSecOps, container
security, CI/CD pipelines, automated vulnerability detection.
I. I NTRODUCTION
The widespread adoption of container technologies such
as Docker has dramatically transformed the way applications
are deployed and managed, offering significant advantages
in scalability, flexibility, and resource optimization. However,
this transition has also introduced unique security challenges,
particularly with respect to Docker images, which serve as the
foundation for containerized environments. To address these
security challenges, DevSecOps integrates security practices
directly into the software development and deployment pro-
cess. This paper presents a comprehensive review of existing
literature on the detection of vulnerabilities in Docker images,
highlighting current tools, methodologies, and best practices
for securing containerized environments. The objective is
to provide a detailed overview of the latest research while
identifying critical gaps and proposing avenues for future
advancements.
II. R EVIEWED S TUDIES AND F INDINGS
A. Assessing Security Risks of Software Supply Chains
Using Software Bill of Materials This study investigates
Niraj Agarwal
Information Science and Engineering
Bengaluru, India
Yashi Sehgal
Nitte Meenakshi Institute of Technology
Information Science and Engineering
Bengaluru, India
the security risks present in the software supply chain by
analyzing Software Bill of Materials (SBOMs) from Docker
images and open-source repositories. The authors focused on
scanning 1,151 SBOMs, utilizing tools like Trivy and Grype
for vulnerability detection. Trivy identified a significantly
higher number of vulnerabilities (309,022) compared to Grype
(43,553), highlighting discrepancies between tools and their
ability to detect vulnerabilities across various layers. The
study emphasizes the importance of consistency in vulnera-
bility detection tools, especially when dealing with complex
dependency trees found in Docker images.
Technologies Used:
• Trivy v0.44.1 and Grype v0.53.1 for vulnerability scanning
• Public databases such as CVE and GHSA for vulnerability
matching
Limitations:
• Inconsistencies between different vulnerability detection
tools lead to diverging reports.
• The risk of missing vulnerabilities in transitive dependen-
cies, which could go undetected.
B. Design and Practice of Security Architecture via De-
vSecOps Technology This research explores the integration
of security architecture within DevSecOps, focusing on cloud-
native technologies like Docker and Kubernetes. It proposes
a ten-phase cycle for ensuring security, including threat mod-
eling, runtime protection, and vulnerability identification. By
adopting this comprehensive approach, the study reports im-
proved deployment times and fewer production bugs. However,
it also identifies runtime risks, such as container escape
vulnerabilities, and the increased resource overhead associated
with monitoring and securing containerized environments.
Technologies Used:
• Docker and Kubernetes for container orchestration
• DevSecOps security architecture model
Limitations:
• Runtime risks, particularly container escape threats, remain
a concern.
• Increased resource consumption and potential performance
degradation due to additional security monitoring.
C. Detection, Analysis, and Countermeasures for
Container-Based Misconfiguration Using Docker and
Kubernetes This study introduces the Configuration Check
Model, which identifies and mitigates misconfigurations in
Docker and Kubernetes environments. By using benchmarks
like the CIS Docker Benchmark and OWASP CSVS, the
model offers a structured approach to security assessments
during deployment. However, the research also highlights
challenges such as excessive user permissions and the
complexity of verifying security settings in large-scale
deployments.
Technologies Used:
• CIS Docker Benchmark for security configuration checks
• OWASP CSVS for container security validation
Limitations:
• Risks associated with excessive user permissions can under-
mine security.
• Difficulty in verifying security settings in complex config-
urations, leading to potential gaps in security.
D. Development of Secure Software Based on the New
DevSecOps Technology This paper discusses the integra-
tion of DevSecOps into the software development lifecycle,
specifically addressing the challenges of incorporating security
checks in CI/CD pipelines. The research outlines the benefits
of early vulnerability detection and continuous security vali-
dation throughout development. However, challenges such as
gaps in traditional cybersecurity models and compliance issues
with industry standards are noted, hindering the full realization
of a secure DevSecOps pipeline.
Technologies Used:
• DevSecOps integration within CI/CD pipelines
• Automation of security checks during the development
lifecycle
Limitations:
• Gaps in existing cybersecurity models can lead to missed
vulnerabilities.
• Compliance challenges with industry standards and regula-
tions hinder implementation.
E. DevSecOps: A Security Model for Infrastructure as
Code Over the Cloud This study proposes a security model
for Infrastructure as Code (IaC) using DevSecOps practices.
By integrating tools like Terraform and Ansible into the
IaC workflows, the model automates security tasks such as
vulnerability scanning and configuration management. While
the model proves effective in automating security tasks, it is
limited by its narrow scope and the need for manual oversight
in some areas.
Technologies Used:
• Terraform and Ansible for IaC workflows
• Security automation for configuration management
Limitations:
• Narrow scope of the security model, limiting its applicabil-
ity.
• Manual oversight requirements, reducing the level of au-
tomation.
F. Enhancing DevSecOps: Three Custom Tools for Contin-
uous Security This paper presents three custom tools designed
to enhance DevSecOps capabilities by automating various
aspects of security:
• Bulk Issue Creator (BIC): Automates vulnerability report-
ing to JIRA.
• Version Checker: Identifies outdated components in the
software stack.
• Cloud Cleaner: Manages shared folders to minimize data
exposure.
While these tools improve security efficiency, the study ac-
knowledges challenges related to tool specificity and integra-
tion with existing systems.
Technologies Used:
• Custom tools (BIC, Version Checker, Cloud Cleaner)
• JIRA for issue management
Limitations:
• Tool specificity limits broader application across diverse
environments.
• Integration challenges with existing DevSecOps pipelines
and tools.
G. Framework to Secure Docker Containers This re-
search proposes a security framework specifically designed
for Docker containers, integrating tools such as SonarQube,
Anchore Engine, and Jenkins. The framework aims to provide
comprehensive security measures, from vulnerability scanning
to continuous monitoring. While effective in securing Docker
containers, the framework faces limitations in terms of re-
source overhead and the lack of flexibility in customizing
security policies.
Technologies Used:
• SonarQube for static code analysis
• Anchore Engine for container image scanning
• Jenkins for continuous integration and security monitoring
Limitations:
• High resource overhead, which may impact system perfor-
mance.
• Limited customization options for security policies within
the framework.
H. Implementation of DevSecOps by Integrating Static
and Dynamic Security Testing in CI/CD Pipelines This
study focuses on the integration of static and dynamic security
testing into CI/CD pipelines, using tools such as GitLab
CI/CD, NJSSCAN, and OWASP ZAP. By automating both
static and dynamic analysis, the research aims to enhance
vulnerability detection throughout the development lifecycle.
However, challenges related to scalability and the absence of
AI-driven analytics are noted as limitations in this approach.
Technologies Used:
• GitLab CI/CD for pipeline management
• NJSSCAN and OWASP ZAP for static and dynamic security
testing
Limitations:
• Scalability issues in large projects with complex codebases.
• Lack of AI-driven analytics for more sophisticated vulner-
ability detection.
I. Implementing and Automating Security Scanning to
a DevSecOps CI/CD Pipeline This paper explores the im-
plementation of automated security scanning within a De-
vSecOps CI/CD pipeline. The research focuses on integrating
various security tools, such as OWASP Dependency-Check
and SonarQube, into the pipeline to detect vulnerabilities in
both application code and dependencies. The study highlights
the benefits of early detection and continuous monitoring but
also notes challenges in tool integration and false positive
management.
Technologies Used:
• Jenkins for CI/CD pipeline orchestration
• OWASP Dependency-Check for dependency scanning
• SonarQube for code quality and security analysis
Limitations:
• Complexity in managing and interpreting results from mul-
tiple security tools.
• Potential for false positives leading to alert fatigue among
developers.
J. Improving Substation Network Security with DevSec-
Ops and AIOps This research combines DevSecOps practices
with AIOps to enhance the security of substation networks. By
leveraging AI to detect and respond to security threats dynam-
ically, the study aims to improve real-time threat detection and
response. However, challenges related to adapting to rapidly
evolving threats and ensuring the model’s effectiveness across
different environments remain significant.
Technologies Used:
• AIOps for dynamic threat detection
• GitLab CI/CD and OWASP ZAP for continuous security
validation
Limitations:
• Difficulty in adapting to rapidly evolving threats.
• Potential limitations in the model’s effectiveness across
diverse environments.
K. Native Container Security for Running Applications:
A Review This paper presents a snapshot analysis of con-
tainerization solutions and their security components. It inves-
tigates LXC, LXD, Singularity, Docker, Kata-containers and
gVisor in terms of isolation capability and where it is de-
rived from (namespaces, hypervisor/kernel isolation), network
management (bridges, bandwidth limits), storage (directory,
SIF, BTRFS, LVM, ZFS, OverlayFS, and security measure
in place (cgroups, capabilities, seccomp, AppArmor). Finally,
this paper states that Kata-containers have the best isolation
because of the hypervisor use and LXD as it has the best
network and storage features at a decent security level.
Technologies Used:
• Namespaces, control groups, capabilities, seccomp, AppAr-
mor, hypervisors, Linux bridges, Open vSwitch
• Various file systems such as BTRFS, LVM, ZFS,
OverlayFS, SIF, Docker, LXC, LXD, Singularity, kata-
containers, gVisor, runc, kata-runtime, runsc, OCI specifi-
cations.
Limitations:
• The study bears no performance comparison and is therefore
purely static. It doesn’t address issues related to container
scheduling or the security of applications running on con-
tainers.
• It deals with default settings, and in practice, default settings
are not very often used; instead, users set up their own
configurations.
L. Last Line of Defense: Towards certifying dependable
SCADA networks, we propose to foster cyber threat hunt-
ing with deception in Reliability Through Inducing Cyber
Threat Hunting with Deception in SCADA Networks This
research envisages using cyber deception and the attack kill
chain for an anticipatory threat hunting in SCADA networks. It
employs a ’bating farm’ of mimicked SCADA parts and lures
that lure the attackers into concealing all their TTPs while the
threat hunters gather IOCs from them. This information is then
used to refine threat detection and prevention in real SCADA
network environment. Its idea is based on the goals of the
analysis and setting up the identification of hitherto unknown
threats that cannot be countered by merely using a system of
reactive security steps.
Technologies Used:
• SCADA systems, PLCs, HMIs, RTUs, MTUs, threat hunt-
ing, cyber deception, kill chain, SDN Mininet, Ryu con-
troller, honeypots Honeynet, Nova.
• honeyd, Conpot, lures canary tokens, sandboxes Cuckoo
Sandbox, NM tools RITA, Zeek, Bro, Maltrail, YARA,
STIX, OpenCTI, malleable C.
Limitations:
• Nevertheless, effectiveness of the proposed decoy farm de-
pends on its authenticity to a certain extent. Most advanced
intruders might be able to gauge which one of them is a
decoy among the systems.
• The paper lacks information on the identified procedures
used to evaluate the attacker behavior in the decoy farm and
how this information is used to enhance the defense. The
basic operational processes in the execution of deploying
and managing the decoy farm might have been cumbersome
and resource consuming.
M. Secure Inter-Container Communications Using XD-
P/eBPF In this paper, we explore security concerns in con-
tainer networks, focusing on the inadequacies of using IPs
to manage access and application layer inspection. It pro-
poses, Bastion+, a micro-level solution that enforces stringent
network security per container. A security showcase named
Bastion+ leverages XDP/eBPF to construct a security stack
for each container to make certain that traffic is only allowed
between pairs of containers and can chain select security
capabilities. This also comprises of a security policy assistant
to assist administrators in creation as well as in fine tuning of
the networks policies.
Technologies Used:
• Containers, microservices, Docker, Kubernetes, container
network interface (CNI) plugins (Flannel, Weave, Calico,
Cilium), iptables, network namespaces.
• XDP, eBPF, security policies in the network, implementa-
tion of chaining security functions, API integrated access
control.
Limitations:
• Bastion+ creates extra container network enhancements that
may not be possible in some settings. It was observed
that the performance of the security function chaining is
proportional to the efficiency of the chained functions.
• The security policy assistant is advised and not automated,
and this has implications of needing administrator run.
N. Towards an Understanding of Docker Images and
Performance Consequences on Container Storage Systems
at Scale This research investigates the storage characteristics
of Docker Hub image data contents and has processed an un-
precedented dataset with 167 Terabytes when uncompressed.
It covers the layer and image dimensions, the degree of
compression, the file format and organization of folders more
closely. There are some clear observations out of which one
is the file level redundancy Indeed, 97% of the files are
duplicates. The paper also compares different container storage
drivers in terms of how they perform with small I/O requests
and copy-on-write operations.
Technologies Used:
• Containers, docker, docker hub, ships, layers, storages,
docker registries, container storage drivers: overlay2, de-
vicemapper, zfs, btrfs, Copy on Write (CoW).
• File level deduplication, Gzip, pigz, Lz4 compression,
tmpfs, SSD, HDD, fio, dd, docker archive, tar.
Limitations:
• It should also be noted that the dataset is a date-sliced sam-
ple, and it may not represent the current picture of Docker
Hub. Specifically, the performance evaluation concerns only
small I/Os and, generally, the results may not reflect all
kinds of workloads that can be run in a container.
• The study does not consider the effects of more modern
technologies of storage or enhanced methods of deduplica-
tion.
O. Hyperion: Impact Hardware High-Performance and
Secure System for Container Networks To this end, this pa-
per presents Hyperion, a smartNIC-based network architecture
that offloads container networking to hardware. Hyperion em-
ploys Data plane On-Board-Services on the smartNIC for ser-
vice address translation mapping, eNetwork isolation, and L7
processing. It also contains dynamic optimization mechanism
for changing the container environment also. The evaluation
proves the effectiveness in comparison with software-based
approaches at much higher performance.
Technologies Used:
• Containers, microservices, CN for kubernetes, smartNICs,
NDP, NV for kubernetes, ACL for containers, L7 process-
ing, NP for containers, DP for containers.
• SR-IOV, VXLAN, extended BPF, iptables, Kubernetes,
Docker, Cilium, Istio, Flannel, Nginx, Memcached, wrk2,
mpstat.
Limitations:
• Hyperion needs smartNICs and may not be found in all
deployments. As previously discussed, can Hyperion scale
up as needed? The answer is no – up to the capabilities of
the smartNIC.
• The paper doesn’t explore the matter of smartNIC security
or, for that matter, the safe medium between the smartNIC
and the host.
P. A Hybrid System Call Profiling Model for Container
Protection This paper discusses an innovation to improve the
protection of containers while reducing system call availability.
There is manifest analysis of container images to find all the
might-be-needed system calls, and running containers tracking
to find the used system calls during boot, active use, and
shutdown. Its goal is to establish super-fine-grained seccomp
profiles, which reduce the attack vector as much as possible
while maintaining operability.
Technologies Used:
• Linux containers, Docker, system calls, libc, seccomp, sec-
comp filters, BPF, prctl(), dynamic tracking, static analysis,
objdump, ldd, strace, KProbes.
• Dockerfile, decreased cases of security as well as the other
sorts of openings, attack vulnerability.
Limitations:
• The dynamic profiling may not identify all the system calls
required for special, or novel applications. Some of the
system calls identified in the static analysis can therefore
be falsely positive.
• The approach does not counter system call within allowed
ones or other forms of attack that do not include system
calls.
Q. Cloud Migration Research: A Systematic Review This
paper provides a systematic literature review (SLR) of the lit-
erature on cloud migration. The authors identified 23 publica-
tions from 2010 to 2013 that are categorized by method, tech-
nique, and solution for transitioning legacy systems to cloud
platforms. They proposed a Cloud-RMM (Cloud-Reference
Migration Model) to organise the research according to differ-
ent processes and concern-cutting across. The result of the
review shows that research studies on cloud migration are
limited and increasing while pointing out the lack of a standard
migration framework.
Technologies Used:
• Cloud computing platforms (various, according to the pa-
pers reviewed hereinabove).
• Operational systems (different as it will be described in the
papers to be reviewed).
• Cloud- RMM (Proposed Reference Model).
Limitations:
• Restricted to articles published within the calendar years
ranging from 2010 to 2013, thus might have excluded the
advance developments.
• The first gives prominence to legacy-to-cloud migration only
and does not include other forms of migrations to the cloud.
• Excludes industry practices that have not been reported in
the scholarly literature.
R. SysFlow: Towards a Programmable Zero Trust Se-
curity Architecture for Systems SysFlow is a new pro-
grammable system security platform developed to provide
zero-trust based, unified, dynamic, and resource granular se-
curity control capability. It presents a system flow abstraction
for describing system activities over an infrastructure and
offers a system level data and control plane division. The
functions of Policy Decisions Point (PDP) are performed by
the SysFlow Controller (SC), while Policy Enforcement Point
(PEP) functions are performed by the SysFlow Data Plane
(SDP). SysFlow adds micro-segmentation and risk visibility
to its programmable APIs to help secure systems with a zero-
trust posture.
Technologies Used:
• Linux kernel modules and the system calls it supports.
• Optional features for the kernel: full eBPF (Extended Berke-
ley Packet Filter)
• Java (for SysFlow Controller and security applications).
• C for SysFlow Data Plane implementation.
• Docker (for the container-based experiment).
• Different benchmarking utilties ( LMBench, ApacheBench,
sysbench).
Limitations:
• Operational only for the Linux operating system environ-
ment.
• The concept of the kernel and SysFlow components neces-
sarily implies trust.
• May cause slight performance degradation.
• Doesn’t cover all aspects of Zero Trust, including the
continuous authentication.
S. Container Cloud Security Vulnerability: An Empirical
Analysis of Security Risks Associated with Information
Leakages In this paper, we give a comprehensive survey of
information leak sources in container clouds. The authors iden-
tify and discuss different leakage points through which system-
wide host information is made accessible to containers with
poor resource isolation. They also show how such leakages can
be used for malevolent intent; to pry into private information;
identify people residing in the same dwelling; construct hidden
channels; and engage in other forms of advanced cloud-based
attacks.
Technologies Used:
• Mentioned container technologies include Docker and Linux
containers.
• Linux Kernel Module and Linux System calls.
• As for various benchmarking tools (LMBench,
ApacheBench, sysbench etc.)
• Cloud computing platforms : eBPF (Extended Berkeley
Packet Filter)
Limitations:
• This research may not on focus all possible leakage channels
in container environments.
• There are still some limitations of the study, the experiments
were carried out in rather artificial setting and therefore the
results probably do not reflect the real one as closely as they
could.
T. Ambush from All Sides: Analyzing security threats for
open-source SWE CI/CD Pipelines This paper performs
a large-scale measurement and comprehensive analysis of
security threats in practice OS OSS CI/CD pipelines. The
authors investigate more than 322K GitHub repositories with
CI/CD configurations to identify different security concerns
and vulnerabilities. They perform practical attacks to prove
their model and provide recommendations on how to improve
CI/CD security.
Technologies Used:
• CIAnalyser: A parse CI/CD-script/pipeline tool to system-
atically extract security vulnerabilities or security-relevant
information.
• Node.js and Docker as the primary preconditions for CI/CD
script execution
• Javascript, yaml for examining continuous integration and
delivery script and configuration files
• Travis CI, Jenkins, and GitHub.Action.
• Security knowledge repositories like NVD and CVE for
discovering existing security problems in CI/CD scripts
Limitations:
• The data size (324,672 repositories) is not the biggest of the
kind compared to some related works but still significant.
• The authors did not conduct attack case studies using
actual and exposed repositories for ethical consideration but
replicated them precisely.
U. Condo: Enhancing Container Isolation Through Ker-
nel Permission Data Protection The paper first presents
Condo, the intended solution to enhance container isolation
through protecting the kernel permission data. Containers
are implemented as light weight virtualization therefore the
isolation occurs through kernel access control mechanisms.
Nevertheless, currently existing protective measures such as
namespaces and the cgroup systems are still risky to memory
corruption attacks, especially non-CTL-Flow-Data ones. This
Condo does by employing a shallow, fast, simple kernel data
protection strategy unrelated to control flow. The solution is
designed where all accesses to the KPDs are caught by kernel
exceptions with a light-weight and complete protection system.
Condo interacts seamlessly with pre-existing other container
platforms such as Docker, as well as Kubernetes.
 Technologies Used:
• Tools: ARM TrustZone to facilitate a tutorial on how to use
it for setting up a Trusted Execution Environment (TEE).
Requests an implementation and testing of Modified Linux
Kernel (v4.19.35) and Docker v20.10.17.
• Dataset: 31 released kernel CVEs out of which eight belong
to privilege escalation class such as CVE-2017-5123 and
CVE-2021-42008 and one belongs to speculative execution.
• Protection Mechanisms: Page Fault Exception Handling:
Switching the way to obtain kernel permission data to TEE
• Pointer Protection: Permission pointers encoded as ad-
dresses holding real data.
• Polling Mechanism: Scheduling routines checks for certain
icons or pointers associated with permissions to see if they
have being manipulated.
Limitations:
• Performance Overhead: While still reasonably performant,
general container startup time is 5-9% longer and workloads
suffer up to 8% additional overhead.
• Complexity in Kernel Modifications: Kernel data of various
types must be guarded and for this, one has to inject into
various and often remote kernel functions – an approach
that is far from being safe.
• Focused Scope: Condo only discusses non-control flow data
attack while other attack type Condo does not deal with
them but they are covered by other schemes.
• Hardware Dependency: Dependent with the TEE support
and limits by its availability to some specific hardware
platforms only.
• Limited Evaluation: Security analysis centers around se-
lected CVEs and PoC which may not explore all actual
case scenarios.
V. DIVDS: Docker Image Vulnerability Diagnostic System
The Docker Image Vulnerability Diagnostic System (DIVDS)
is a newly developed instrument proposed in this paper, which
is aimed at resolving Docker environment security issues
by diagnosing vulnerability risks of Docker images during
the upload and download processes. DIVDS consists of two
main modules: IVD (Image Vulnerability Detection): Identi-
fies vulnerability from the metadata and checks them with
Ubuntu CVE Tracker and RedHat Security Data among other
vulnerability databases. IVE (Image Vulnerability Evaluation):
Estimates a vulnerability value according to the analyzed
threats, checks the value with the given tolerance for usage,
and decides whether the image can be employed. DIVDS
increases the level of security by stopping the distribution
of the potentially unsafe Docker images and offering an
organized method of assessment. The evaluation demonstrated
the effectiveness of DIVDS in identifying vulnerabilities in
widely-used images like ubuntu:latest and java:latest.
Technologies Used:
• Clair: Software tool that is used, for scanning for vulnera-
bilities.
• Docker Engine: Allows for image management and to tie-in
with DIVDS.
• Databases: Some of the trackers include: Ubuntu CVE
Tracker; Debian Security Bug Tracker; & RedHat Security
Data etc.
• Metrics: Of the nine types of risk assessment, this one is
based on Common Vulnerability Scoring System (CVSS).
• Analysis: Inactive deep scanning of the OS and Docker
image package information.
• Deployment Environment: Currently only gets tested on an
x86 64 CentOS 7 system with DIVDS modules deployed.
Limitations:
• Static Analysis Only: Similar to M2D2, DIVDS relies
mainly on static analysis (with the help of the Clair tool),
which makes it ineffective when it comes to runtime devi-
ations.
• Whitelist Feature: In specific cases, identified vulnerabilities
can be excluded from consideration if they are in the
whitelist, which is inadmissible in critical security assess-
ment.
• Threshold Dependency: There is flexibility in the user-
defined threshold scores that may cause changes to the
computed vulnerability level and reliability.
• Performance Overhead: The steps that are going to be added
to improve the vulnerability detection and evaluation mech-
anisms might slightly affect the Docker image processing
time.
W. Malicious Investigation of Docker Images on Basis of
Vulnerability Databases This paper aims at identifying the
main weaknesses that exist in Docker images and distinguish-
ing between the official and community images. The tool
unveiled an even higher, 66% rate of exposure to potentially
critical vulnerabilities in the community images because of
old software and no updates. Scanning was performed using
Trivy that utilized multiple databases for different operating
systems’ vulnerabilities. K-means clustering was used to make
a comparison of threats depending on various image types.
Technologies Used:
• Tool: Trivy for static vulnerability scanning.
• Data Source: Docker Hub repository images classified as
official or community.
• Analysis: K-means clustering for threat level categorization
and elbow method for optimal cluster
• Scoring: Vulnerability severity was evaluated using CVSS
scores.
Limitations:
• Tool Limitations: Trivy only depends on selected vulnera-
bility databases so that some unique opportunities can be
unnoticed outside its database.
• Data Bias: Covers only Docker images which presents po-
tential limited re- applicability in other container platforms
or environments.
• Static Analysis Constraints: Some of the exposed vulner-
abilities could only be discovered in still captures and not
when actively running and undergoing configuration change.
• Inconsistent Updates: Many images, especially community-
provided ones, had not been updated for over a year,
 skewing the number of vulnerabilities identified.
• Security Thresholds: The lack of standardized thresholds for
determining ”maliciousness” impacted result interpretation.
X. Monitoring Solution for Cloud-Native DevSecOps This
research offer an architectural solution and implementation of
an automated monitoring solution for cloud native DevSecOps
environments to fill the gap on lack of homogenous monitoring
framework for the infrastructure as well as the applications.
This becomes achievable through incorporating of tools from
the open source domain to deliver health metrics, log analysis,
and alerting in real time while supporting agility, scalability,
and security.
Technologies Used:
• Infrastructure Tools: For example, Docker to management
containers and the Transport Layer proxy and communica-
tion technology called Traefik.
• Monitoring Tools: For system level, node exporter,
Prometheus and Grafana.
• Application Monitoring: ELK for logging collection and
analysis as one of the major innovations in Big Data and
Analytics.
• Data Collection: For extracting log data from worker nodes
you have Filebeat and Logstash. Framework: Thanks to
the microservices architecture, modularity and scalability
aspects are achieved.
• Deployment: Distribution on the cloud-native OpenStack
computing platform with support for
Limitations:
• Evaluation Pending: Lack of results obtained from experi-
ments on the efficiency of the proposed framework.
• Agent-Based Approach: Tied exclusively to data collected
by agents within the computing system, therefore may not
capture serverless or other transient resource information.
• Toolchain Integration Challenges: Interdependency on sev-
eral components can lead to integration and compatibility
problems since the components are open source.
Y. Reflections on Trusting Docker: Invisible Malware in
Continuous Integration Systems This work explores the risks
and trust issues which are associated with Docker-based CI
systems. Self-hosted architecture properties are identified and
the research shows how malware can backdoor CI systems,
persist through updates, and compromise production artifacts.
A PoC targeting GitLab CI was done showing how covert
channels for malware updates exist and the difficulties in
detecting them because nothing exists in the source repo.
Technologies Used:
• Proof-of-Concept: A self-generating virus working on
Docker client interface.
• Environment: This has been testified in GitLab CI inside a
custom Docker image.
• Methodology: Used CI container life-cycle also targeted
dependency injection used covert channels for the controls
and updates.
• Payload: Some of them are: placing Trojans in pre-release
software binaries, copying and transmitting key information
out from the target network, and network hopping.
Limitations:
• Detection Complexity: Self-propagating malware can hardly
be detected and prevented with the
• Scope: Mainly investigated Docker-based CI systems; re-
sults might not be applicable to systems with other CI
structures.
• Resource Requirements: A requirement of certain CI con-
figurations such as Docker in Docker setups are a feature
of demonstrations.
• Mitigation Challenges: Other solutions such as reproducible
builds imply a massive shift in CI
Z. Security Analysis of Docker Containers for ARM Ar-
chitecture This paper assesses the security risks of Docker
containers for ARM architecture which is important to IoT and
edge computing devices. Analyzing official Docker images for
vulnerabilities was done with help of Trivy, Clair, Snyk and
JFrog; the impact of tools and time on vulnerabilities detection
was also compared. Real life examples learnt through dynamic
analysis on Raspberry Pi devices depicted the significance of
security.
Technologies Used:
• Scanning Tools: Since it deals with identification of CVE,
we have Trivy, Clair, Snyk and JFrog.
• Devices: This cluster is utilized from Raspberry Pi 4B+
model for dynamic testing.
• Metrics: Used CVSS for severity; GHSA for the vulnera-
bility focused on unique and non-unique vulnerabilities in
the Linux distributions such as Debian and Ubuntu.
• Dynamic Testing: Attacked known vulnerable systems on
simple but armable Kubernetes structures such as K3S.
Limitations:
• Tool Constraints: There are tools (for example, Clair, JFrog)
which are incompatible with ARM-based engines that re-
duce the efficiency of full scanning.
• Dynamic Analysis Challenges: Few resources are available
for observing system calls on ARM when considering
runtime issues.
• Dataset Restrictions: Due to practical limitations stemming
from the analysis of large datasets, scanning was only
performed on the official ARM images.
• Temporal Limitations: At two different time, given vul-
nerability values were calculated which do not illustrate
continuous evolution.
AA. Security Audit of Docker Container Images in
Cloud Architecture This paper provides a way of auditing
security of Docker container images in cloud environment.
This paper proposes a Vulnerability-Centric Analysis (VCA)
of Docker images, as well as use cases compatible with the
OWASP Container Security Verification Standards and the
NIST SP 800-190 standards. Essential discoveries point more
risks that are as a result of; old packages, wrong setting, and
poor barriers on systems.
Technologies Used:
• Framework: Image security vulnerability assessment and
management approach known as Vulnerability-centric ap-
proach (VCA).
• Tools: Google Container Registry Vulnerability Scanning
API.
• Standards Alignment: We have identified the OWASP Con-
tainer Security Verification Standards and the NIST SP 800-
190 guidelines.
• Use Cases: The audit-focused scenarios of containers in dif-
ferent phases such as base image inspection and Dockerfile
settings, image signing and authorization.
• Scanning Categories: Had the major classes and subdeliv-
erables of operating systems, database, programming lan-
guages, web, and application platform.
Limitations:
• Narrow Scope: They are mainly oriented to vulnerabilities in
Docker images but they do not cover container orchestration
tools.
• Tool Dependency: Due to the heavy use of the Google
Container Registry’s API, vulnerability scanning was not
very generalizable.
• Static Analysis Bias: Concerning the dynamic and the
runtime security issues, there was no adequate solution.
• Compliance Gaps: While traditional methods of verification
do facilitate a relatively high degree of correlation between
security measures and cloud-native models, these processes
themselves may not be fully suited to the new paradigms.
AB. Scanning Categories: Had the major classes and
subdeliverables of operating systems, database, program-
ming languages, web, and application platform.
Summary: This study examines the consequences of en-
abling production accounts for official Docker Hub images. It
explores package changes in 37,000 images of 158 official
repositories. The research highlights problems arising from
package changes, particularly concerning the functionality of
utility packages, which may result in poor performance and
security threats. It discourages in-place updates in version
updates of Docker images and encourages testers to conduct
thorough checks before deployment.
Technologies Used:
• Tools:
– Docker Hub: Source used for data collection of infor-
mation repositories and images.
– Docker CLI: Utilized for image analysis, as well as for
metadata identification.
• Metrics: Types of package changes separated as major,
minor, or patch according to semantic versioning.
• Analysis: Standard deviation and variance of the nature of
packages that are upgraded and downgraded with different
repository categories.
• Dataset: Over 37,000 image tags crawled from 158 official
sources.
Limitations:
• Manual Branch Identification: Division of repositories
into branches was done manually, which may create incon-
sistencies.
• Scope Restriction: The work considers only official repos-
itories, excluding community or verified repositories.
• Limited Package Types: Focuses on native (OS), Node.js,
and Python packages while ignoring R or Java as package
types.
• Semantic Versioning Assumptions: Assumes homogeneity
in packages following semantic versioning, which isn’t
guaranteed.
• Exclusion of Anomalous Repositories: Five repositories
with poorly described versioning or branching were ex-
cluded.
AC. The Practice and Application of a Novel DevSecOps
Platform on Security
Summary: This paper introduces a self-designed DevSec-
Ops platform for safe and efficient software release by China
Telecom. The tool incorporates security features into DevOps
via its Security Center, which includes permission manage-
ment, scanning engines, and defect reporting. In this way,
the platform also checks code quality and performs security
checks for compliance into pipelines, enabling independent
scans. Currently, it supports approximately 62,000+ users,
includes over 10,000+ projects, and analyzes more than 4.5
billion+ lines of code.
Limitations:
• Static Scanning Limitations: Compared to pipeline scan-
ning, independent scanning does not support some lan-
guages, and the accuracy of the model is relatively low.
• Server Mode Constraints: The server scanning mode
combines some issues with elastic scalability methods, and
new questions regarding repository tokens’ security appear.
• False Positives: Static analysis tools may provide results
that contain errors, requiring additional verification by pro-
grammers.
• Implementation Challenges: It was assumed that a culture
change and a significant amount of training are the key
prerequisites for successful DevSecOps implementation.
Technology in Use:
• Tools:
– Static code scanners: SonarQube, Fortify, CodeSec.
– Software Component Analysis: Tools supplied by
Haiyunan and Woodpecker.
• Scanning Modes:
– Pipeline Scanning: Additional post-build scan to ensure
high accuracy of the program.
– Independent Scanning: For increased flexibility, stan-
dalone static analysis.
• Deployment: Two resource pools (Guangzhou and
Guizhou) were built with the client-server approach.
• Metrics: Risk classification: Critique, high, middle, and
low-risk categories of defects.
AD. Vulnerability Analysis of Docker Hub Official Im-
ages and Verified Images
 Summary: This study analyzes security vulnerabilities in
official and verified Docker Hub images using four popu-
lar open-source image scanning tools: Anchore, Aqua Trivy,
Docker Scan, and JFrog Xray. It reviews the general count,
the general risks, and the exclusive CVEs of images that
were chosen, such as Ubuntu, Nginx, MySQL, Mongo, and
Postgres. The study shows that official images are, as a rule,
less susceptible to threats compared to verified images and
are, therefore, safer. Additionally, Aqua Trivy found the most
vulnerabilities compared to other tools, while Docker Scan
was the least effective in detecting vulnerabilities.
Limitations:
• Tool Inconsistency: It was identified that there are vari-
ances in the number and intensity of these vulnerabilities
disclosed by different tools.
• Limited Scope: Chen and colleagues only included five
official and five corresponding verified images for analysis;
thus, the results may not be generalizable.
• Severity Confusion: The issues discovered during the study
were presented in CVEs, some of which were categorized
with different severity levels depending on the tool used in
the analysis.
• Dependency on Free Tools: Freeware tools, which may
have better precision, were not considered because many of
them provide only a restricted number of features in the test
version.
• Outdated Data: Some of the risks were due to old libraries,
and sources like maybewhere.org or others may not contain
the latest information on how such programs or applications
may actually be used.
Technology in Use:
• Tools: Anchore, Aqua Trivy, Docker Scan, JFrog Xray.
• Metrics: The total number of weaknesses categorized as
Critical, High, Medium, and Low risk. Yearly trends in the
number of different CVEs from the year 2005 to 2023.
• Dataset: Top 5 official images (Ubuntu, Nginx, MySQL,
Mongo, Postgres) with their top 5 verified counterparts
using download counts and update frequency.
• Vulnerability Sources: CVE and NVD databases, as well
as advisories released by software vendors, are more formal
compared to the information provided by the wider commu-
nity.
• Analysis: Comparative analysis of total reported vulnerabil-
ities and their impact on both official and verified images.
III. C ONCLUSION AND F UTURE D ISCUSSIONS
This review of 30 studies on Docker image vulnerabilities
within DevSecOps highlights the critical need for integrating
security across the software lifecycle. Key insights include:
• Prevalence of Vulnerabilities: Many Docker images
contain significant vulnerabilities, necessitating continu-
ous monitoring.
• Tool Inconsistencies: Scanning tools (e.g., Trivy, Clair,
Snyk) often produce inconsistent results, requiring stan-
dardization.
• Static vs. Dynamic Analysis: Static tools lack runtime
detection capabilities, underscoring the need for dynamic
analysis.
• Supply Chain Security: Securing third-party dependen-
cies and base images is essential.
• Performance Trade-offs: Balancing robust security with
system performance remains a challenge.
• Compliance and Standards: Adherence to OWASP and
NIST standards is vital yet difficult in evolving ecosys-
tems.
Challenges include tool inconsistencies, scalability, dynamic
threats, CI/CD integration, and false positives/negatives. Fu-
ture directions focus on:
• Leveraging AI for vulnerability detection and automated
remediation.
• Improving tool interoperability and consistency.
• Advancing runtime security and automated compliance
checks.
• Enhancing supply chain security and addressing edge/IoT
challenges.
• Optimizing performance while maintaining robust secu-
rity.
In summary, integrating security throughout the develop-
ment lifecycle is essential. As containerization grows, scalable,
efficient, and innovative security solutions are increasingly
critical.
R EFERENCES
[1] Assessing Security Risks of Software Supply Chains Using Software
Bill of Materials.
[2] Design and Practice of Security Architecture via DevSecOps Technol-
ogy.
[3] Detection, Analysis, and Countermeasures for Container-Based Miscon-
figuration Using Docker and Kubernetes.
[4] Development of Secure Software Based on the New DevSecOps Tech-
nology.
[5] DevSecOps: A Security Model for Infrastructure as Code Over the
Cloud.
[6] Enhancing DevSecOps: Three Custom Tools for Continuous Security.
[7] Framework to Secure Docker Containers.
[8] Implementation of DevSecOps by Integrating Static and Dynamic Se-
curity Testing in CI/CD Pipelines.
[9] Implementing and Automating Security Scanning to a DevSecOps
CI/CD Pipeline.
[10] Improving Substation Network Security with DevSecOps and AIOps.
[11] Native Container Security for Running Applications: A Review.
[12] Last Line of Defense: Towards certifying dependable SCADA networks,
we propose to foster cyber threat hunting with deception in Reliability
Through Inducing Cyber Threat Hunting with Deception in SCADA
Networks.
[13] Secure Inter-Container Communications Using XDP/eBPF.
[14] Towards an Understanding of Docker Images and Performance Conse-
quences on Container Storage Systems at Scale.
[15] Hyperion: Impact Hardware High-Performance and Secure System for
Container Networks.
[16] A Hybrid System Call Profiling Model for Container Protection.
[17] Cloud Migration Research: A Systematic Review.
[18] SysFlow: Towards a Programmable Zero Trust Security Architecture for
Systems.
[19] Container Cloud Security Vulnerability: An Empirical Analysis of
Security Risks Associated with Information Leakages.
[20] Ambush from All Sides: Analyzing security threats for open-source
SWE CI/CD Pipelines.
[21] Condo: Enhancing Container Isolation Through Kernel Permission Data
Protection.
[22] DIVDS: Docker Image Vulnerability Diagnostic System.
[23] Malicious Investigation of Docker Images on Basis of Vulnerability
Databases.
[24] Monitoring Solution for Cloud-Native DevSecOps.
[25] Reflections on Trusting Docker: Invisible Malware in Continuous Inte-
gration Systems.
[26] Security Analysis of Docker Containers for ARM Architecture.
[27] Security Audit of Docker Container Images in Cloud Architecture.
[28] Scanning Categories: Had the major classes and subdeliverables of oper-
ating systems, database, programming languages, web, and application
platform.
[29] The Practice and Application of a Novel DevSecOps Platform on
Security.
[30] Vulnerability Analysis of Docker Hub Official Images and Verified
Images.