Investigating the inner workings of container image vulnerability scanners
Master thesis
Published version
Permanent link: https://hdl.handle.net/11250/3017416
Publication date: 2022
Abstract
The use of container technology as a central part of software development
is growing rapidly. Containers not only benefit Continuous Integration/Continuous
Delivery (CI/CD) pipelines, but also simplify shipping software. However, the
security of container images is a primary concern: exploiting a single
vulnerability in an image can have severe consequences and compromise the
confidentiality, integrity or availability (CIA) of an application. While a
variety of image scanners produce vulnerability reports for security teams,
little is known about the inner workings of these scanners and how they behave
on different types of images.
First, this thesis describes the history of containers and the tools and
technology related to them. Second, we discuss some of the most popular
container image scanners and select two that are both open source and
highly ranked. Next, the thesis explains how scanners detect packages and
vulnerabilities. Finally, a series of experiments is conducted with three
kinds of container images: standard images, distroless images, and images
that have been slimmed down. Each kind is scanned with both selected scanners
and the results are compared. Our findings reveal that:
1. Both selected image scanners use roughly the same algorithm to
detect vulnerabilities.
2. Trivy supports more OS and application packages than the other selected scanner.
3. The majority of the detected vulnerabilities have no fix available.
4. Neither of the tested scanners was able to detect any vulnerabilities in
slimmed-down images.
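The following is an added illustration of the detection algorithm the findings refer to, and of why a slimmed-down image produces an empty report; it is not code from the thesis, from Trivy or from any other scanner. Scanners of this kind identify OS packages by parsing the package manager's database inside the image filesystem (for Debian-based images, /var/lib/dpkg/status) and compare each installed version against a vulnerability feed using the distribution's own version ordering (here a port of dpkg's comparison rules). A slimming tool that strips the package database leaves nothing to match, which is the usual mechanism behind finding 4, although the abstract itself does not spell it out. The two image filesystems are modelled as path-to-content dictionaries, and the advisory feed, package names and EXAMPLE-* identifiers are constructed sample data, not real advisories.

```python
"""Minimal model of an OS-package image scanner (added example, not thesis code).

Two image filesystems are modelled as {path: content} dictionaries: a
standard Debian-style image that still carries /var/lib/dpkg/status, and a
slimmed image from which that file has been stripped. The advisory feed
and every package name / EXAMPLE-* id below are constructed sample data.
"""
from __future__ import annotations


def _order(ch: str) -> int:
    """Character weight used by dpkg: '~' sorts before everything, letters
    before non-letters, digits and end-of-string are neutral (0)."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return oa - ob
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """Compare two Debian versions ([epoch:]upstream[-revision]); returns -1, 0 or 1."""
    def split(v: str) -> tuple[int, str, str]:
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    result = (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (result > 0) - (result < 0)


def parse_dpkg_status(text: str) -> dict[str, str]:
    """Return {package: version} for every stanza whose Status is 'installed'."""
    packages: dict[str, str] = {}
    for stanza in text.strip().split("\n\n"):
        fields: dict[str, str] = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):  # skip continuation lines
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        # 'deinstall ok config-files' and half-installed states are not installed packages
        if fields.get("Status", "").split()[-1:] == ["installed"] and "Package" in fields:
            packages[fields["Package"]] = fields["Version"]
    return packages


def scan(rootfs: dict[str, str], feed: list[dict]) -> dict:
    """Detect OS packages in the image filesystem and match them against the feed.

    An advisory with fixed_version None is reported for every installed version
    (an 'unfixed' finding); otherwise it is reported when installed < fixed.
    """
    status = rootfs.get("var/lib/dpkg/status")
    if status is None:
        # Nothing to parse: the image is unscanned, not clean.
        return {"os_packages": {}, "findings": [],
                "warning": "no OS package database found; image could not be scanned"}
    packages = parse_dpkg_status(status)
    findings = []
    for adv in feed:
        installed = packages.get(adv["package"])
        if installed is None:
            continue
        fixed = adv["fixed_version"]
        if fixed is None or dpkg_compare(installed, fixed) < 0:
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": installed, "fixed_version": fixed,
                             "fixed": fixed is not None})
    return {"os_packages": packages, "findings": findings, "warning": None}


# Constructed advisory feed; EXAMPLE-* ids are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "fixed_version": "1.2.3-2"},
    {"id": "EXAMPLE-0002", "package": "libfoo", "fixed_version": "1:1.0-1"},   # epoch bump
    {"id": "EXAMPLE-0003", "package": "bar-utils", "fixed_version": None},      # no fix available
    {"id": "EXAMPLE-0004", "package": "baz", "fixed_version": "9.9"},           # not installed
]

# Constructed standard image: package database present.
FULL_IMAGE = {
    "var/lib/dpkg/status": (
        "Package: libfoo\nStatus: install ok installed\nVersion: 1.2.3-1\n\n"
        "Package: bar-utils\nStatus: install ok installed\nVersion: 0.5~beta-3\n\n"
        "Package: removed-pkg\nStatus: deinstall ok config-files\nVersion: 2.0-1\n"
    ),
    "usr/bin/app": "<binary>",
}

# Constructed slimmed image: the same binaries, but the dpkg database was stripped.
SLIM_IMAGE = {"usr/bin/app": "<binary>", "usr/lib/libfoo.so.1": "<binary>"}

if __name__ == "__main__":
    for name, image in (("standard", FULL_IMAGE), ("slimmed", SLIM_IMAGE)):
        report = scan(image, SAMPLE_FEED)
        print(name, report["os_packages"], [f["id"] for f in report["findings"]], report["warning"])
```

The practical check this suggests: when a scanner returns zero packages for an image, treat the result as "not scanned" rather than "no vulnerabilities", and either scan the image before it is slimmed or keep the package database in the slimmed image so that the scanner has something to match.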