Investigating the inner workings of container image vulnerability scanners
The use of container technology as a main part of software development is increasing exponentially. Containers not only provide a huge benefit for Continuous Integration/Continuous Delivery (CI/CD) pipelines, but also simplify shipping problems. However, the security of container images is a primary concern. Exploitation of a single vulnerability in an image could have huge consequences and result in loss of CIA (Confidentiality, Integrity, Availability) in an application. While there are a variety of image scanners that create vulnerability reports informing the security teams, there is a lack of knowledge about the inner workings of container image scanners and how they interact with different types of images. First, this thesis describes the history of containers, and the tools and technology related to containers. Second, we discuss some of the most popular container image scanners and select two which are both open-source and highly ranked. Next, the thesis explains how scanners detect packages and vulnerabilities. Finally, a few experiments are conducted with three different types of containers: standard container images, distroless images, and images that have been slimmed down. These kinds of images are scanned using the image scanners and the results are compared. Our findings reveal that:

1. Both selected image scanners use roughly the same algorithm to detect vulnerabilities.
2. Trivy supports more OS and application packages.
3. The majority of the detected vulnerabilities are unfixed vulnerabilities.
4. None of the tested scanners were able to detect vulnerabilities when using slimmed-down images.
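The following is an added illustration, not code from the thesis or from Trivy or any other scanner, of the detection approach the abstract refers to and of findings 3 and 4. It assumes (as an assumption, not a claim of the thesis) that an OS-package scanner locates the distribution's package database inside the unpacked image filesystem, lists installed name/version pairs, and compares each version against an advisory feed that either names a fixed version or marks the issue as unfixed. The dpkg status excerpt, the advisory identifiers (EXAMPLE-000x placeholders, not real CVEs) and both image filesystems are constructed inline; the "slimmed" image stands in for a slimming tool having removed /var/lib/dpkg/status along with other files the application never reads.

```python
"""Toy container image vulnerability scanner (added example, not from the thesis).

Assumption: scanners find /var/lib/dpkg/status (Debian/Ubuntu images) in the
image filesystem, parse installed packages, and compare versions against an
advisory feed using dpkg version ordering. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed dpkg status excerpt as it would appear inside an image layer.
DPKG_STATUS = """\
Package: libssl1.1
Status: install ok installed
Version: 1.1.1n-0+deb11u3

Package: curl
Status: install ok installed
Version: 7.74.0-1.3+deb11u7

Package: bash
Status: install ok installed
Version: 5.1-2+deb11u1
"""


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                  # placeholder id, not a real CVE
    package: str
    fixed_version: Optional[str]  # None: no fix released ("unfixed")


# Constructed advisory feed; real scanners pull per-distro security trackers.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "libssl1.1", "1.1.1n-0+deb11u4"),  # image is behind the fix
    Advisory("EXAMPLE-0002", "curl", None),                      # no fix available yet
    Advisory("EXAMPLE-0003", "bash", "5.1-2+deb11u1"),           # image already has the fix
]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed_version: Optional[str]

    @property
    def fixable(self) -> bool:
        return self.fixed_version is not None


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before end-of-string, letters before others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream or revision fragment using dpkg's alternating
    non-digit / digit run algorithm. Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i += bool(ca)
            j += bool(cb)
        # Digit run: compare numerically (leading zeros are irrelevant).
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        da, db = int(na or "0"), int(nb or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Debian version comparison: [epoch:]upstream[-revision]."""
    def split(v: str):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_status(text: str) -> dict:
    """Return {package: version} for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith("installed") and "Package" in fields:
            installed[fields["Package"]] = fields["Version"]
    return installed


def scan(image_fs: dict, advisories) -> list:
    """image_fs maps paths to file contents and stands in for unpacked layers.
    Without a package database there is nothing to match, which is the
    assumed mechanism behind zero findings on slimmed images."""
    status = image_fs.get("/var/lib/dpkg/status")
    if status is None:
        return []
    installed = parse_dpkg_status(status)
    findings = []
    for adv in advisories:
        ver = installed.get(adv.package)
        if ver is None:
            continue
        if adv.fixed_version is None or compare_versions(ver, adv.fixed_version) < 0:
            findings.append(Finding(adv.vuln_id, adv.package, ver, adv.fixed_version))
    return findings


def summarize(findings) -> dict:
    """Split results into fixable and unfixed counts, as scanner reports do."""
    fixed = sum(f.fixable for f in findings)
    return {"total": len(findings), "fixable": fixed, "unfixed": len(findings) - fixed}


# Constructed image filesystems: the slimmed one keeps the binaries but not the dpkg DB.
STANDARD_IMAGE = {"/var/lib/dpkg/status": DPKG_STATUS, "/usr/bin/curl": "<elf>"}
SLIMMED_IMAGE = {"/usr/bin/curl": "<elf>", "/usr/lib/x86_64-linux-gnu/libssl.so.1.1": "<elf>"}

if __name__ == "__main__":
    for name, fs in (("standard", STANDARD_IMAGE), ("slimmed", SLIMMED_IMAGE)):
        results = scan(fs, ADVISORIES)
        print(name, summarize(results))
        for f in results:
            print(f"  {f.vuln_id} {f.package} {f.installed} fix={f.fixed_version or 'none'}")
```

Running it reports two findings for the standard image (one with a fix available, one unfixed; bash is skipped because its version already equals the fixed version) and none for the slimmed image. The practical caveat this shows for defenders is that an empty report from a slimmed or distroless image is not evidence of a clean image, only that the scanner found no package metadata to match; scanning the original base image before slimming, or generating an SBOM at build time, restores visibility.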