
A Literature Review on Cloud Computing and Container Security

SHREESHA ., SAGAR PATIL, RAVEESH ANAJI, SANGAMESH PATIL

Abstract


Docker has gained significant traction among software developers due to the portability, scalability, and versatility provided by container technology. However, as application security increasingly relies on the integrity of the images used as foundational components, concerns over vulnerabilities in these images have grown. With more development workflows transitioning to cloud environments, ensuring the security of images sourced from various repositories becomes crucial. This paper presents a CI/CD (Continuous Integration and Continuous Deployment) system designed to validate Docker image security throughout the software development lifecycle. We deliberately introduce vulnerable images to evaluate the system's ability to detect these issues. Additionally, we incorporate dynamic analysis to examine the runtime behaviour of Docker containers, demonstrating how this approach complements the static analysis methods commonly employed in security evaluations.




