Container Vulnerability Scanners: An Analysis

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Michelle Jagelid (2020)


Abstract: Containers are rising in popularity as a technique for deploying services to cloud infrastructures. A container image is a static format of a running container, storing all the information needed to boot and run a container. Container images are often stored in repositories and widely shared among users, and images stored on registries such as Docker Hub have been shown to contain numerous known vulnerabilities. This study investigates the differences between containers and VMs, and why security tooling, such as known-vulnerability scanners, needs to adapt. Further, we present the necessary steps of a workflow for implementing container vulnerability scanners, along with problems and solutions to consider at each step. Finally, we compare two open-source scanners, Anchore and Clair, on 8 versions of common OS distributions. We show that the two tools produce different results when scanning OS packages. A majority of these differences likely arise from disagreement over vulnerability definitions. Disregarding definition disagreements, the remaining differences are more likely due to implementation, but they are not large enough to be significant.
