ZeroDVS: Trace-Ability and Security Detection of Container Image Based on Inheritance Graph

Abstract

Docker image is the foundation for container operation. Docker Hub is the largest online repository of public container images. Users can upload and download any random image file to the hub due to the absence of adequate security scanning and detection, potentially causing substantial security risks. This paper introduces ZeroDVS, a container image traceability and security detection system based on inheritance graphs. In ZeroDVS, a basic image inheritance graph is built with 160 official images published by Docker Hub. Then, the basic image source of the downloaded image can be identified, and the public vulnerability database is used to scan for public vulnerabilities in image files. ZeroDVS scans the public container images of Docker Hub and identifies the inheritance relationship of public container images to detect public vulnerabilities in the image layer above the parent image simultaneously. Docker image is the foundation for container operation. Docker Hub is the largest online repository of public container images. Users can upload and download any random image file to the hub due to the absence of adequate security scanning and detection, potentially causing substantial security risks. This paper introduces ZeroDVS, a container image traceability and security detection system based on inheritance graphs. In ZeroDVS, a basic image inheritance graph is built with 160 official images published by Docker Hub. Then, the basic image source of the downloaded image can be identified, and the public vulnerability database is used to scan for public vulnerabilities in image files. ZeroDVS scans the public container images of Docker Hub and identifies the inheritance relationship of public container images to detect public vulnerabilities in the image layer above the parent image simultaneously.