A Study on Early & Non-Intrusive Security Assessment for Container Images

The ubiquitous adoption of container images to virtualize the software contents bring significant attention in its security configuration due to intricate and evolving security issues. Early security assessment of container images can prevent and mitigate security attacks on containers, and enabling practitioners to realize the secured configuration. Using security tools, which operate in intrusive manner in the early assessment, raise critical concern in its applicability where the container image contents are considered as highly sensitive. Moreover, the sequential steps and manual intervention required for using the security tools negatively impact the development and deployment of container images. In this regard, we aim to empirically investigate the effectiveness of Open Container Initiative (OCI) properties with the Machine Learning (ML) models to assess the security without peeking inside the container images. We extracted OCI properties from 1,137 real-world container images and investigated six traditional ML models with different OCI properties to identify the optimal ML model and its generalizability. Our empirical results show that the ensemble ML models provide the optimal performance to assess the container image security when the model is built with all the OCI properties. Our empirical evidence will guide practitioners in the early security assessment of container images in non-intrusive way as well as reducing the manual intervention required for using security tools to assess the security of container images.