Concepedia

Publication | Closed Access

An Evaluation of Container Security Vulnerability Detection Tools

Citations: 21

References: 1

Year: 2021

Omar Javed, Salman Toor

Unknown Venue

Abstract

A container is a lightweight virtualization technology which packages an application, its dependencies and an operating system (OS) to run as an isolated unit. However, the pressing concern with the use of containers is their susceptibility to security attacks. Consequently, a number of container scanning tools are available for detecting container security vulnerabilities. Therefore, in this experience report, we investigate the quality of existing container scanning tools by considering two metrics that reflect coverage and accuracy. We analyze popular public container images hosted on DockerHub using different container scanning tools (i.e., Clair, Anchore, and Microscanner). Our findings show that existing container scanning tools do not detect application package vulnerabilities. Furthermore, we find that existing tools do not have high accuracy.
