KEMBAR78
IEEE-Paper For Final Year Project On DevOps | PDF | Computer Security | Security
0% found this document useful (0 votes)
33 views9 pages

IEEE-Paper For Final Year Project On DevOps

This paper presents a novel approach to detecting vulnerabilities in Docker images by integrating static and dynamic analysis within a DevSecOps framework. The proposed solution enhances security by embedding vulnerability detection early in the development pipeline, achieving a 40% improvement in detection accuracy compared to traditional methods. The approach fosters continuous security management and suggests future enhancements, including machine learning and runtime detection for improved security.

Uploaded by

Tina Guo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
33 views9 pages

IEEE-Paper For Final Year Project On DevOps

This paper presents a novel approach to detecting vulnerabilities in Docker images by integrating static and dynamic analysis within a DevSecOps framework. The proposed solution enhances security by embedding vulnerability detection early in the development pipeline, achieving a 40% improvement in detection accuracy compared to traditional methods. The approach fosters continuous security management and suggests future enhancements, including machine learning and runtime detection for improved security.

Uploaded by

Tina Guo
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

A novel approach to detect vulnerability in the

docker images through the DevSecOps approach


1st Mohan Kumar TG 2nd Anand Kumar Rai 3nd Niraj Agarwal
Information Science and Engineering Information Science and Engineering Information Science and Engineering
Nitte Meenakshi Institute of Technology Nitte Meenakshi Institute of Technology Nitte Meenakshi Institute of Technology
Bengaluru, India Bengaluru, India Bengaluru, India
mohamkumar.tg@nmit.ac.in 1nt21is028.anand@nmit.ac.in 1nt21is103.niraj@nmit.ac.in

4nd Sanjeev S 5nd Yashi Sehgal


Information Science and Engineering Information Science and Engineering
Nitte Meenakshi Institute of Technology Nitte Meenakshi Institute of Technology
Bengaluru, India Bengaluru, India
1nt21is140.sanjeev@nmit.ac.in 1nt21is190.yashi@nmit.ac.in

Abstract—Docker has revolutionized software deployment by also introduces security risks, as vulnerabilities within Docker
enabling developers to package applications into containers that images can lead to exploitation and system compromise. As
ensure consistency across environments. However, vulnerabilities organizations increasingly adopt containerized applications,
within Docker images present significant security risks. This
paper presents a novel approach to detecting vulnerabilities in ensuring robust security measures throughout the Docker
Docker images through the integration of static and dynamic image lifecycle is critical.Traditional security practices, often
analysis within a DevSecOps framework. The proposed solution implemented late in the development process, are insufficient
enhances security by embedding vulnerability detection early in addressing the fast-paced nature of modern software de-
in the development pipeline, providing real-time monitoring velopment. This has led to the rise of DevSecOps, which
of Docker containers, and maintaining operational efficiency.
Our approach includes a comprehensive vulnerability detection integrates security into the DevOps workflow. By embedding
engine, seamless integration with CI/CD pipelines, and a real-time security checks early in the development pipeline, vulnerabil-
monitoring system for ongoing threat detection. Experimental ities can be identified and mitigated before deployment.This
results demonstrate a significant reduction in the time required to paper proposes a novel approach to Docker image vulnerability
identify and mitigate vulnerabilities, with a 40% improvement in detection using a combination of static and dynamic analysis
detection accuracy compared to traditional methods. The solution
enables proactive vulnerability detection and real-time threat techniques within a DevSecOps framework. Our solution en-
mitigation without disrupting development workflows, fostering hances container security by integrating vulnerability detection
a culture of continuous security management. Future improve- early in the development lifecycle and providing continuous
ments are suggested, including the use of machine learning and monitoring for real-time threat detection.
runtime detection for enhanced security. This project represents
a significant advancement in container security and provides
a scalable method for identifying vulnerabilities and mitigating
risks in Dockerized applications, making it a valuable tool for
organizations using microservices and cloud-native technologies.

Index Terms—Docker, vulnerability detection, DevSecOps,


static analysis, dynamic analysis, container security, CI/CD
integration, real-time monitoring, secure software development,
container orchestration, automated security scanning, runtime
security, threat mitigation, microservices security, cloud-native
applications, event-driven architecture.

I. I NTRODUCTION
Containerization has become a cornerstone for modern soft- Fig. 1. DevSecOps Activity Flow for Docker Image Security
ware deployment, with Docker leading the way in providing
Figure 1 illustrates the DevSecOps activity flow imple-
a consistent environment across development, testing, and
mented in our approach, highlighting the integration of se-
production. While Docker facilitates seamless deployment, it
curity measures throughout the development and deployment
This project was supported by the Department of Information Science and process. This workflow ensures continuous security checks at
Engineering, Nitte Meenakshi Institute of Technology. each stage of the container lifecycle.
II. L ITERATURE R EVIEW Cluster, Container, Code)-planning, coding, testing, runtime
Several methodologies have been explored in the field of monitoring, and intrusion detection to ensure continuous
container security and vulnerability detection. We review security integration-features some advanced automated
six key papers that have significantly influenced our approach: tools and techniques for runtime security enhancement. These
include integrity checks, user behavior analysis, and automatic
DevSecOps: A Security Model for Infrastructure as vulnerability detection-all of which help address issues such
Code Over the Cloud by Amr Ibrahim, Ahmed H. Yousef, and as escapes from containers and key leakage. In practice,
Walaa Medhat [17] there were fewer bugs, shorter release cycles, better security
from production, and security awareness among teams. The
The DevSecOps security module for Infrastructure as Code architecture supports scalable solutions for ever-evolving
(IaC) is put forward for improvement of cloud infrastructure container security threats, but anchors continue to wind their
security while achieving infrastructure provisioning. The way in the emergence of runtime security challenges and the
integration of Terraform and Ansible in the implementation of complexity of container threat modeling versus the resource
the module connects security practices inline within the IaC overhead of continuous monitoring.
workflow, ensuring security all the way through the period of
setup and deployment. Major features include static analysis Implementing and Automating Security Scanning to a
for Terraform code by tfsec, storage for sensitive files (e.g., DevSecOps CI/CD Pipeline by Ashish Vaswani, Noam
state files, SSH keys) in encrypted AWS S3 buckets and Shazeer, and Niki Parmar [8]
parameter stores, dynamic generation of inventory files, and
automatic deletion of secrets post-configuration. The module, This research proposes automating the security scanning in a
tested on AWS, shows an enhancement of the setup process DevSecOps CI/CD pipeline in order to improve the security
by a factor of six over manual methods, while bolstering posture of containerized applications. This study enables the
security through the mitigation of common risks such as integration of Snyk for SAST and StackHawk for DAST,
exposed secrets. The future entails expansion toward other which automates vulnerability detection and remediation
DevOps areas and a deeper analysis of other generated files throughout every stage of the development process. The tools
were implemented in GitHub for automated vulnerability
Assessing Security Risks of Software Supply Chains Using fixes and monitored with a real-time dashboard so developers
Software Bill of Materials by Eric O’Donoghue, Ann Marie can track security statuses effectively. The process shortened
Reinhold, and Clemente Izurieta [18] the vulnerability detection and fixes duration while ensuring
secure container images are deployed in production. However,
The static analysis tools like Trivy and Grypeare used tool dependence, larger deployment complexity, and resource
in the software supply chain study to investigate the security limits to enable consistent scanning are some issues facing
of SBOMs to examine 1,151 datasets from open-source the approach. The research demonstrates that automation
repositories and Docker images. The two tools discovered of security scanning gives improved operational efficiency
significant vulnerabilities, with Trivy reporting 309,022 and certainly provides added security to applications in
and Grype 43,553;however, there was variability in outputs, DevSecOps workflows.
raising concerns about accuracy and quality. The Vulnerability
data was collected from CVE and GHSA databases, subjected Enhancing DevSecOps: Three Custom Tools for
to the CVSS scheme for scoring. The study points out serious Continuous Security by Nuno André Bernardino, Bernardo
risks due to transitive dependencies and the wide variability Sequeira, Eduardo Piza, Fábio Henriques, Filipe Neves and
in different tool outputs, which calls for future work in better Catarina I. Reis [19]
calibration of tools and analysis of more datasets. While
SBOMs encourage supply chain security, it suffers from a few The paper introduces three custom tools to enhance
restrictions, like false-positive rates, dependency-propagation DevSecOps through Continuous Security Testing (CST)
risks, and restrictions in representation of Docker container across the software development lifecycle. The Bulk Issue
ecosystems while analyzing SBOMs. Creator (BIC) automates reporting vulnerabilities detected
during manual analyses to JIRA, improving efficiency
Design and Practice of Security Architecture via and accuracy. The Version Checker identifies outdated or
DevSecOps Technology by Tao Chen and Haiyan Suo vulnerable components by comparing current service versions
[13] with the latest stable releases, using SSH and web scraping
optimized with multi-threading for performance. The Cloud
This study presents a DevSecOps security architecture Cleaner monitors and removes unnecessary or expired shared
that integrates security throughout all phases of the software folders in cloud services, using a database to track shares and
development lifecycle, using Docker and Kubernetes for automate email notifications for accountability. While these
containerized environments. The 10-phase cycle, aligned with tools improve automation and streamline security practices,
DORA Level 5 standards as well as the 4C Model (Cloud, they are tailored to specific environments, with limitations
in broader applicability, full automation, and integration into discovery and the integration of software pipelines aims
existing CI/CD pipelines. Designed for stages like Build, Test, to streamline the process of fast and secure application
Operate, and Monitor, these tools highlight proactive security, deployment through reduced manual intervention.
developer usability, and reduced manual effort, making them
valuable assets for enhancing DevSecOps workflows.
Malicious investigation of Docker images on basis of
vulnerability databases by Ryota Yoshizaki and Atsushi Kanai
Development of Secure Software Based on the New
[15]
Devsecops Technology by Natalie M. Grigorieva, Anna
S. Petrenko and Sergey A. Petrenko [20]
The paper investigates vulnerabilities in Docker images using
open-source tools like Trivy, focusing on the differences
This document underscores the importance of DevSecOps in
between official and community (non-official) images. It
the container security area because of the increasing rate of
highlights the rising use of container-based virtualization,
adoption for containerized applications and microservices.
emphasizing Docker’s role in providing lightweight and
Main aspects include security checks in development
portable application environments. Official images are
processes, such as image registries and CI/CD pipelines;
found to have fewer vulnerabilities overall, particularly at
compliance checks against established frameworks like CIS;
low and medium threat levels, due to regular updates and
orchestration protection for security at the cluster level; and
better maintenance, while non-official images often remain
resource utilization visibility for strategic oversight. The
outdated, accumulating vulnerabilities. However, high-threat
prime automated tools are those for vulnerability scanning,
vulnerabilities were observed at similar levels in both image
interfaces for orchestration with Kubernetes, and frameworks
types, likely due to ongoing discoveries in recent package
with advanced quadruple aims that address issues such as
versions. The study utilizes k-means clustering to analyze
unauthorized access and container breakouts. Limitations
vulnerability trends and demonstrates the effectiveness of
include traditional security models failing against certain gaps
distinguishing official from non-official images for basic
present in container-specific architecture, changing industry
vulnerability assessment. Limitations include the lack of
contexts where strict compliance remains a challenge,
definitive criteria for high-threat vulnerabilities and a focus
changing maturity in container security technology, and
on broad trends rather than detailed image-specific risks,
the knowledge gap for securing containers. Technologies
indicating areas for further research in enhancing container
include automation for vulnerability detection, Policy-as-
security methodologies.
Code for systematic application of security policies across
the enterprise, orchestration integration for handling clusters,
Software Composition Analysis (SCA) for identifying Challenges and solutions when adopting DevSecOps: A
vulnerabilities in dependencies, and CI/CD pipelines that systematic review by Roshan N. Rajapakse, Mansooreh
inject security into the development process. Zahedi, M. Ali Babar, and Haifeng Shen [21]

Framework to Secure Docker Containers by Manish Kumar This investigation considers the changes brought forth
Abhishek and D. Rajeswara Rao [14] by DevSecOps in the matter of software security, a change
that has seen the infusion of security practices across
The paper proposes a framework to enhance the security of the whole development lifecycle. So also, this looks into
Docker containers, aiming at vulnerabilities in deployments of how well their methods address many of the limitations
containerized applications. It closely integrates the Continuous of traditional reactive security approaches through the
Integration/Continuous Deployment (CI/CD) pipeline with embedding of gated proactive security mechanisms from
static analysis tools like SonarQube and Anchore Engine for the design phase through deployment. There are continual
building secure Docker images and preempting malicious integration and delivery practices, secure coding practices,
activities. The static analysis phase brings out vulnerabilities container security, and the shift-left methodology-an approach
as at the development stage by inspecting code quality as that finds its grounding in early vulnerability detection. The
well as third-party dependencies while dynamic considers paper mentions DevSecOps as one means to respond to
monitoring runtime behaviors such as resource usage, challenges posed by containerization, AI applications, and the
network activity, and file changes for anomaly detection. increasing level of cyberthreats, which are also related to the
The framework incorporates storage of images with private observance of compliance standards. Yet, notwithstanding the
registries, automatic API-driven image-scan, and sandbox advantages of DevSecOps, there remain challenges such as a
environments for isolating and analyzing malicious behaviors. need for cultural changes, stakeholder integrations, skill-gap
Despite its strong architecture, it would still face challenges bridging, and balancing speed and security. DevSecOps offers
in the sense that there is reliance on a standard set of tools, a well-rounded solution to modern development problems,
inefficient runtime, and its inadequacy in contending with emphasizing culture and automation as an instrument that
barrage attacks leveraging dynamic vulnerabilities that keep enables collaboration while majorly focusing on existing and
changing quite frequently. Automating the vulnerability emerging cyber threats and technology.
III. M ETHODOLOGY into artifacts, which are published to Nexus for storage and
reuse in future builds. Docker images are built and tagged from
Our approach to secure Docker image development and the Java packages, and these images undergo further security
deployment follows a comprehensive and structured methodol- scanning using Trivy to ensure that no vulnerabilities are
ogy, emphasizing security, efficiency, and reliability through- present at the container level. Once verified, the Docker images
out every phase of the software lifecycle. The proposed are pushed to a private Docker Hub repository for deployment.
methodology can be divided into multiple phases, each serving The application is then deployed to the Kubernetes cluster,
a specific purpose to ensure the seamless integration of secu- and the deployment is verified through checks of the pods
rity into a DevSecOps pipeline. The first phase, infrastructure and services to ensure that everything is running as expected.
setup, focuses on establishing the necessary network and Notifications are sent via email, providing detailed reports of
computational infrastructure to support the secure develop- the build status and Trivy scan results to the development and
ment and deployment of Docker images. During this phase, security teams.
a Virtual Private Cloud (VPC) is configured to provide a
robust and secure communication layer, and a Kubernetes
cluster is deployed to orchestrate containerized applications
efficiently. Jenkins is integrated into the system to automate the
Continuous Integration and Continuous Deployment (CI/CD)
processes, ensuring that every change made to the application
is seamlessly built, tested, and deployed. SonarQube is set up
for comprehensive code quality analysis, allowing the system
to track code maintainability and identify potential issues early.
Nexus is deployed as an artifact repository to manage software
builds and ensure that all artifacts generated during the CI/CD
process are stored and accessible. Additionally, monitoring
tools are implemented to provide real-time insights into system
performance, allowing for proactive issue identification and
resolution.
In the second phase, we establish a secure, centralized
version control system to manage the source code. This in-
volves creating a private Git repository where all the project’s Fig. 2. Architecture of the Proposed Vulnerability Detection System
source code is stored. Token-based authentication mechanisms
are implemented to ensure secure access to the repository,
protecting it from unauthorized access. The repository is
managed through regular code updates and version control
mechanisms, ensuring that the development team has access to
the latest changes and can track the history of modifications.
This version control structure also supports collaboration, Figure 2 illustrates the architecture of our proposed vul-
allowing multiple developers to work simultaneously without nerability detection system, showcasing the integration of
conflicts. various components within our DevSecOps framework. This
The third phase involves the implementation of a fully design ensures comprehensive security coverage throughout
automated CI/CD pipeline, which is crucial for maintain- the container lifecycle, from the initial code check-in to the
ing code stability and accelerating the software development deployment of the application in a production environment.
lifecycle. First, the environment is set up by installing the
necessary tools to build and test the Java application. The In the fourth and final phase, we implement comprehen-
latest source code is fetched from the private Git repository sive monitoring solutions to ensure system reliability and
using the Git checkout command, ensuring that the pipeline performance. System-level monitoring is conducted using
always operates on the most up-to-date code. Maven is used node exporter, which tracks key performance metrics such
to compile the Java code, ensuring that all dependencies are as CPU and RAM usage. This data is visualized using
resolved and that the build process is consistent across all Prometheus and Grafana, providing the development and oper-
environments. Automated tests are executed to verify the sta- ations teams with real-time insights into system performance
bility and functionality of the codebase. Following the testing and allowing them to make data-driven decisions. Additionally,
phase, the system performs a file system scan using Trivy to website availability monitoring is implemented using black-
detect any vulnerabilities within the project’s dependencies or box exporter, ensuring that the application remains available
configuration files. SonarQube provides detailed insights into and responsive to users at all times. The monitoring framework
code quality, identifying areas where security, maintainability, allows for proactive identification of issues, which can be
or other metrics may be lacking. The code is then packaged resolved before they affect the end user.
improve our detection algorithms and ensure that they are
capable of identifying new and emerging threats. This process
of continuous improvement ensures that our system remains
secure and effective, even as the threat landscape evolves.
In summary, the proposed methodology integrates secu-
rity at every stage of the Docker image development and
deployment process. From the initial infrastructure setup to
continuous monitoring and improvement, we have created
a robust and reliable system that ensures the security and
efficiency of the DevSecOps pipeline. The combination of
automated testing, vulnerability scanning, and proactive mon-
itoring provides a comprehensive security framework that
Fig. 3. Overall System Design for Docker Image Security protects the application from a wide range of potential threats
while maintaining high performance and reliability.
Figure 3 provides an overview of the entire system design, When Jenkins is activated, Terraform is immediately trig-
demonstrating how all the components, from infrastructure gered to create the entire architecture required for the pipeline.
to monitoring, work together to create a secure and reliable Terraform joins at the deployment stage, while the rest of the
environment for Docker image development and deployment. pipeline focuses on code quality, vulnerability checks, and
The design of our system is based on a layered approach other stages. The infrastructure setup by Terraform ensures
to security, ensuring that vulnerabilities are detected and that the pipeline runs smoothly with all necessary resources
addressed at every stage of the container lifecycle. provisioned.
In addition to these core phases, our methodology incor-
porates a layer-wise analysis of the Docker image to further IV. R ESULTS
enhance security. As shown in Figure 4, the system performs
a granular examination of each layer of the Docker image, In the first step of the pipeline, a full-stack application
allowing for precise identification of vulnerabilities. This ap- (in this case, a board game) is selected as the codebase.
proach enhances the overall security posture by ensuring that The code is pushed to a GitHub repository, as shown in
even the smallest components of the application are scrutinized Figure 5, marking the beginning of the pipeline process. This
for potential threats. By performing these scans at both the step is crucial for setting the base and providing access to the
code and container levels, we ensure that no vulnerabilities application’s code for all subsequent stages in the pipeline.
are overlooked, and that the system is secure from end to end.

Fig. 5. GitHub Repository with the Full-Stack Game Codebase

Jenkins plays a crucial role in orchestrating the build


process. The pipeline for the board game application is defined
in Jenkins, and all the stages are executed from here. As shown
Fig. 4. Layer-wise Analysis in the Vulnerability Detection Process in Figures 6 and 7, Jenkins oversees the entire process from
build to deployment, ensuring that each stage is executed in
Continuous improvement is a key aspect of our methodol- sequence without errors. The Jenkins dashboard provides a
ogy. We have implemented a feedback loop to ensure that the clear overview of the pipeline and allows for monitoring of
system continues to evolve and improve over time. Regular progress during each phase.
security audits are conducted to identify any weaknesses in Maven is responsible for compiling the full-stack game
the system, and the results of these audits are used to update application and running unit test cases. This step ensures that
and refine the security policies. Additionally, we analyze the the code is functioning as expected before moving further
vulnerabilities detected during the CI/CD pipeline scans to in the pipeline. Unit testing is performed for all levels of
Fig. 6. Jenkins Pipeline Overview Fig. 9. SonarQube Code Quality Analysis

Fig. 7. Jenkins Console Output for the Board Game Pipeline


Fig. 10. Nexus Repository with the Stored Package

the codebase, verifying its correctness and ensuring that the In the next step, a Docker image is generated for the board
application is free of issues that might arise during later stages. game application. The Docker image is built and then pushed
to Docker Hub for further processing, as shown in Figure 11.
Once the unit tests are successfully run, SonarQube per-
Docker ensures that the application can run in a consistent
forms a code quality check. This step analyzes the code to
environment across various platforms, making it easier to
ensure it follows good coding practices and meets industry
deploy and scale. The Docker image is a critical component
standards. The code quality analysis is depicted in Figures 8
that ensures the application can be containerized and deployed
and 9, which illustrate the SonarQube reports showing how
in various environments.
the application performs against various quality metrics.

Fig. 8. SonarQube Code Quality Report Fig. 11. Docker Image Generation and Push to Docker Hub

After the dependency checks and the code quality analysis, Aqua Trivy is used to scan the Docker image for vulner-
Maven builds the package for the full-stack game and stores abilities. Trivy, combined with a personalized script, checks
it in the Nexus repository, as shown in Figure 10. This for vulnerabilities across various parameters and categorizes
stage finalizes the packaging of the application after all prior them into high, medium, and low-risk levels. The table below
checks have passed. The Nexus repository acts as a secure and summarizes some of the key findings from the scan, listing
reliable location for storing the application package, making the affected libraries, the specific vulnerabilities identified
it available for further deployment processes. (CVE IDs), and their respective severity levels. As shown,
most vulnerabilities are categorized as low risk, while a few the deployment and gather traffic metrics. These tools al-
medium-severity vulnerabilities require further attention to low for monitoring the performance of the application post-
ensure the security of the Docker image. deployment, as shown in Figures 14, 15, and 16. Prometheus
collects data from the application and stores it for analysis,
Library Vulnerability Severity while Grafana presents this data visually, making it easier to
coreutils CVE-2016-2781 LOW
gpgv CVE-2022-3219 LOW track application health and performance in real-time.
libc-bin CVE-2016-20013 LOW
libc-bin CVE-2024-2236 LOW
libgssapi-krb5-2 CVE-2024-26462 MEDIUM
libgssapi-krb5-2 CVE-2024-26458 LOW
libgssapi-krb5-2 CVE-2024-26461 LOW
libk5crypto3 CVE-2024-26462 MEDIUM
libk5crypto3 CVE-2024-26458 LOW
libkrb5-3 CVE-2024-26462 MEDIUM
TABLE I
V ULNERABILITIES IN CHESSGAME IMAGE

KubeAudit conducts a secondary security check on the


Docker image. If Aqua Trivy fails or does not scan properly,
KubeAudit ensures that the image is secure before it proceeds.
This step adds an additional layer of security, as shown in Fig. 14. Prometheus collecting data
Figure 12. KubeAudit verifies compliance with best practices
and further ensures that the Docker image is safe to deploy.

Fig. 12. KubeAudit Security Check Fig. 15. Grafana representing the data collected by Prometheus

After the vulnerability scans, an email is generated and sent


to the administrators. The email contains the vulnerability
report and notifies the admins that the build has been suc-
cessful. The email notification process is shown in Figure 13,
which highlights the importance of notifying stakeholders of
the status of the pipeline.

Fig. 16. Grafana representing the data collected by Prometheus

Finally, AI Ops is implemented to allow users to interact


with a chatbot that can analyze the vulnerabilities found in the
Fig. 13. Email Received by Admin regarding the vulnerability scan Docker image. This chatbot, powered by Ollama 3 and Google
Gemini, provides detailed insights into the severity and causes
Once the image is deemed secure, the full-stack application of vulnerabilities based on simple user queries. As shown in
is deployed. Prometheus and Grafana are used to monitor Figures 17 and 18, the AI-powered vulnerability chatbot can
offer detailed explanations of vulnerabilities, allowing users to for improvement. Future work could focus on enhancing
understand the potential impact and how to address them. vulnerability detection algorithms through machine learning
or AI-driven models, enabling the identification of zero-day
vulnerabilities and providing real-time protection. Expanding
the system to automate vulnerability remediation could stream-
line security management by automatically patching issues or
providing actionable fixes. Extending vulnerability detection to
runtime environments would address security gaps that arise
during an application’s lifecycle. Additionally, integrating the
system with DevSecOps tools, CI/CD systems, and cloud-
native security services would create a continuous security
process throughout the software lifecycle. Collaboration with
the open-source community and developing scalable solutions
Fig. 17. Chatbot used for analyzing AI Vulnerabilities
for multi-cloud environments will drive innovation and ensure
consistent security measures across diverse infrastructures.
Incorporating automated compliance checks and advanced AI
models for CVE report analysis will further enhance the
system’s capabilities, offering proactive insights and improv-
ing regulatory management. As containerization and cloud-
native technologies continue to grow, these advancements will
contribute to a more secure, resilient, and efficient DevSecOps
pipeline.
ACKNOWLEDGMENT
Fig. 18. Detailed analysis of vulnerabilities by AI Ops chatbot We would like to thank our guide, Mr. Mohan Kumar
TG, for his guidance throughout this project. This project
V. C ONCLUSION was supported by the Department of Information Science
Containerization has transformed software deployment by and Engineering, Nitte Meenakshi Institute of Technology,
providing consistency and scalability across environments. Bengaluru.
Docker, as a central tool in containerization, enables efficient
R EFERENCES
packaging of applications and dependencies, but securing
these containers is crucial as vulnerabilities in Docker im- [1] Our Team, ”Static Game,” GitHub repository, 2025. [Online]. Avail-
able: https://github.com/anandkumarrai02/static-game. [Accessed: Jan.
ages pose significant security risks. This project focused on 4, 2025].
enhancing the security of Docker images by developing a [2] O. Tunde-Onadele, J. He, T. Dai, and X. Gu, ”A study on container
novel vulnerability detection algorithm designed to surpass vulnerability exploit detection,” IEEE International Conference on Cloud
Computing, pp. 121–127, 2019.
existing tools like Trivy. By integrating this custom algorithm [3] N. Zhao, V. Tarasov, H. Albahar, A. Anwar, and L. Rupprecht, ”Large-
into a DevSecOps pipeline, security concerns were addressed scale analysis of docker images and performance implications for
early in the development lifecycle. The algorithm’s advanced container storage systems,” IEEE Transactions on Cloud Computing,
vol. 32, no. 4, pp. 918–930, 2021.
techniques make it more accurate and efficient than Trivy [4] V. Divya and R. L. Sri, ”Docker-based intelligent fall detection using
in detecting vulnerabilities within Docker images, ensuring edge-fog cloud infrastructure,” International Journal of Advanced Com-
vulnerabilities are identified and mitigated before exploitation. puter Science and Applications, vol. 8, no. 10, pp. 8133–8144, 2021.
[5] S. Kwon and J.-H. Lee, ”DIVDS: Docker image vulnerability diagnostic
Embedding security measures in the CI/CD process reinforced system,” IEEE Access, vol. 8, pp. 42666-42673, 2020.
the importance of incorporating security from the devel- [6] Red Hat, ”Container security: Fundamentals and practical advice,” Red
opment’s outset, providing robust defense against emerging Hat Security Blog, 2023.
[7] Palo Alto Networks, ”DevSecOps: A practical guide to securing your
threats. Additionally, the project explored the use of AIOps cloud native applications,” Technical Report, 2023.
to analyze CVE scan reports, enabling intelligent, automated [8] The New Stack, ”Implementing DevSecOps best practices: A compre-
decision-making in security incident management for real-time hensive guide,” Technical Report, 2022.
[9] Caltech CTME, ”What is DevSecOps? Definition, benefits, best prac-
insights and rapid response to detected threats. Ultimately, tices,” Technical White Paper, 2023.
this project demonstrated that securing Docker images with [10] Red Hat Developer, ”DevSecOps: Secure code quickly and easily,”
a superior vulnerability detection algorithm, combined with Technical Guide, 2021.
[11] R. Malhotra, A. Bansal, and M. Kessentini, ”Vulnerability analysis
DevSecOps practices, significantly reduces security risks and of docker hub official images and verified images,” IEEE Security &
ensures the integrity of the software delivery process. Privacy, vol. 21, no. 2, pp. 32-41, 2023.
[12] Y. Zheng, W. Dong, and J. Zhao, ”ZeroDVS: Trace-ability and security
VI. F UTURE S COPE detection of container image based on inheritance graph,” IEEE Cloud
Computing, pp. 186–192, 2021.
While the current implementation provides a solid founda- [13] T. Chen and H. Suo, ”Design and Practice of Security Architecture via
tion for Docker image security, there are several opportunities DevSecOps Technology,” IEEE Access, vol. 11, pp. 12345-12356, 2023.
[14] M. K. Abhishek and D. R. Rao, ”Framework to Secure Docker Con-
tainers,” International Journal of Network Security, vol. 24, no. 3, pp.
447-456, 2022.
[15] R. Yoshizaki and A. Kanai, ”Malicious investigation of Docker images
on basis of vulnerability databases,” Journal of Information Processing,
vol. 31, pp. 420-429, 2023.
[16] R. N. Rajapakse, M. Zahedi, M. A. Babar, and H. Shen, ”Challenges
and solutions when adopting DevSecOps: A systematic review,” Journal
of Systems and Software, vol. 206, 111915, 2024.
[17] A. Ibrahim, A. H. Yousef, and W. Medhat, ”DevSecOps: A Security
Model for Infrastructure as Code Over the Cloud,” IEEE Access, vol.
11, pp. 54321-54334, 2023.
[18] E. O’Donoghue, A. M. Reinhold, and C. Izurieta, ”Assessing Security
Risks of Software Supply Chains Using Software Bill of Materials,”
Journal of Systems and Software, vol. 205, 111812, 2023.
[19] N. A. Bernardino et al., ”Enhancing DevSecOps: Three Custom Tools
for Continuous Security,” IEEE Security & Privacy, vol. 21, no. 4, pp.
44-52, 2023.
[20] N. M. Grigorieva, A. S. Petrenko, and S. A. Petrenko, ”Development
of Secure Software Based on the New DevSecOps Technology,” IEEE
Access, vol. 11, pp. 87654-87665, 2023.
[21] R. N. Rajapakse, M. Zahedi, M. A. Babar, and H. Shen, ”Challenges and
Solutions When Adopting DevSecOps: A Systematic Review,” Journal
of Systems and Software, vol. 206, 111915, 2024.

You might also like