DFScan: Security Scanner of the Dockerfile Based on Instruction Coverage and Attack Perspective

HUMAN-CENTRIC COMPUTING AND INFORMATION SCIENCES (2024)

Abstract
With the development and widespread use of cloud technology, container technology plays an essential role in the Internet-of-Things field. However, containers also face security threats, mainly because security flaws in a Dockerfile loom over the entire lifecycle of a Docker container, and previous Dockerfile scanning solutions are not enough. They mainly focus on the grammar problems of a Dockerfile or the reason for a build error, or focus only on the security of the packages in it. To solve the problem of insufficient security-scanning capabilities, we introduce DFScan, a Dockerfile security scanning system that complements existing scanning capabilities. We transform the raw content of a Dockerfile into structured data and design appropriate analysis rules to extract potential vulnerabilities based on existing best practices and container attack tools. Using DFScan, we analyzed the security problems of 10,064 Dockerfile projects with a high star ranking on GitHub for more than 30 mainstream risk types, and the results show that more than 90% of the projects suffer from at least one security risk. Moreover, DFScan has higher problem coverage and more inspection types than Hadolint, DAYS, and Shipwright.
Keywords
Dockerfile, Docker Security, DFScan, Instruction Coverage, Attack Perspective