Smart policy-driven scanning of Docker images
Description
Docker has become the de-facto standard for containerised application delivery. Hundreds of companies in Switzerland develop, deploy and operate Docker-packaged software regularly, often involving publicly available Docker images produced by third parties. For banks, insurers and other companies with high compliance requirements, this poses a risk because the origin and content of the images are unknown. Therefore, only approved images are allowed to be used, and approval is conditional on passing quality scanning, which is mostly a manual analysis process performed by experts.
The questions are: What does a suitable policy language look like? How can we flag images as having been scanned by a trustworthy scanner? Can we use machine learning to learn over time whether one source of container images is more trustworthy than another? How can we make the scanner invocation resilient while minimising the time it needs to be connected to the Internet? Is the open source tool Clair suitable as a basis for the planned product?
Key data
Project lead
Deputy project lead
Project team
Panagiotis Gkikopoulos
Project partner
Puzzle ITC GmbH
Project status
completed, 03/2020 - 07/2020
Institute/Centre
Institut für Informatik (InIT)
Third-party funder
Innovationsscheck / Projekt Nr. 43731.1 INNO-ICT