Smart policy-driven scanning of Docker images
At a glance
- Project leader : Dr. Josef Spillner
- Deputy of project leader : Christof Marti
- Project team : Panagiotis Gkikopoulos
- Project status : completed
- Funding partner : Innosuisse (Innovationsscheck / Projekt Nr. 43731.1 INNO-ICT)
- Project partner : Puzzle ITC GmbH
- Contact person : Josef Spillner
Description
Docker has become the de facto standard for containerised application delivery. Hundreds of companies in Switzerland develop, deploy and operate Docker-packaged software regularly, often involving publicly available Docker images produced by third parties. For banks, insurers and other companies with high compliance requirements, this poses a risk due to the unknown origin and content of the images. Therefore, only approved images are allowed to be used, and the approval is conditional on passing quality scanning, which is mostly a manual analysis process carried out by experts. The questions are: What does a suitable policy language look like? How can we flag images as having been scanned by a trustworthy scanner? Can we use machine learning to learn over time whether one source of container images is more trustworthy than another? How can we make the scanner invocation resilient while minimising the time it needs to be connected to the Internet? Is the open source tool Clair suitable as a base for the planned product?