Security Misconfigurations Detection and Repair in Dockerfile

Containers offer a lightweight model for quick deployment of applications in cloud-based infrastructures, based on small, modular and transient services. Several companies in IT industry adopt this mode of deployment instead of hypervisor-based infrastructures for different reasons: container images are portable in any locations without the need of being modified, containers offer near-native performance and permit a high degree of scalability. Despite the numerous advantages, containerization technology raises different security concerns. In this regard, the most alarming factor is the minor layer of isolation between instances compared with hypervisor-based solutions. In this sense, the first barrier against several attacks is a container configured according to the most recent security best practices. Unfortunately, manually hardening containers in a wide and complex environment is an error-prone and time-consuming activity. For this reason, numerous tools has been designed in order to help developers in this task. Among the different containerization technologies, this work is focused on the de-facto standard in this field: Docker. In particular, this work aims to describe security misconfigurations that might affect Dockerfile and outline the current awareness of developers about them. We perform a thorough evaluation of existing tools that identify misconfigurations in Dockerfile, using well-know and publicly available datasets. As a result of this evaluation, we discuss how common are security misconfigurations in Dockerfiles and the lack of tools that help to automatically repair such misconfiguration. In order to fill this gap, we develop a system which allows detecting and automatically repairing security misconfiguration in Dockerfile.