Journal of Information Security Research (信息安全研究) ›› 2023, Vol. 9 ›› Issue (8): 792-.

• Technical Applications •

Research on Security Risks and Protection of Container Images (容器镜像安全风险与防护研究)

Chen Yan (陈妍)1, Zhang Fu (张福)2, Hu Jun (胡俊)2

  1. The Third Research Institute of the Ministry of Public Security (公安部第三研究所), Shanghai 200031
  2. Beijing Shengxin Network Technology Co., Ltd. (北京升鑫网络科技有限公司), Beijing 100093
  • Online: 2023-08-01  Published: 2023-09-05
  • Corresponding author: Chen Yan (陈妍), Ph.D., associate research fellow. Main research interests: network security, cloud computing security, security testing, evaluation and certification. 271608809@qq.com
  • Author biographies: Chen Yan (陈妍), Ph.D., associate research fellow. Main research interests: network security, cloud computing security, security testing, evaluation and certification. 271608809@qq.com. Zhang Fu (张福), professor-level senior engineer. Main research interests: network attack and defense, data security, cloud computing security, host security. zhangfu@qingteng.cn. Hu Jun (胡俊). Main research interests: cloud-native security, data security, host security. jun.hu@qingteng.cn

Research on Security Risks and Protection of Container Images


Abstract (Chinese version): As enterprises accelerate their digital transformation and seek to deepen the digitalization of industry, more and more of them adopt container technology to improve the productivity and scalability of their business. A container image contains the packaged application and its dependencies, together with the process information used at startup, and is the basis on which a container runs. Container images, however, also carry many insecure factors. To address the problem at its source and reduce the security risks and threats a container faces once it is running, full-lifecycle management of container images is required. This paper first surveys the advantages that container images bring to application development and deployment and analyzes the security risks that container images face. On that basis, it proposes key protection technologies for container images across three stages, build, distribution and runtime, and develops a container image security scanning tool that can scan the images of applications and underlying infrastructure built on container technology. The tool has shown good results in practice and can help enterprises achieve full-lifecycle image security protection.

Keywords (Chinese version): container image, image registry, image scanning, image security, full lifecycle

Abstract: As digital transformation speeds up, more and more enterprises adopt container technology to improve business productivity and scalability and to deepen the process of industrial digital transformation. As the basis for container operation, container images contain packaged applications and their dependencies, as well as the process information needed for container instantiation. However, container images also have various insecure factors. In order to solve the problem at the source and reduce the security risks and threats faced by containers after they are instantiated, full-lifecycle management of container images should be implemented. In this paper, the advantages that container images bring to application development and deployment were investigated, and the security risks faced by container images were analyzed. Key technologies for container image security protection across the three stages of construction, distribution, and operation were proposed, and a container image security scanning tool was developed that can scan container images for applications and underlying infrastructure that use container technology. It was shown to have good practical effects and can help enterprises achieve full-lifecycle image security protection.

Key words: container image, image registry, image scanning, image security, full lifecycle