Options
DockerCleaner: Automatic repair of security smells in dockerfiles
Publikationstyp
Conference Paper
Publikationsdatum
2023-10
Sprache
English
Author
Start Page
160
End Page
170
Article Number
195314
Citation
39th IEEE International Conference on Software Maintenance and Evolution (ICSME 2023)
Contribution to Conference
Publisher DOI
Scopus ID
Publisher
Institute of Electrical and Electronics Engineers Inc.
Docker is a widely adopted platform that enables developers to create lightweight and isolated containers for deploying applications. These containers can be replicated from a single blueprint specified by a text file known as a Dockefile. The Dockerfile smells might not only hinder the performance of containers but also potentially introduce security risks. State-of-The-Art scanning tools, such as Hadolint and KICS, are available to efficiently detect Dockerfile smells. Still, there is a lack of approaches focusing on resolving these issues. Therefore, we present DockerCleaner, an automated repair tool that suggests fixes for eleven Dockerfile security smell types. Our tool employs the repair actions inspired by the best security practices for writing Dockerfiles. The evaluation results show that DockerCleaner can remove the artificially injected security smells from 92.67% of the Dockerfiles and guarantee the buildability for 99.33% of them. Specifically for security smells in real Dockerfiles, DockerCleaner outperforms the state-of-The-Art repair tool by a wide margin. Finally, we leveraged the fixes generated by DockerCleaner to propose improvements to twelve official Docker images. Eight pull requests have been accepted and merged by the developers.
Schlagworte
Automatic Repair
Docker
Security Smells
DDC Class
620: Engineering