Jurnal Algoritma
Vol 22 No 2 (2025): Jurnal Algoritma

A Tripartite Analysis of Docker Security: Evaluating Vulnerability Detection Methods, Registries, and Services

Widyanto Utomo, Arya (Unknown)
Ghozi, Wildanil (Unknown)
Umam, Chaerul (Unknown)
Article Info

Publish Date
30 Nov 2025

Abstract

The adoption of Docker as the standard container platform poses new security challenges, particularly regarding vulnerabilities in public images. This study evaluates the effectiveness of three vulnerability scanning methods for Docker images: direct scanning, vendor-integrated SBOM scanning, and cross-vendor SBOM scanning, using Trivy and Grype on 36 images from three major registries (Docker Official, Bitnami, Chainguard). The results show that direct scanning and vendor-integrated SBOM scanning produce identical detections (12,023 vulnerabilities with Trivy; 8,950 with Grype), while cross-vendor SBOM scanning drops dramatically, by more than 90% (only 800–790 findings). Chainguard proved to be the most secure, while Docker Official was the most vulnerable (e.g., python:latest had 2,053 vulnerabilities). Programming-language base images (Rust: 3,825; Node.js: 3,816) were also riskier than specialized service images (Redis: 341; MongoDB: 351). This research developed a framework for evaluating the effectiveness of cross-approach vulnerability scanning and strengthened the theory of software supply chain security through the concept of SBOM provenance dependency, which became the basis for a multi-phase vulnerability scanning framework and recommendations for secure container deployment.

Copyrights © 2025
Journal Info

Abbrev

algoritma

Publisher

Subject

Computer Science & IT

Description

Jurnal Algoritma is a journal used to publish research results in the fields of Information Technology (IT), Information Systems (IS), Software Engineering (SE), Multimedia (MM), and Computer Science (Computer ...