Container image security detection method and system based on custom features

By constructing custom feature objects and using open-source scanners to parse image metadata, the problem of insufficient security protection for container images in existing technologies is solved, enabling real-time, diversified security detection and report generation for images.

CN116226845BActive Publication Date: 2026-06-05SHANDONG LANGCHAO YUNTOU INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHANDONG LANGCHAO YUNTOU INFORMATION TECH CO LTD
Filing Date
2022-12-21
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing container image security tools mainly focus on vulnerability scanning and cannot effectively prevent malicious programs and configuration file tampering in the image. Furthermore, hackers can inject malicious code through Dockerfiles, leading to security risks.

Method used

By constructing custom feature objects, parsing image metadata with a scanner and matching it with custom rules, security alerts are generated. Combined with the open-source Clamav scanner to detect malicious code, diversified security protection for images is achieved.

Benefits of technology

It enables targeted security protection for images, detects changes in image content in real time, generates custom feature scanning reports, and reduces the risk of security vulnerability exposure.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116226845B_ABST
    Figure CN116226845B_ABST
Patent Text Reader

Abstract

The application discloses a container image security detection method and system based on self-defined features, and belongs to the technical field of container image security detection, and aims to solve the technical problem of how to conduct targeted security protection on image security in a multi-element security scene mode. The method comprises the following steps: constructing an image feature object and storing the image feature object in a database in the form of a registry, wherein the image feature object is a set of self-defined rules, and the rules are used to define detection behaviors for security evaluation of image features; for an image package pulled from an image warehouse, a scanner is used to analyze the metadata of the image to obtain an analysis result, and the analysis result is stored in a feature database; and the analysis result is evaluated based on the self-defined rules in the image feature object, and a security alarm is generated if the analysis result matches unsafe behaviors defined in the rules.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of container image security detection technology, specifically to a container image security detection method and system based on custom features. Background Technology

[0002] With the rapid development of microservice architecture, containerized deployment has become the most popular production method, and more and more applications are adopting container technology for deployment. As container technology becomes more widely used, the security of container images has become a critical issue. Containers are built based on images; if an image contains serious vulnerabilities, malware, or Trojans, then containers deployed based on it will have serious security risks. Therefore, image security directly determines container security.

[0003] Due to the convenience of containerized deployment, most applications rely on image packaging. As applications become more complex and diverse, these images also become increasingly large and complex. Typically, a container image should only contain the application's binary files and their dependencies. However, in practice, container images are often quite large. Some widely used system-level base images already install many utility software tools. While some of these features do offer convenience during debugging and deployment, the combination of convenience and the diversity of tools the image depends on also introduces security vulnerabilities.

[0004] Most container image security tools on the market currently only support signature-based vulnerability scanning. As images become more complex, the vulnerabilities that hackers may exploit will also increase, including malicious modification of image configuration files and malicious implantation of viruses and Trojans. These attacks can be automated by exploiting security vulnerabilities in Dockerfiles and Docker Compose.

[0005] Traditional security scanning typically involves a one-way process: scanning and extracting vulnerabilities from the image and matching these vulnerabilities against CVE signature databases. If vulnerabilities are found, a notification is issued. Its primary function is to scan for CVE vulnerabilities in the system's underlying layers and application components within the image. However, simple vulnerability scanning cannot provide complete and effective protection for the security of image containers. For example, attackers may upload images containing viruses, Trojans, or other malicious programs to an image repository. These malicious Trojans can also run through backdoors within the container, posing a security risk.

[0006] Meanwhile, hackers can also inject malicious commands into Dockerfiles to launch container attacks. They can write malicious commands into Dockerfiles, add malicious users, or directly import vulnerable applications and links via remote commands like apt-get, yum, and curl. If these malicious scripts are injected into a Dockerfile, the resulting container may also be vulnerable or exploited. For example, hackers can modify a malicious Dockerfile with special privileges to execute a vulnerability during compilation and gain access to trigger code. If no user is specified in the Dockerfile, the image will start the container using the root user, potentially exposing the host machine's root access to attackers. This could allow attackers to obtain password information stored in the Dockerfile, leading to a risk of data leakage.

[0007] In diverse security scenarios, how to implement targeted security measures for image security is a technical problem that needs to be solved. Summary of the Invention

[0008] The technical objective of this invention is to address the above-mentioned shortcomings by providing a container image security detection method and system based on custom features, thereby solving the technical problem of how to conduct targeted security protection for images in diverse security scenarios.

[0009] In a first aspect, the present invention provides a container image security detection method based on custom features, comprising the following steps:

[0010] A mirror feature object is constructed and stored in a database in the form of a registry. The mirror feature object is a set of custom rules, which are used to define the detection behavior for security assessment of the mirror feature.

[0011] For image packages pulled from the image repository, the scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database;

[0012] The parsing results are evaluated based on custom rules defined in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated.

[0013] Preferably, the mirror feature includes:

[0014] name, where name represents the feature name of the mirrored feature;

[0015] rules, where rules represent a set of rules used to detect and analyze results;

[0016] The action represents the evaluation result, including three states: go, stop, and warn.

[0017] params, where params represents a set of detection credentials describing the security characteristics of the image used for detection;

[0018] The gate refers to the detection resources that define image characteristics, including vulnerabilities and Dockerfiles.

[0019] Preferably, for image packages pulled from an image repository, the image's metadata is parsed using a scanner to obtain the parsing results, including the following steps:

[0020] Retrieve metadata about the image from the registry. If the retrieval is successful, pass the image parsing task to the message queue.

[0021] When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector. The obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layers, operating system package file data and NPM package file data. The operating system package includes RPM, DEB and APKG.

[0022] Even better, it also includes the following steps: detecting malicious code embedded in the image using the open-source clamav malware scanner.

[0023] Preferably, the method includes the following steps:

[0024] Monitor the image. When the content of the image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a detection notification is triggered. A trigger is then activated to issue the detection notification. Based on the detection notification, a new image package is pulled from the image repository. For the new image package, the following operations are performed:

[0025] The scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database;

[0026] The parsing results are evaluated based on custom rules in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated.

[0027] While pulling the image package from the image repository, the corresponding tag of the image package is also pulled. After importing the parsing result of the image package into the feature database, the update history log of the image is updated. By changing the history log, the image corresponding to the current tag is marked as updated.

[0028] In a second aspect, the present invention provides a container image security detection system based on custom features, used to perform security detection on a container image using a container image security detection method based on custom features as described in any one of the first aspects, the system comprising:

[0029] The feature management module calls the feature service engine to construct mirrored feature objects and build a registry based on the feature objects to record the feature objects in the form of a registry. The mirrored feature objects are a set of custom rules, which are used to define the detection behaviors for security assessment of the mirrored features.

[0030] The image monitoring module is used to monitor the image repository and pull image packages from the image repository.

[0031] The image analysis module calls a scanner to perform feature parsing on the image's metadata to obtain the parsing results, and then calls an analyzer to perform feature evaluation on the parsing results based on custom rules in the image's feature objects. If the parsing results match the insecure behaviors defined in the rules, a security alarm is generated.

[0032] A feature database, which stores the parsing results sent by the scanner;

[0033] A database for storing the registry entries sent by the feature service engine.

[0034] Preferably, the mirror feature includes:

[0035] name, where name represents the feature name of the mirrored feature;

[0036] rules, where rules represent a set of rules used to detect and analyze results;

[0037] The action represents the evaluation result, including three states: go, stop, and warn.

[0038] params, where params represents a set of detection credentials describing the security characteristics of the image used for detection;

[0039] The gate refers to the detection resources that define image characteristics, including vulnerabilities and Dockerfiles.

[0040] Preferably, for image packages pulled from an image repository, the scanner is used to parse the image's metadata and obtain the parsing results through the following steps:

[0041] Retrieve metadata about the image from the registry. If the retrieval is successful, pass the image parsing task to the message queue.

[0042] When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector. The obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layers, operating system package file data and NPM package file data. The operating system package includes RPM, DEB and APKG.

[0043] Preferably, the system also includes a malicious code detection module, which is used to call the open-source Clamav malware scanner to detect malicious code embedded in the image. If malicious code is found in the image, a security warning is generated.

[0044] Preferably, the image monitoring module is used to monitor images. When the content of an image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a trigger is activated to issue a detection notification. Based on the detection notification, the image monitoring module is used to pull a new image package from the image repository. For the new image package, the image analysis module is used to perform the following operations:

[0045] The scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database;

[0046] The parsing results are evaluated based on custom rules in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated.

[0047] The image monitoring module is used to pull image packages from the image library and simultaneously pull the corresponding tags of the image packages. The image analysis module is used to import the parsing results corresponding to the image packages into the feature database, update the update history log corresponding to the image, and mark the image corresponding to the current tag as updated by changing the history log.

[0048] The container image security detection method and system based on custom features of the present invention have the following advantages:

[0049] 1. Targeted protection of image security through custom features: Pre-released images can be imported into storage in advance. The image can be analyzed and detected in a variety of ways by combining a feature analyzer with custom features. This includes evaluating and collecting commonly used attack features of hackers. The feature evaluation results and vulnerability matching reports are notified to users in real time, realizing the container image detection service.

[0050] 2. Monitor the image and repeatedly execute the detection service at regular intervals to ensure real-time detection of the changed image;

[0051] 3. When pulling the image package, obtain the tag corresponding to the image. After performing metadata analysis on the current image, update the update history log corresponding to the image. By changing the history log, mark the image corresponding to the current tag as updated, thus realizing real-time detection and recording of images under version updates. Attached Figure Description

[0052] To more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0053] The invention will be further described below with reference to the accompanying drawings.

[0054] Figure 1 This is a flowchart of a container image security detection method based on custom features, as described in Example 1. Detailed Implementation

[0055] The present invention will be further described below with reference to the accompanying drawings and specific embodiments, so that those skilled in the art can better understand and implement the present invention. However, the embodiments are not intended to limit the present invention. In the absence of conflict, the embodiments of the present invention and the technical features in the embodiments can be combined with each other.

[0056] This invention provides a container image security detection method and system based on custom features, which addresses the technical problem of how to conduct targeted security protection for images in diverse security scenarios.

[0057] Example 1:

[0058] The present invention provides a container image security detection method based on custom features, comprising the following steps:

[0059] S100. Construct a mirror feature object and store the mirror feature object in the database in the form of a registry. The mirror feature object is a set of custom rules, which are used to define the detection behavior for security assessment of mirror features.

[0060] S200. For image packages pulled from the image repository, the image metadata is analyzed by a scanner to obtain the analysis results, and the analysis results are stored in the feature database.

[0061] S300. Based on the custom rules in the mirror feature object, perform feature evaluation on the parsing result. If the parsing result matches the insecure behavior defined in the rules, generate a security alarm.

[0062] Step S100 involves defining a custom mirror feature object using the feature engine. This mirror feature object is a set of rules encapsulated in JSON format, with each rule defining the check behavior to be performed. Specifically, the mirror feature object consists of name, rules, action, and gate, as follows:

[0063] name: Feature name;

[0064] rules: A set of rule definitions used to detect matching results;

[0065] action: Evaluation result, including three states: go, stop, and warn;

[0066] params: A set of detection credentials describing the security characteristics of the image used for detection;

[0067] gate: Defines the resources for detecting image characteristics, including vulnerabilities and dockerfiles.

[0068] Step S200 involves monitoring the image. The user manually or periodically triggers a trigger, which sends a detection notification. Based on this notification, the image package is pulled from the image repository, and a scanner performs feature parsing on the image's metadata to obtain the parsing results, which are then stored in the feature database. Specifically, this process includes the following steps:

[0069] The system retrieves metadata about the image from the registry. If the retrieval is successful, the image parsing task is passed to the message queue. By caching the parsing task in the message queue, multiple tasks can be started to process the image simultaneously, which can reduce service pressure and avoid the abnormal suspension of the detection service due to task blocking and backlog.

[0070] When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector. The obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layers, operating system package file data and NPM package file data. The operating system includes RPM, DEB and APKG.

[0071] Based on the above analysis results, feature evaluation is performed on the analysis results based on the custom rules in the mirror feature object. If the analysis results match the unsafe behaviors defined in the rules, a security alert is generated.

[0072] As an improvement to this embodiment, the method monitors the image. When the content in the image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a trigger is activated to issue a detection notification. Based on the detection notification, a new image package is pulled from the image repository. For the new image package, the following operations are performed:

[0073] (1) The metadata of the image is parsed by the scanner to obtain the parsing result, and the parsing result is stored in the feature database;

[0074] (2) Based on the custom rules in the mirror feature object, perform feature evaluation on the parsing result. If the parsing result matches the unsafe behavior defined in the rules, generate a security alarm.

[0075] In the above improved embodiment, the image is monitored, and after a change in the image content is detected, a notification trigger is issued to send a detection notification. Based on the detection notification, steps S200 and S300 are executed to perform feature parsing on the image's metadata, and the parsing result is evaluated using custom rules in the image feature object to achieve security detection of the image.

[0076] Considering that the image version is updated at any time, in this embodiment, the image package is pulled from the image library along with the corresponding tag. After the parsing result of the image package is imported into the feature database, the update history log of the image is updated. By changing the history log, the image corresponding to the current tag is marked as updated.

[0077] When a change in an image's tag is detected, a notification trigger sends a detection notification. Based on this notification, the system retrieves a new image package from the image repository, performs feature parsing on the image's metadata using a scanner, stores the parsing results in a feature database, and then updates the corresponding update history log. By updating the change history log, the image corresponding to the current tag is marked as updated, indicating that the image of the current version or status has undergone metadata analysis. Subsequently, the parsing results are evaluated based on custom rules defined in the image feature object. If the parsing results match the insecure behaviors defined in the rules, a security alert is generated.

[0078] As an improvement, the method in this embodiment detects malicious code embedded in the image using the open-source clamav malware scanner.

[0079] The method provided in this embodiment scans for Trojans and executable malicious commands installed in backdoors through feature evaluation, and performs image inspection and analysis platform, supports analysis, inspection, and security scanning, and provides scan reports with custom features for container images, such as blacklists, whitelists, and custom rules.

[0080] Example 2:

[0081] This invention discloses a container image security detection system based on custom features, comprising a feature management module, an image monitoring module, an image analysis module, a feature database, and a database. This system is used to perform security detection on container images using a container image security detection method based on custom features disclosed in Embodiment 1.

[0082] The feature management module calls the feature service engine, constructs a mirror feature object through the feature service engine, and builds a registry based on the feature object to record the feature object in the form of a registry. The mirror feature object is a set of custom rules, which are used to define the detection behavior for security assessment of the mirror feature.

[0083] The mirror feature object is a set of rules encapsulated in JSON format. Each rule defines the check behavior to be performed. Specifically, the mirror feature object consists of name, rules, action, and gate, as follows:

[0084] name: Feature name;

[0085] rules: A set of rule definitions used to detect matching results;

[0086] action: Evaluation result, including three states: go, stop, and warn;

[0087] params: A set of detection credentials describing the security characteristics of the image used for detection;

[0088] gate: Defines the resources for detecting image characteristics, including vulnerabilities and dockerfiles.

[0089] The image monitoring module is used to monitor the image repository and pull image packages from it. The module monitors images, and users can manually or periodically trigger triggers. After the trigger issues a detection notification, the image monitoring module pulls image packages from the image repository based on that notification.

[0090] The image analysis module calls the scanner to perform feature parsing on the image's metadata to obtain the parsing results. Then, it calls the analyzer to evaluate the parsing results based on the custom rules in the image's feature objects. If the parsing results match the insecure behaviors defined in the rules, a security alert is generated.

[0091] In a specific implementation, the image analysis module obtains the analysis results by performing feature parsing on the image's metadata through a scanner using the following steps:

[0092] (1) Retrieve metadata about the image from the registry. If the retrieval is successful, pass the parsing task of the image to the message queue. By caching the parsing task in the message queue, multiple tasks can be started to process the image at the same time, which can reduce service pressure and avoid the abnormal suspension of the detection service due to task blocking and accumulation.

[0093] (2) When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector, and the obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layer, operating system package file data and NPM package file data. The operating system includes RPM, DEB and APKG.

[0094] Based on the above analysis results, the mirror analysis module is used to evaluate the features of the analysis results based on the custom rules in the mirror feature object. If the analysis results match the unsafe behaviors defined in the rules, a security alarm is generated.

[0095] The feature database is used to store the parsing results sent by the scanner.

[0096] The database is used to store the registry entries sent by the feature service engine.

[0097] As an improvement to this embodiment, the image monitoring module is used to monitor images. When the content in the image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a trigger is activated to issue a detection notification. Based on the detection notification, the image monitoring module is used to pull a new image package from the image repository. For the new image package, the image analysis module is used to perform the following operations:

[0098] (1) The metadata of the image is parsed by the scanner to obtain the parsing result, and the parsing result is stored in the feature database;

[0099] (2) Based on the custom rules in the mirror feature object, perform feature evaluation on the parsing result. If the parsing result matches the unsafe behavior defined in the rules, generate a security alarm.

[0100] Considering that the image version is updated at any time, in this embodiment, the image monitoring module is used to pull the image package from the image library and simultaneously pull the tag corresponding to the image package. The image analysis module is used to import the parsing result corresponding to the image package into the feature database, update the update history log corresponding to the image, and mark the image corresponding to the current tag as updated by changing the history log.

[0101] When a change in an image's tag is detected, a notification trigger sends a detection notification. Based on this notification, the system retrieves a new image package from the image repository, performs feature parsing on the image's metadata using a scanner, stores the parsing results in a feature database, and then updates the corresponding update history log. By updating the change history log, the image corresponding to the current tag is marked as updated, indicating that the image of the current version or status has undergone metadata analysis. Subsequently, the parsing results are evaluated based on custom rules defined in the image feature object. If the parsing results match the insecure behaviors defined in the rules, a security alert is generated.

[0102] As an improvement to this embodiment, the system also includes the open-source clamav malware scanner, which detects malicious code embedded in the image.

[0103] The system can execute the method disclosed in Embodiment 1, scan for Trojans installed in backdoors and executable malicious commands through feature evaluation, and perform image inspection and analysis platform, supporting analysis, inspection, and security scanning, and providing scan reports with custom features for container images, such as blacklists, whitelists, and custom rules.

[0104] The present invention has been shown and described in detail above with reference to the accompanying drawings and preferred embodiments. However, the present invention is not limited to these disclosed embodiments. Based on the above embodiments, those skilled in the art will know that more embodiments of the present invention can be obtained by combining the code review methods in the different embodiments. These embodiments are also within the protection scope of the present invention.

Claims

1. A container image security detection method based on custom features, characterized in that... Includes the following steps: A mirror feature object is constructed and stored in a database in the form of a registry. The mirror feature object is a set of custom rules, which are used to define the detection behavior for security assessment of the mirror feature. For image packages pulled from the image repository, the scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database; The parsing results are evaluated based on custom rules in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated. The mirror features include: name, where name represents the feature name of the mirrored feature; rules, where rules represent a set of rules used to detect and analyze results; The action represents the evaluation result, including three states: go, stop, and warn. params, where params represents a set of detection credentials describing the security characteristics of the image used for detection; The gate refers to the detection resources that define image characteristics, including vulnerabilities and Dockerfiles; Specifically, for image packages pulled from the image repository, the image's metadata is parsed using a scanner to obtain the parsing results, including the following steps: Retrieve metadata about the image from the registry. If the retrieval is successful, pass the image parsing task to the message queue. When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector. The obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layers, operating system package file data and NPM package file data. The operating system includes RPM, DEB and APKG. The method includes the following steps: Monitor the image. When the content of the image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a trigger is activated to issue a detection notification. Based on the detection notification, a new image package is pulled from the image repository. For the new image package, the following operations are performed: The scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database; The parsing results are evaluated based on custom rules in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated. While pulling the image package from the image repository, the corresponding tag of the image package is also pulled. After importing the parsing result of the image package into the feature database, the update history log of the image is updated. By changing the history log, the image corresponding to the current tag is marked as updated.

2. The container image security detection method based on custom features according to claim 1, characterized in that... It also includes the following steps: detecting malicious code embedded in the image using the open-source Clamav malware scanner.

3. A container image security detection system based on custom features, characterized in that, The system includes: The feature management module calls the feature service engine to construct mirrored feature objects and build a registry based on the feature objects to record the feature objects in the form of a registry. The mirrored feature objects are a set of custom rules, which are used to define the detection behaviors for security assessment of the mirrored features. The image monitoring module is used to monitor the image repository and pull image packages from the image repository. The image analysis module calls a scanner to perform feature parsing on the image's metadata to obtain the parsing results, and then calls an analyzer to perform feature evaluation on the parsing results based on custom rules in the image's feature objects. If the parsing results match the insecure behaviors defined in the rules, a security alarm is generated. A feature database, which stores the parsing results sent by the scanner; A database for storing the registry sent by the feature service engine; The mirror features include: name, where name represents the feature name of the mirrored feature; rules, where rules represent a set of rules used to detect and analyze results; The action represents the evaluation result, including three states: go, stop, and warn. params, where params represents a set of detection credentials describing the security characteristics of the image used for detection; The gate refers to the detection resources that define image characteristics, including vulnerabilities and Dockerfiles; Specifically, for image packages pulled from the image repository, the scanner is used to parse the image's metadata and obtain the parsing results through the following steps: Retrieve metadata about the image from the registry. If the retrieval is successful, pass the image parsing task to the message queue. When performing the parsing task, the software packages, software libraries and configuration files of each layer of the image are checked by the feature detector. The obtained feature data is stored in the feature database as the parsing result. The feature data includes metadata, image layers, operating system package file data and NPM package file data. The operating system package includes RPM, DEB and APKG. The image monitoring module is used to monitor images. When the content of an image changes, the CVE or security vulnerability in the image changes, or the policy assessment status of the image's corresponding tag changes, a trigger is issued to send a detection notification. Based on the detection notification, the image monitoring module is used to pull a new image package from the image repository. For the new image package, the image analysis module is used to perform the following operations: The scanner performs feature parsing on the image's metadata to obtain the parsing results, and stores the parsing results in the feature database; The parsing results are evaluated based on custom rules in the mirror feature object. If the parsing results match the unsafe behaviors defined in the rules, a security alert is generated. The image monitoring module is used to pull image packages from the image library and simultaneously pull the corresponding tags of the image packages. The image analysis module is used to import the parsing results corresponding to the image packages into the feature database, update the update history log corresponding to the image, and mark the image corresponding to the current tag as updated by changing the history log.

4. The container image security detection system based on custom features according to claim 3, characterized in that... The system also includes a malicious code detection module, which calls the open-source Clamav malware scanner to detect malicious code embedded in the image. If malicious code is found in the image, a security warning is generated.