Malicious Compliance: Reflections on Trusting Container Scanners

May 01, 2023 (36 min)

Description

This talk explores the effectiveness and trustworthiness of container image scanners. The presenters, Ian Coldwater, Duffie Cooley, Brad Geesaman, and Rory McCune, demonstrate how certain image building techniques can be used to intentionally bypass these scanning tools. They break down the various methods container scanners use to identify vulnerabilities, such as analyzing OS metadata, package databases, and embedded binary information. The presentation highlights the discrepancies in results between different scanners and even between direct image scans and scans of Software Bill of Materials (SBOMs). Ultimately, the talk emphasizes the importance of understanding the limitations of these tools, the potential for "malicious compliance" where an image appears compliant but is not truly secure, and the need for better security policies and adversarial thinking in tool development.
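One defender-side check that follows from the description, as an added example that is not the talk's or the presenters' code: audit an exported image root filesystem for the inputs scanners read (os-release, the distro package database, and whether ELF binaries are present with no package record behind them), so an image that would "scan clean" for lack of metadata is flagged before a scanner ever sees it. It assumes the image has already been flattened to a directory (for instance with `docker export` and `tar -x`); the rootfs layout and sample files are constructed for the example.

```python
# Added example, not code from the talk: audit an exported image root filesystem (assumed already
# flattened to a directory) for the inputs scanners rely on: os-release, package DB, ELF binaries.
import os
import tempfile
# Package databases scanners read, keyed by os-release ID / ID_LIKE values.
PACKAGE_DBS = {"debian": ["var/lib/dpkg/status"], "alpine": ["lib/apk/db/installed"],
               "rhel": ["var/lib/rpm/rpmdb.sqlite", "var/lib/rpm/Packages"]}

def parse_os_release(root):
    # Returns the key/value pairs from /etc/os-release, or None when the file is absent.
    path = os.path.join(root, "etc", "os-release")
    if not os.path.isfile(path):
        return None
    pairs = (line.strip().partition("=") for line in open(path, encoding="utf-8", errors="replace"))
    return {k: v.strip('"') for k, sep, v in pairs if sep and not k.startswith("#")}

def has_elf_binaries(root):
    # True if any regular file in a bin directory starts with the ELF magic.
    for rel in ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin"):
        d = os.path.join(root, rel)
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            p = os.path.join(d, name)
            if os.path.isfile(p) and not os.path.islink(p) and open(p, "rb").read(4) == b"\x7fELF":
                return True
    return False

def audit_rootfs(root):
    # Returns findings; an empty list means the scanner inputs look intact.
    info = parse_os_release(root)
    families = [] if info is None else [info.get("ID", "")] + info.get("ID_LIKE", "").split()
    dbs = [p for fam in families for p in PACKAGE_DBS.get(fam, [])]
    findings = []
    if info is None:
        findings.append("os-release missing: scanner cannot select a distro vulnerability feed")
    elif not any(os.path.exists(os.path.join(root, p)) for p in dbs):
        findings.append(f"no package database for {families[0]!r}: OS packages are not inventoried")
    if findings and has_elf_binaries(root):
        findings.append("ELF binaries shipped without package metadata: image may scan clean")
    return findings

def build_sample_rootfs(with_pkgdb=True):
    # Constructed Debian-like rootfs in a temp dir, with or without the dpkg database.
    root = tempfile.mkdtemp()
    files = [("etc/os-release", b'ID=debian\nVERSION_ID="12"\n'), ("usr/bin/app", b"\x7fELF" + bytes(12))]
    if with_pkgdb:
        files.append(("var/lib/dpkg/status", b"Package: libc6\nVersion: 2.36-9\n\n"))
    for rel, data in files:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").write(data)
    return root
```

Run `audit_rootfs(build_sample_rootfs(with_pkgdb=False))` to see both findings; with the package database present it returns an empty list, which is what an admission policy would require before trusting a scanner's verdict.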