Critical Examination of Security Evaluation Tools for Docker Images


Ergen S., KÖSESOY İ.

Journal of Information Science and Engineering, vol.42, no.1, pp.167-184, 2026 (SCI-Expanded, Scopus)

  • Publication Type: Article
  • Volume: 42 Issue: 1
  • Publication Date: 2026
  • Doi Number: 10.6688/jise.202601_42(1).0010
  • Journal Name: Journal of Information Science and Engineering
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, Compendex, Library, Information Science & Technology Abstracts (LISTA), zbMATH
  • Page Numbers: pp.167-184
  • Keywords: cyber security, docker images, docker security, scanning tools, software vulnerability, vulnerability scanning metric
  • Kocaeli University Affiliated: Yes

Abstract

Docker, a widely used platform for containerization in software development, brings convenience but also introduces security concerns. Unresolved vulnerabilities within Docker images can result in substantial financial losses and compromise sensitive data. This study examines the efficacy of vulnerability scanning tools in Docker environments, focusing on Trivy, Grype, and Snyk. To assess the performance of these scanners, 439 Docker images were analyzed. The scanning results were evaluated using the VSM and SVSM methods proposed in this study, alongside the traditional count-based metrics commonly used in the literature. The proposed evaluation metrics take into account not only the number of vulnerabilities but also their severity levels. Our findings reveal that even the most effective scanning tool fails to detect a significant number of vulnerabilities in Docker images. Using multiple scanning tools together was found to be more effective at detecting vulnerabilities, even when the second tool detected fewer vulnerabilities on its own.