{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,14]],"date-time":"2025-11-14T07:37:16Z","timestamp":1763105836900,"version":"3.37.3"},"reference-count":27,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,11,23]],"date-time":"2021-11-23T00:00:00Z","timestamp":1637625600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,11,23]],"date-time":"2021-11-23T00:00:00Z","timestamp":1637625600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Universidad de Le\u00f3n-Instituto Nacional de Ciberseguridad"},{"name":"Universidad de Le\u00f3n"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"published-print":{"date-parts":[[2022,1]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Current Continuous Integration (CI) processes face significant intrinsic cybersecurity challenges. The idea is not only to solve and test formal or regulatory security requirements of source code but also to adhere to the same principles to the CI pipeline itself. This paper presents an overview of current security issues in CI workflow. It designs, develops, and deploys a new tool for the secure deployment of a container-based CI pipeline flow without slowing down release cycles. The tool, called <jats:italic>SecDocker<\/jats:italic> for its Docker-based approach, is publicly available in GitHub. It implements a transparent application firewall based on a configuration mechanism avoiding issues in the CI workflow associated with intended or unintended container configurations. Integrated with other DevOps Engineers tools, it provides feedback from only those scenarios that match specific patterns, addressing future container security issues.<\/jats:p>","DOI":"10.1007\/s42979-021-00939-4","type":"journal-article","created":{"date-parts":[[2021,11,23]],"date-time":"2021-11-23T14:02:45Z","timestamp":1637676165000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["SecDocker: Hardening the Continuous Integration Workflow"],"prefix":"10.1007","volume":"3","author":[{"given":"David","family":"Fern\u00e1ndez Gonz\u00e1lez","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8400-7079","authenticated-orcid":false,"given":"Francisco Javier","family":"Rodr\u00edguez Lera","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gonzalo","family":"Esteban","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Camino","family":"Fern\u00e1ndez Llamas","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,11,23]]},"reference":[{"key":"939_CR1","doi-asserted-by":"publisher","unstructured":"Bass L, Holz R, Rimba P, Tran AB, Zhu L. Securing a deployment pipeline. In: 2015 IEEE\/ACM 3rd International workshop on release engineering; 2015, pp. 4\u20137 https:\/\/doi.org\/10.1109\/RELENG.2015.11.","DOI":"10.1109\/RELENG.2015.11"},{"key":"939_CR2","unstructured":"Berkovich S, Kam J, Wurster G. UBCIS: Ultimate benchmark for container image scanning. In: 13th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20). USENIX Association (2020). https:\/\/www.usenix.org\/conference\/cset20\/presentation\/berkovich. Available online March, 2021."},{"issue":"3","key":"939_CR3","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1109\/MCC.2014.51","volume":"1","author":"D Bernstein","year":"2014","unstructured":"Bernstein D. Containers and cloud: from LXC to docker to kubernetes. IEEE Cloud Comput. 2014;1(3):81\u20134. https:\/\/doi.org\/10.1109\/MCC.2014.51.","journal-title":"IEEE Cloud Comput."},{"issue":"1","key":"939_CR4","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1145\/2723872.2723882","volume":"49","author":"C Boettiger","year":"2015","unstructured":"Boettiger C. An introduction to docker for reproducible research. ACM SIGOPS Oper Syst Rev. 2015;49(1):71\u20139. https:\/\/doi.org\/10.1145\/2723872.2723882.","journal-title":"ACM SIGOPS Oper Syst Rev."},{"key":"939_CR5","unstructured":"Bou\u00a0Ghantous G, Gill A. Devops: concepts, practices, tools, benefits and challenges. In: Proceedings of the 21st Pacific-Asia conference on information systems (PACIS2017). AIS Electronic Library (AISeL) 2017"},{"key":"939_CR6","doi-asserted-by":"publisher","unstructured":"Chelladhurai J, Chelliah PR, Kumar SA. Securing Docker containers from Denial of Service (DoS) attacks. In: 2016 IEEE International Conference on Services Computing (SCC), pp. 856\u2013859. IEEE 2016. https:\/\/doi.org\/10.1109\/SCC.2016.123.","DOI":"10.1109\/SCC.2016.123"},{"issue":"5","key":"939_CR7","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1109\/MCC.2016.100","volume":"3","author":"T Combe","year":"2016","unstructured":"Combe T, Martin A, Di Pietro R. To docker or not to docker: a security perspective. IEEE Cloud Comput. 2016;3(5):54\u201362. https:\/\/doi.org\/10.1109\/MCC.2016.100.","journal-title":"IEEE Cloud Comput."},{"key":"939_CR8","doi-asserted-by":"publisher","first-page":"176","DOI":"10.1016\/j.jss.2015.06.063","volume":"123","author":"B Fitzgerald","year":"2017","unstructured":"Fitzgerald B, Stol KJ. Continuous software engineering: a roadmap and agenda. J Syst Softw. 2017;123:176\u201389. https:\/\/doi.org\/10.1016\/j.jss.2015.06.063.","journal-title":"J Syst Softw."},{"key":"939_CR9","unstructured":"Goyal P. CIS docker community edition benchmark. PDF. https:\/\/www.cisecurity.org\/benchmark\/docker. Available online March, 2021."},{"key":"939_CR10","doi-asserted-by":"publisher","unstructured":"Hilton M, Nelson N, Tunnell T, Marinov D, Dig D. Trade-offs in continuous integration: assurance, security, and flexibility. In: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering, 2017;197\u2013207 https:\/\/doi.org\/10.1145\/3106237.3106270.","DOI":"10.1145\/3106237.3106270"},{"key":"939_CR11","volume-title":"Continuous delivery: reliable software releases through build, test, and deployment automation","author":"J Humble","year":"2010","unstructured":"Humble J, Farley D. Continuous delivery: reliable software releases through build, test, and deployment automation. London: Pearson Education; 2010."},{"key":"939_CR12","doi-asserted-by":"publisher","unstructured":"Jabbari R, bin Ali N, Petersen K, Tanveer B. What is DevOps? a systematic mapping study on definitions and practices. In: Proceedings of the Scientific Workshop Proceedings of XP2016, 2016;1\u201311 https:\/\/doi.org\/10.1145\/2962695.2962707.","DOI":"10.1145\/2962695.2962707"},{"key":"939_CR13","doi-asserted-by":"publisher","unstructured":"Kang H, Le M, Tao S. Container and microservice driven design for cloud infrastructure DevOps. In: 2016 IEEE International Conference on Cloud Engineering (IC2E), pp. 202\u2013211. IEEE 2016. https:\/\/doi.org\/10.1109\/IC2E.2016.26.","DOI":"10.1109\/IC2E.2016.26"},{"key":"939_CR14","doi-asserted-by":"publisher","unstructured":"Krueger T, Gehl C, Rieck K, Laskov P. Tokdoc: A self-healing web application firewall. In: Proceedings of the 2010 ACM symposium on applied computing, SAC \u201910, p. 1846\u20131853. Association for computing machinery, New York, NY, USA 2010. https:\/\/doi.org\/10.1145\/1774088.1774480.","DOI":"10.1145\/1774088.1774480"},{"key":"939_CR15","unstructured":"Lam T, Chaillan N, Ranks P. DoD enterprise DevSecOps reference design version 1.0. Tech. rep., Department of Defense, Chief information officer (2019). https:\/\/dodcio.defense.gov\/Portals\/0\/Documents\/DoDEnterprise DevSecOps Reference Design v1.0_Public Release.pdf. Accessed Mar 2021"},{"key":"939_CR16","doi-asserted-by":"publisher","DOI":"10.1145\/3359981","author":"L Leite","year":"2019","unstructured":"Leite L, Rocha C, Kon F, Milojicic D, Meirelles P. A survey of devops concepts and challenges. ACM Comput Surv. 2019. https:\/\/doi.org\/10.1145\/3359981.","journal-title":"ACM Comput Surv."},{"key":"939_CR17","unstructured":"MacDonald N, Head I. DevSecOps: how to seamlessly integrate security into DevOps. Tech rep Gartner Tech Rep 2016"},{"key":"939_CR18","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1016\/j.comcom.2018.03.011","volume":"122","author":"A Martin","year":"2018","unstructured":"Martin A, Raponi S, Combe TRD. Docker ecosystem-vulnerability analysis. Comput Commun. 2018;122:30\u201343. https:\/\/doi.org\/10.1016\/j.comcom.2018.03.011.","journal-title":"Comput Commun."},{"issue":"239","key":"939_CR19","first-page":"2","volume":"2014","author":"D Merkel","year":"2014","unstructured":"Merkel D. Docker: lightweight linux containers for consistent development and deployment. Linux J. 2014;2014(239):2.","journal-title":"Linux J."},{"issue":"3","key":"939_CR20","doi-asserted-by":"publisher","first-page":"24","DOI":"10.1109\/MCC.2015.51","volume":"2","author":"C Pahl","year":"2015","unstructured":"Pahl C. Containerization and the PaaS cloud. IEEE Cloud Comput. 2015;2(3):24\u201331. https:\/\/doi.org\/10.1109\/MCC.2015.51.","journal-title":"IEEE Cloud Comput."},{"key":"939_CR21","doi-asserted-by":"publisher","first-page":"501","DOI":"10.1007\/978-3-319-26961-0_29","volume-title":"Information systems security","author":"S Prandl","year":"2015","unstructured":"Prandl S, Lazarescu M, Pham DS. A study of web application firewall solutions. In: Jajoda S, Mazumdar C, editors. Information systems security. Cham: Springer; 2015. p. 501\u201310."},{"key":"939_CR22","doi-asserted-by":"publisher","first-page":"3909","DOI":"10.1109\/ACCESS.2017.2685629","volume":"5","author":"M Shahin","year":"2017","unstructured":"Shahin M, Babar MA, Zhu L. Continuous integration, delivery and deployment: a systematic review on approaches, tools, challenges and practices. IEEE Access. 2017;5:3909\u201343. https:\/\/doi.org\/10.1109\/ACCESS.2017.2685629.","journal-title":"IEEE Access."},{"key":"939_CR23","doi-asserted-by":"publisher","unstructured":"Smeds J, Nybom K, Porres I. DevOps: A definition and perceived adoption impediments. In: International conference on agile software development. Springer; 2015. pp 166\u2013177 https:\/\/doi.org\/10.1007\/978-3-319-18612-2_14.","DOI":"10.1007\/978-3-319-18612-2_14"},{"key":"939_CR24","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-190","volume-title":"Application container security guide","author":"M Souppaya","year":"2017","unstructured":"Souppaya M, Morello J, Scarfone K. Application container security guide. National Institute of Standards and Technology: Tech Rep; 2017."},{"key":"939_CR25","doi-asserted-by":"crossref","unstructured":"Tesfatsion SK, Klein C, Tordsson J. Virtualization techniques compared: performance, resource, and power usage overheads in clouds. In: Proceedings of the 2018 ACM\/SPEC international conference on performance engineering; 2018. pp. 145\u2013156","DOI":"10.1145\/3184407.3184414"},{"key":"939_CR26","unstructured":"Turnbull J. The Docker book: containerization is the new virtualization. James Turnbull 2014"},{"key":"939_CR27","unstructured":"Vase T. Integrating Docker to a Continuous Delivery pipeline: a pragmatic approach. Master\u2019s thesis, University of Jyv\u00e4skyl\u00e4n (2016). https:\/\/jyx.jyu.fi\/handle\/123456789\/52756. Accessed Mar 2021"}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-021-00939-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-021-00939-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-021-00939-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,10]],"date-time":"2022-01-10T18:46:40Z","timestamp":1641840400000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-021-00939-4"}},"subtitle":["Wrapping the container layer"],"short-title":[],"issued":{"date-parts":[[2021,11,23]]},"references-count":27,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1]]}},"alternative-id":["939"],"URL":"https:\/\/doi.org\/10.1007\/s42979-021-00939-4","relation":{},"ISSN":["2662-995X","2661-8907"],"issn-type":[{"type":"print","value":"2662-995X"},{"type":"electronic","value":"2661-8907"}],"subject":[],"published":{"date-parts":[[2021,11,23]]},"assertion":[{"value":"31 March 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 October 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 November 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"80"}}