A Systematic Mapping Study on Risks and Vulnerabilities in Software Containers

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Software containers are widely adopted for developing and deploying software applications. Despite their popularity, major security concerns arise during container development and deployment. Software Engineering (SE) research literature reveals a lack of reviewed, aggregated, and organized knowledge of risks, vulnerabilities, security practices, and tools in container-based systems development and deployment. Therefore, we conducted a Systematic Mapping Study (SMS) based on 129 selected primary studies to explore and organize existing knowledge on security issues in software container systems. Data from the primary studies enabled us to identify critical risks and vulnerabilities across the container life-cycle and categorize them using a novel taxonomy. Additionally, the findings highlight the causes and implications and provide a list of mitigation techniques to overcome these risks and vulnerabilities. Furthermore, we provide an aggregation of security practices and tools that can help support and improve the overall security of container systems. This study offers critical insights into the current landscape of security issues within software container systems. Our analysis highlights the need for future SE research to focus on security enhancement practices that strengthen container systems and develop effective mitigation strategies to comprehensively address existing risks and vulnerabilities.


💡 Research Summary

This paper presents a comprehensive systematic mapping study (SMS) of security risks and vulnerabilities in software container systems. By applying a rigorous SMS protocol, the authors searched five major scholarly databases (IEEE Xplore, ACM Digital Library, Scopus, Web of Science, and Science Direct) using the query “software AND container* AND risk* OR vulnerabilit*”. After duplicate removal, title/abstract screening, full‑text assessment, and backward snowballing, 129 primary studies were selected for analysis.

The study is driven by six sub‑research questions (RQ1–RQ6) that explore (1) the specific risks and vulnerabilities across the container life‑cycle, (2) security practices that mitigate these issues, (3) tools that support container security, (4) publication trends over time, (5) venues of dissemination, and (6) research methodologies employed.

A novel taxonomy is introduced that maps identified risks and vulnerabilities to the five canonical phases of the container life‑cycle: image selection, host configuration, container implementation, network/orchestration configuration, and runtime. For each phase, the authors classify items into a four‑layer structure—risk/vulnerability, root cause, impact, and mitigation technique. Key findings include:

  • Image Phase – image tampering, lack of registry authentication, outdated packages, and insecure base layers.
  • Host Phase – kernel‑level CVEs, excessive privileges, misconfigured security modules (AppArmor, SELinux).
  • Implementation Phase – hard‑coded secrets, filesystem isolation failures, namespace bypasses.
  • Network/Orchestration Phase – insufficient network policies, weak RBAC configurations, insecure service‑mesh settings.
  • Runtime Phase – container escape attacks, malicious code injection, resource‑limit evasion.

Root causes are traced to default‑configuration reliance, delayed patching, inadequate image provenance, complex orchestration tooling, and gaps in security awareness between development and operations teams. Impacts range from denial‑of‑service and data leakage to full system compromise and lateral movement within multi‑tenant environments.

The authors synthesize twelve mitigation strategies, including image signing and scanning (Notary, Trivy, Clair), continuous patch management, principle‑of‑least‑privilege execution, enforced security profiles (AppArmor, Seccomp), hardened network policies (Kubernetes NetworkPolicy), robust RBAC and OPA policies, secret management (Vault, Sealed Secrets), comprehensive logging and audit, runtime protection (Falco, Sysdig), orchestration hardening tools (Kube‑Bench, Kube‑Hunter), and integration of security checks into CI/CD pipelines.
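As an added illustration (not code from the paper or from this summary), the following Python audit ties a handful of the mitigation techniques above back to the life-cycle phases of the taxonomy: it inspects a Kubernetes pod spec, given as a plain dict, and reports each weakness under the phase it belongs to (image pinning, privileged/root execution and seccomp for the host phase, literal secrets in the environment for the implementation phase, host networking, and missing resource limits at runtime). The check names, the secret-name heuristic and both sample specs are assumptions constructed for this example.

```python
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")  # heuristic, constructed for this example
def image_is_pinned(image):
    """Pinned means a digest, or an explicit tag other than 'latest' on the last path segment."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # ignore a registry port such as host:5000/
    return ":" in last and not last.endswith(":latest")

def audit_pod_spec(spec):
    """Return (phase, finding) tuples; phase names follow the taxonomy above."""
    findings = []
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork"):
        findings.append(("network", "pod shares the host network namespace"))
    if "seccompProfile" not in pod_sc:
        findings.append(("host", "no pod-level seccompProfile set"))
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if not image_is_pinned(c.get("image", "")):
            findings.append(("image", f"{name}: image not pinned to a tag or digest"))
        if sc.get("privileged"):
            findings.append(("host", f"{name}: privileged container"))
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) and sc.get("runAsUser", 0) == 0:
            findings.append(("host", f"{name}: runs as root"))
        for env in c.get("env", []):  # a literal 'value' on a secret-looking name
            if "value" in env and any(h in env.get("name", "").upper() for h in SECRET_HINTS):
                findings.append(("implementation", f"{name}: literal secret in env {env['name']}"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("runtime", f"{name}: no resource limits"))
    return findings

# Constructed sample specs (not taken from any real deployment).
WEAK_POD = {
    "hostNetwork": True,
    "containers": [{"name": "web", "image": "nginx:latest",
                    "securityContext": {"privileged": True},
                    "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}],
}
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx:1.25.3",
                    "securityContext": {"runAsUser": 10001, "allowPrivilegeEscalation": False},
                    "env": [{"name": "DB_PASSWORD",
                             "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
}
if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod_spec(pod))
```

The weak spec yields one finding per phase of the taxonomy, while the hardened spec yields none; a real admission-time check would also cover the orchestration-level items (RBAC, NetworkPolicy) that a single pod spec cannot express.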

Security practices distilled from the literature amount to eleven categories: secure configuration management, regular image scanning, timely patching, minimal privilege assignment, network segmentation, secret handling, audit/log monitoring, threat‑intelligence integration, security training, Infrastructure‑as‑Code validation, and disaster‑recovery planning.

Tool analysis enumerates image scanners, runtime monitors, orchestration security plugins, secret vaults, and policy engines, detailing their functionalities, strengths, and typical deployment scenarios.

Meta‑analysis of the selected studies reveals a sharp increase in publications after 2017, peaking between 2020 and 2022. The majority appear in peer‑reviewed venues such as IEEE Transactions on Dependable and Secure Computing, ACM CCS, and Elsevier’s Journal of Systems and Software. Methodologically, the field is balanced among experiments (≈45 %), case studies (≈30 %), surveys/interviews (≈15 %), and literature reviews (≈10 %).

In the discussion, the authors note that existing research predominantly focuses on risk identification rather than on systematic mitigation, automation, or real‑time threat detection. They call for future work on quantitative risk‑mitigation models, security in multi‑cloud and edge deployments, AI‑driven anomaly detection, and the integration of security controls throughout DevSecOps pipelines.

Overall, this study provides a structured, taxonomy‑driven overview of container security, aggregates practical practices and tooling, highlights research gaps, and offers a roadmap for both practitioners and scholars aiming to strengthen the security posture of container‑based software systems.

