
Vulnerability Management for Containers across Continuous Integration and Continuous Delivery (CI/CD) Pipelines

Majumder, Shafayat Hossain ORCID: https://orcid.org/0009-0008-0401-6014 (2025) Vulnerability Management for Containers across Continuous Integration and Continuous Delivery (CI/CD) Pipelines. Masters thesis, Concordia University.

Text (application/pdf)
Shafayat_Thesis_CU.pdf - Accepted Version
Restricted to Repository staff only until 31 August 2026.
Available under License Spectrum Terms of Access.
11MB

Abstract

The rapid adoption of containerized workloads and Continuous Integration and Continuous Delivery (CI/CD) pipelines continually reshapes the vulnerability landscape and adds new challenges for vulnerability management. For instance, frequent version updates, short release cycles, and evolving dependency structures cause vulnerabilities to appear, change, or vanish across container versions, turning vulnerability management from a static task into a dynamic process that must balance tight delivery constraints against continuously shifting security risks.
Despite progress in all four stages of vulnerability management (detection, prioritization, planning, and remediation), existing tools fall short in several respects when applied end-to-end in fast-paced CI/CD settings: pre-deployment scanners trade coverage for speed; static severity scores overlook how risk evolves across versions; prioritization planners optimize each version independently; and post-deployment monitors struggle with multi-stage and chained exploits. The result is misprioritization, redundant effort, and avoidable exposure.

This thesis addresses these limitations by introducing two complementary frameworks that together provide an end-to-end, CI/CD-aware vulnerability management strategy for evolving containerized software, covering all four stages. First, to strengthen the decision stages of vulnerability management, prioritization and planning, we propose CHRONOS, a framework built on the observation that vulnerability risk evolves with container image versioning through package debloating, dependency drift, and CVE chaining, and which treats vulnerability prioritization as a sequential decision-making problem rather than a per-version optimization task. Specifically, we first curate and analyze a longitudinal dataset of 259,532 container image versions across 10,146 repositories, spanning over 10 years and 16 software categories. From this dataset, we then empirically derive 12 evolutionary factors that capture CI/CD-specific requirements for vulnerability prioritization, covering both security and efficiency. Based on these factors, we finally build an evolution-aware prioritization method that leverages reinforcement learning to dynamically balance the tight delivery schedule against evolving security risks. The effectiveness of CHRONOS is evaluated on real-world images, showing that it reduces per-image exposed risk by up to 77% and remediation delay by 45% over state-of-the-art tools.

Second, to strengthen the other two stages of vulnerability management, detection and remediation, we propose JANUS, a unified framework that integrates incremental, layer-aware vulnerability prevention with stateful, multi-source exploit-chain mitigation. The pre-deployment component identifies modified layers, reuses historical scan results to satisfy CI/CD time budgets, and applies conservative automated patching to address version-pinning and outdated-package issues. The post-deployment component constructs abstract signatures over system and network events to identify multi-stage attack progression with minimal performance overhead.
Our experimental evaluation on 346 container images (including all 146 official and 200 widely used community images) and 20 representative CVEs indicates that JANUS achieves 42.4% improved vulnerability coverage relative to widely used scanners while reducing analysis latency by 79.6%. Furthermore, JANUS successfully detects all tested exploit chains that elude single-source intrusion detection systems.

Together, CHRONOS and JANUS thus show that evolution-aware prioritization and proactive-to-runtime protection significantly enhance the security of containerized CI/CD pipelines while maintaining the operational velocity demanded of modern software.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Majumder, Shafayat Hossain
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 15 December 2025
Thesis Supervisor(s): Majumdar, Suryadipta
ID Code: 996593
Deposited By: Shafayat Hossain Majumder
Deposited On: 29 Jun 2026 14:44
Last Modified: 29 Jun 2026 14:44
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
