Majumder, Shafayat Hossain
ORCID: https://orcid.org/0009-0008-0401-6014
(2025)
Vulnerability Management for Containers across Continuous Integration and Continuous Delivery (CI/CD) Pipelines.
Masters thesis, Concordia University.
Text (application/pdf)
Shafayat_Thesis_CU.pdf (11 MB) - Accepted Version. Restricted to Repository staff only until 31 August 2026. Available under License Spectrum Terms of Access.
Abstract
The rapid adoption of containerized workloads and Continuous Integration and Continuous Delivery (CI/CD) pipelines continually reshapes the vulnerability landscape and adds new challenges for vulnerability management. For instance, frequent version updates, short release cycles, and evolving dependency structures cause vulnerabilities to appear, change, or vanish across container versions, turning vulnerability management from a static task into a dynamic process that must balance tight delivery constraints against continuously shifting security risk.
Despite progress in all four stages of vulnerability management (detection, prioritization, planning, and remediation), existing tools fall short in several respects when applied end-to-end in fast-paced CI/CD settings: pre-deployment scanners trade coverage for speed; static severity scores overlook how risk evolves across versions; prioritization planners optimize each version independently; and post-deployment monitors struggle with multi-stage and chained exploits. The result is misprioritization, redundant effort, and avoidable exposure.
This thesis addresses these limitations by introducing two complementary frameworks that together provide an end-to-end, CI/CD-aware vulnerability management strategy for evolving containerized software, covering all four stages. First, to strengthen the decision stages of vulnerability management, prioritization and planning, we propose CHRONOS, a framework built on the observation that vulnerability risk evolves with container image versioning through package debloating, dependency drift, and CVE chaining, and which therefore treats vulnerability prioritization as a sequential decision-making problem rather than a per-version optimization task. Specifically, we first curate and analyze a longitudinal dataset of 259,532 container image versions across 10,146 repositories, spanning over 10 years and 16 software categories. From this dataset, we then empirically derive 12 evolutionary factors that capture CI/CD-specific requirements for vulnerability prioritization, covering both security and efficiency. Based on these factors, we finally build an evolution-aware prioritization method that uses reinforcement learning to dynamically balance the tight delivery schedule against evolving security risk. Evaluated on real-world images, CHRONOS reduces per-image exposed risk by up to 77% and remediation delay by 45% compared with state-of-the-art tools.
Second, to strengthen the other two stages of vulnerability management, detection and remediation, we propose JANUS, a unified framework that integrates incremental, layer-aware vulnerability prevention with stateful, multi-source exploit-chain mitigation. The pre-deployment component identifies modified layers, reuses historical scan results for the unchanged ones to stay within CI/CD time budgets, and applies conservative automated patching to address version-pinning and outdated-package issues. The post-deployment component constructs abstract signatures over system and network events to identify multi-stage attack progression with minimal performance overhead.
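The layer-aware, incremental scan described above can be illustrated with a small cache keyed by layer digest. The following is an added example written for this page, not JANUS's own code; the layer digests, package names, vulnerability identifiers and image definitions are all constructed placeholders, and the assumed image model is an ordered list of layers in which a later layer may upgrade or remove a package installed by an earlier one.

```python
"""Layer-aware incremental image scanning with a per-layer inventory cache.

Added illustration, not JANUS's own code. Assumptions (constructed for the
example): an image is an ordered list of layer digests; extracting a layer's
package inventory is the expensive step; a later layer may override a package
version or remove the package (version None) from an earlier layer.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str


# Constructed per-layer inventories keyed by a fake layer digest.
# A version of None models a later layer removing the package.
LAYER_PACKAGES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "sha256:base-v1":  [("libssl-x", "1.0"), ("libz-x", "1.2")],
    "sha256:app-v1":   [("libxml-x", "2.9")],
    "sha256:app-v2":   [("libxml-x", "3.0")],      # app layer rebuilt with a fixed version
    "sha256:tools-v1": [("curl-x", "7.0")],
    "sha256:slim-v1":  [("curl-x", None)],         # debloating layer removes the tool
}

# Constructed vulnerability database; identifiers are placeholders, not real CVEs.
VULN_DB: Dict[Tuple[str, str], List[str]] = {
    ("libssl-x", "1.0"): ["EXAMPLE-0001"],
    ("libxml-x", "2.9"): ["EXAMPLE-0002"],
    ("curl-x", "7.0"):   ["EXAMPLE-0003"],
}

# Three successive versions of one image, each sharing layers with the previous one.
IMAGE_V1 = ["sha256:base-v1", "sha256:app-v1", "sha256:tools-v1"]
IMAGE_V2 = ["sha256:base-v1", "sha256:app-v2", "sha256:tools-v1"]
IMAGE_V3 = ["sha256:base-v1", "sha256:app-v2", "sha256:tools-v1", "sha256:slim-v1"]


def extract_layer(digest: str) -> List[Tuple[str, Optional[str]]]:
    """Stand-in for unpacking a layer and listing its packages (the costly step)."""
    return list(LAYER_PACKAGES[digest])


class IncrementalScanner:
    def __init__(self) -> None:
        self.cache: Dict[str, List[Tuple[str, Optional[str]]]] = {}
        self.extractions = 0  # how many layers were actually unpacked

    def scan_image(self, layers: List[str]) -> Set[Finding]:
        # Walk layers in order so that later layers win. The cache holds the
        # per-layer inventory, not a per-layer verdict: a plain union of cached
        # findings would keep reporting packages that a later layer upgraded
        # or removed, and would miss advisories published after the cache entry.
        effective: Dict[str, Optional[str]] = {}
        for digest in layers:
            if digest not in self.cache:          # same digest => same bytes => same inventory
                self.cache[digest] = extract_layer(digest)
                self.extractions += 1
            for package, version in self.cache[digest]:
                effective[package] = version
        findings: Set[Finding] = set()
        for package, version in effective.items():
            if version is None:
                continue  # removed by a later layer
            for vuln_id in VULN_DB.get((package, version), []):
                findings.add(Finding(vuln_id, package, version))
        return findings


def vuln_ids(findings: Set[Finding]) -> Set[str]:
    return {f.vuln_id for f in findings}


if __name__ == "__main__":
    scanner = IncrementalScanner()
    for name, image in (("v1", IMAGE_V1), ("v2", IMAGE_V2), ("v3", IMAGE_V3)):
        ids = sorted(vuln_ids(scanner.scan_image(image)))
        print(f"{name}: {ids} (layers unpacked so far: {scanner.extractions})")
```

Scanning v1 unpacks three layers; v2 unpacks only the rebuilt app layer and v3 only the new debloating layer, while the reported findings still track what is actually present in the final filesystem. The design point worth keeping is that the cache stores the inventory per digest and the vulnerability lookup is redone on every scan, so a cache hit never hides an advisory that appeared after the layer was first seen.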
Our experimental evaluation on 346 container images (all 146 official images and 200 widely used community images) and 20 representative CVEs shows that JANUS achieves 42.4% higher vulnerability coverage than widely used scanners while reducing analysis latency by 79.6%. JANUS also detects every tested exploit chain that eludes single-source intrusion detection systems.
Together, CHRONOS and JANUS show that evolution-aware prioritization and proactive-to-runtime protection significantly improve the security of containerized CI/CD pipelines while preserving the operational velocity that modern software delivery demands.
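The claim that a multi-stage chain can elude a single-source detector is easiest to see with a stateful correlator that walks an abstract signature over events from both a system monitor and a network monitor. The following is an added example written for this page, not JANUS's signatures or code; the four-stage signature, the event format, the container names and every event in the stream are constructed, and the detector is deliberately simple (strict ordering, one partial match per container, a fixed time window).

```python
"""Stateful multi-source exploit-chain detection over an abstract signature.

Added illustration, not JANUS's own signatures or code. Assumptions: events
from a system monitor ("sys") and a network monitor ("net") are normalized to
(timestamp, source, container, kind, attrs); a signature is an ordered list of
(source, predicate) stages that must match in order, per container, inside a
time window. All events below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    ts: float
    source: str                              # "sys" or "net"
    container: str                           # correlation key across sources
    kind: str                                # "accept", "exec", "connect", ...
    attrs: Tuple[Tuple[str, str], ...] = ()

    def get(self, key: str) -> Optional[str]:
        return dict(self.attrs).get(key)


Stage = Tuple[str, Callable[[Event], bool]]

# Hypothetical four-stage chain: a request reaches the app, the app spawns a
# shell, the shell runs a download tool, and the tool reaches outside 10.0.0.0/8.
WEB_TO_EGRESS: List[Stage] = [
    ("net", lambda e: e.kind == "accept" and e.get("dport") == "8080"),
    ("sys", lambda e: e.kind == "exec" and e.get("path") in ("/bin/sh", "/bin/bash")),
    ("sys", lambda e: e.kind == "exec" and e.get("path") == "/usr/bin/curl"),
    ("net", lambda e: e.kind == "connect" and not (e.get("dst") or "").startswith("10.")),
]


class ChainDetector:
    """Tracks, per container, how far the signature has progressed."""

    def __init__(self, signature: Sequence[Stage], window: float) -> None:
        self.signature = signature
        self.window = window
        self.state: Dict[str, Tuple[int, float]] = {}   # container -> (next stage, start ts)

    def feed(self, e: Event) -> Optional[str]:
        """Consume one event; return the container name when the chain completes."""
        idx, start = self.state.get(e.container, (0, 0.0))
        if idx > 0 and e.ts - start > self.window:
            idx, start = 0, 0.0                          # stale partial chain: start over
        source, predicate = self.signature[idx]
        if e.source == source and predicate(e):
            start = e.ts if idx == 0 else start
            idx += 1
            if idx == len(self.signature):
                self.state[e.container] = (0, 0.0)
                return e.container
        self.state[e.container] = (idx, start)
        return None


def run_detector(events: Sequence[Event], sources: Tuple[str, ...] = ("sys", "net"),
                 window: float = 300.0) -> List[str]:
    """Feed only events from the given sources; return the containers that alerted."""
    det = ChainDetector(WEB_TO_EGRESS, window)
    alerts: List[str] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.source not in sources:
            continue
        hit = det.feed(e)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed event stream. web-1 completes the chain; web-2 never spawns a shell;
# web-3 spawns one but far outside the window. 203.0.113.5 is a documentation address.
EVENTS: List[Event] = [
    Event(10, "net", "web-1", "accept", (("dport", "8080"),)),
    Event(12, "sys", "web-1", "exec", (("path", "/bin/sh"),)),
    Event(15, "sys", "web-1", "exec", (("path", "/usr/bin/curl"),)),
    Event(16, "net", "web-1", "connect", (("dst", "203.0.113.5"),)),
    Event(20, "net", "web-2", "accept", (("dport", "8080"),)),
    Event(21, "sys", "web-2", "exec", (("path", "/usr/bin/curl"),)),
    Event(22, "net", "web-2", "connect", (("dst", "203.0.113.5"),)),
    Event(30, "net", "web-3", "accept", (("dport", "8080"),)),
    Event(400, "sys", "web-3", "exec", (("path", "/bin/sh"),)),
]

if __name__ == "__main__":
    print("both sources:", run_detector(EVENTS))
    print("sys only:    ", run_detector(EVENTS, sources=("sys",)))
    print("net only:    ", run_detector(EVENTS, sources=("net",)))
```

With both sources the detector alerts on web-1 only; restricted to system events or to network events alone, the same stream produces no alert, because stages of the chain are only observable from the other source. In a real deployment the per-container state would also need a size bound and an eviction policy, since an attacker who knows the signature can park every container at a partial stage.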
| Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
|---|---|
| Item Type: | Thesis (Masters) |
| Authors: | Majumder, Shafayat Hossain |
| Institution: | Concordia University |
| Degree Name: | M.A. Sc. |
| Program: | Information Systems Security |
| Date: | 15 December 2025 |
| Thesis Supervisor(s): | Majumdar, Suryadipta |
| ID Code: | 996593 |
| Deposited By: | Shafayat Hossain Majumder |
| Deposited On: | 29 Jun 2026 14:44 |
| Last Modified: | 29 Jun 2026 14:44 |