Comparison of Vulnerability Scanners for Detecting Obfuscated Malware in Containers

2025; pp. 60–70
Lviv Polytechnic National University, Department of Information Protection, Ukraine

The growing popularity of containerization in cloud environments is accompanied by an increasing number of attacks that leverage obfuscated malware designed to evade detection by static scanners. This paper presents an experimental comparison of two container security tools – Trivy (static analysis) and Tracee (dynamic observation based on eBPF) – in detecting malicious executables hidden in non-standard paths such as /tmp/.

A scenario was created to simulate the execution of an obfuscated binary file inside a container, mimicking typical attacker behavior. Trivy failed to detect any threat within the image, whereas Tracee successfully captured the actual execution of the malicious code at runtime. To visualize the results, a GitHub Actions workflow was implemented to automatically generate reports and metrics, including the Suspicious Exec Rate – the ratio of executions from non-standard paths to the total number of execve events.
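The Suspicious Exec Rate described above can be computed directly from a stream of runtime events. The block below is an added example, not code from the paper or from the Trivy/Tracee projects: it walks JSON lines shaped like Tracee's event output (the field names `eventName`, `containerId`, `processName` and the `args` list with a `pathname` entry are an assumption modelled on that format), counts every `execve`, flags those whose binary lives under a writable non-standard directory (the paper names `/tmp/`; `/var/tmp/` and `/dev/shm/` are added here as assumptions), and renders a short Markdown summary of the kind a CI step could publish. The sample events are constructed.

```python
import json

# Directories from which execution is treated as suspicious. /tmp/ comes from the
# paper; the other two are common world-writable locations added as an assumption.
NON_STANDARD_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample lines in the shape of Tracee JSON output (field names are an
# assumption, not copied from the tool's schema). One line is deliberately malformed.
SAMPLE_EVENTS = """
{"eventName": "execve", "containerId": "abc123", "processName": "sh", "args": [{"name": "pathname", "value": "/bin/sh"}]}
{"eventName": "execve", "containerId": "abc123", "processName": "curl", "args": [{"name": "pathname", "value": "/usr/bin/curl"}]}
{"eventName": "openat", "containerId": "abc123", "processName": "curl", "args": [{"name": "pathname", "value": "/tmp/.x/payload"}]}
{"eventName": "execve", "containerId": "abc123", "processName": "payload", "args": [{"name": "pathname", "value": "/tmp/.x/payload"}]}
not a json line
{"eventName": "execve", "containerId": "abc123", "processName": "ls", "args": [{"name": "pathname", "value": "/bin/ls"}]}
"""


def is_non_standard(path):
    """True when the executed binary sits under one of the watched directories."""
    return any(path.startswith(d) for d in NON_STANDARD_DIRS)


def exec_pathname(event):
    """Return the pathname of an execve event, or None for any other event."""
    if event.get("eventName") != "execve":
        return None
    for arg in event.get("args", []):
        if arg.get("name") == "pathname":
            return arg.get("value")
    return None


def suspicious_exec_rate(lines):
    """Compute the ratio of execve events from non-standard paths to all execve events.

    Non-JSON lines and non-execve events are skipped; the hits list keeps enough
    context (container id, process name, path) for a reviewer to triage.
    """
    total = 0
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate log noise rather than abort the report
        path = exec_pathname(event)
        if path is None:
            continue
        total += 1
        if is_non_standard(path):
            hits.append((event.get("containerId", ""), event.get("processName", ""), path))
    rate = len(hits) / total if total else 0.0
    return {"total_execve": total, "suspicious_execve": len(hits), "rate": rate, "hits": hits}


def markdown_report(summary):
    """Render the summary as Markdown suitable for a CI job summary."""
    lines = [
        "## Runtime exec summary",
        f"- execve events: {summary['total_execve']}",
        f"- from non-standard paths: {summary['suspicious_execve']}",
        f"- Suspicious Exec Rate: {summary['rate']:.2%}",
    ]
    if summary["hits"]:
        lines.append("")
        lines.append("| container | process | path |")
        lines.append("|---|---|---|")
        for cid, proc, path in summary["hits"]:
            lines.append(f"| {cid} | {proc} | {path} |")
    return "\n".join(lines)


def analyze_sample():
    """Run the metric over the constructed sample events."""
    return suspicious_exec_rate(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    print(markdown_report(analyze_sample()))
```

In a pipeline the input would be the file Tracee was asked to write (for example via its JSON output option) during the test run, and the report could be appended to the job summary; the rate alone is a coarse signal, so the hits table is what a reviewer actually acts on.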

The results highlight the limitations of signature-based SCA analysis and emphasize the importance of complementing static scanning with dynamic behavior analysis methods. The proposed approach enables the effective detection of threats that remain unnoticed in traditional CI/CD pipelines.
