Container Vulnerability Analysis & Reporting
An end-to-end vulnerability assessment of a containerized application using Docker and Trivy. This project proves the ability to identify known vulnerabilities (CVEs), analyze their business impact, and produce a professional report with actionable remediation advice.
Objective
This project demonstrates the process of scanning a container image for known vulnerabilities (CVEs) using Trivy and communicating the findings in a professional assessment report.
Tools Used
- Docker
- Trivy
- OWASP Juice Shop (as the target application)
- Markdown
Scanning Process
The following section provides visual evidence of the key steps taken during the analysis.
1. Pulling the Docker Image
The target application, bkimminich/juice-shop, was pulled from Docker Hub to the local machine for analysis.

2. Executing the Vulnerability Scan
The Trivy scanner was executed against the container image, and the results were saved to a text file for detailed analysis.

Executive Summary
A vulnerability scan was performed on the bkimminich/juice-shop container image. The scan revealed a total of 53 vulnerabilities, including 8 rated as CRITICAL. The most significant risks are related to outdated OS packages and application libraries, which could allow an attacker to achieve remote code execution or privilege escalation on the container. Immediate remediation by updating the base image and dependencies is recommended.
Detailed Findings
Below is an analysis of the top critical vulnerabilities and secrets discovered during the scan.
Finding 1: Sandbox Escape in vm2
- CVE-ID:
CVE-2023-32314 - Severity: CRITICAL
- Vulnerable Package:
vm2version3.9.17 - Business Impact: This is a critical sandbox escape vulnerability. An attacker could exploit this flaw to bypass the sandboxed environment and gain remote code execution on the host machine. This could lead to a full compromise of the application server, allowing for data theft, further attacks on internal systems, or complete service disruption.
- Recommended Remediation: The
vm2package must be updated to a patched version,3.e9.18or later, which resolves this vulnerability.
Finding 2: Prototype Pollution in lodash
- CVE-ID:
CVE-2019-10744 - Severity: CRITICAL
- Vulnerable Package:
lodashversion2.4.2 - Business Impact: This vulnerability allows an attacker to manipulate the prototype of base objects in JavaScript. This can lead to a variety of attacks, including application crashes (Denial of Service), cross-site scripting (XSS), and potentially remote code execution by altering the logic of the application at runtime.
- Recommended Remediation: The
lodashpackage is severely outdated and should be updated to a patched version,>=4.17.12, and have its usage audited to ensure secure practices.
Finding 3: Hardcoded Asymmetric Private Key
- Secret Type:
AsymmetricPrivateKey - Severity: HIGH
- Location:
/juice-shop/build/lib/insecurity.js - Business Impact: A private RSA key is hardcoded directly into the application’s source code. An attacker who gains access to the container image can extract this key. With this key, they could potentially decrypt sensitive information, impersonate the server to intercept user data, or forge digital signatures and tokens (like JWTs), leading to a complete compromise of user accounts and data integrity.
- Recommended Remediation: All hardcoded secrets must be removed from the source code. The key should be revoked and replaced. The new key should be stored securely using a secrets management service like AWS Secrets Manager or HashiCorp Vault, and dynamically injected into the application at runtime.
Conclusion
This project demonstrates a fundamental component of a DevSecOps workflow: static analysis of container images to identify security risks before they are deployed to production.