Why Johnny Can't Use Secure Docker Images: Investigating the Usability Challenges in Using Docker Image Vulnerability Scanners through Heuristic Evaluation

This paper explores the usability of Docker Image Vulnerability Scanners (DIVSes) through heuristic evaluations. Docker simplifies the process of software development, distribution, deployment, and execution by providing a container-based execution environment. However, vulnerabilities in Docker images can pose security risks to containers. To mitigate this, DIVSes are crucial in helping developers identify and address these vulnerabilities in the software packages and libraries within Docker images. Despite their importance, research on the usability of DIVSes has been limited. To address this gap, we developed 11 customized heuristics and applied them to three widely-used DIVSes (Grype, Trivy, and Snyk). Our evaluations revealed 239 usability issues within the tools evaluated. Our findings highlight that the evaluated DIVSes do not provide sufficient information to comprehend the risks associated with identified vulnerabilities, prioritize them, or effectively fix them. Our study offers valuable insights and practical recommendations for enhancing the usability of DIVSes, making it easier for developers to identify and address vulnerabilities in Docker images.