In addition to its primary function of storing Docker images, MSR offers a deeply integrated vulnerability scanner that analyzes container images, either by manual user request or automatically whenever an image is uploaded to the registry.
MSR image scanning occurs in a service known as the dtr-jobrunner container. To scan an image, MSR:
Extracts a copy of the image layers from backend storage.
Extracts the files from the layer into a working directory inside the dtr-jobrunner container.
Executes the scanner against the files in this working directory, collecting a series of scanning data. Once the scanning data is collected, the working directory for the layer is removed.
In scanning images for security vulnerabilities, MSR temporarily extracts
the contents of your images to disk. If malware is contained in these
images, external malware scanners may wrongly attribute that malware to MSR.
The key indication of this is the detection of malware in the dtr-jobrunner
/tmp/findlib-workdir-*. To prevent any recurrence of the
issue, Mirantis recommends configuring the run-time scanner to exclude files
found in the MSR dtr-jobrunner containers in
/tmp or more specifically,
if wildcards can be used,