MISP Object Proposal: container-image #493
Description
Introduce a new object container-image to represent container images across platforms (e.g., Docker, OCI).
Proposed Attributes:
- image-name (text) – Name of the image (e.g., nginx)
- tag (text) – Image tag (e.g., latest, 1.21-alpine)
- digest (sha256) – Image digest
- registry (text/url) – Registry URL (e.g., docker.io, ghcr.io)
- architecture (text) – CPU architecture (amd64, arm64)
- os (text) – Base OS (alpine, debian, etc.)
- created (datetime)
- size (integer) – Image size in bytes
- layers (text) – List or reference to layers
- labels (text) – Metadata labels
- signature (text) – Signing information (cosign, etc.)
Using generic file or software objects, but these lack container-specific context.
Container images are a key attack vector in supply chain attacks and should be first-class citizens in threat intelligence.
It also can be connected to a cve like the latest trivy supply chain attack.