Containerization technologies such as Docker have transformed research software deployment by encapsulating applications and their dependencies into portable, reproducible environments. However, research containers often carry outdated or unnecessary packages, introducing security vulnerabilities whose remediation conflicts with reproducibility requirements: upgrading a package to close a CVE can change the computational result the container was built to preserve. In this paper, we present a reproducibility-aware DevSecOps framework that systematically addresses this tension between container security and scientific reproducibility. Our methodology integrates multiple vulnerability scanners (Trivy, Anchore, Clair) with automated remediation strategies and reproducibility testing protocols. We design comparative evaluation metrics that quantify the tradeoffs between security hardening approaches, from simple weekly package updates to comprehensive multi-scanner pipelines, and their impact on functional reproducibility. Through analysis of vulnerability detection overlap across scanning tools and cost-benefit evaluation of remediation strategies, we demonstrate the framework's effectiveness on a curated dataset of 105 Docker images from the neuroscience, finance, and machine learning domains. We conclude with actionable best practices for building secure, reproducible research containers and release our complete methodology as open-source resources for the research software engineering (RSE) community.
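The cross-scanner overlap analysis the abstract describes can be illustrated with a short script. The following Python is an added example and is not the paper's code or part of its released resources: it normalizes findings from Trivy, Grype (Anchore's open-source scanner, standing in for the Anchore toolchain here) and Clair into (CVE, package) keys, computes pairwise Jaccard overlap, per-scanner unique findings and the consensus set, and then splits findings reported by at least two scanners into those with a known fix and those without. The three report structures are simplified stand-ins for each tool's JSON output and should be treated as assumptions about the schema; the vulnerability data is constructed, and the function names are the example's own.

```python
"""Cross-scanner overlap and remediation triage for one container image.

Added example, not the paper's code. Report shapes below are simplified
stand-ins for Trivy, Grype (Anchore) and Clair JSON output (assumed schema);
all CVE identifiers, packages and versions are constructed sample data.
"""
from itertools import combinations

# Constructed Trivy-style report: Results[].Vulnerabilities[] with PkgName/FixedVersion.
TRIVY_REPORT = {"Results": [{"Target": "example.org/neuro-pipeline:1.4 (debian 11.6)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1n-0+deb11u3",
         "FixedVersion": "1.1.1n-0+deb11u4", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-0002", "PkgName": "libxml2", "InstalledVersion": "2.9.10+dfsg-6.7",
         "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2023-0003", "PkgName": "curl", "InstalledVersion": "7.74.0-1.3",
         "FixedVersion": "7.74.0-1.3+deb11u7", "Severity": "CRITICAL"}]}]}

# Constructed Grype-style report: matches[].vulnerability / matches[].artifact.
GRYPE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2023-0001", "severity": "High", "fix": {"versions": ["1.1.1n-0+deb11u4"]}},
     "artifact": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}},
    {"vulnerability": {"id": "CVE-2023-0003", "severity": "Critical", "fix": {"versions": ["7.74.0-1.3+deb11u7"]}},
     "artifact": {"name": "curl", "version": "7.74.0-1.3"}},
    {"vulnerability": {"id": "CVE-2023-0004", "severity": "Low", "fix": {"versions": []}},
     "artifact": {"name": "numpy", "version": "1.21.0"}}]}

# Constructed Clair-style report: vulnerabilities{id: {name, package{}, fixed_in_version}}.
CLAIR_REPORT = {"vulnerabilities": {
    "1": {"name": "CVE-2023-0001", "normalized_severity": "High", "fixed_in_version": "1.1.1n-0+deb11u4",
          "package": {"name": "openssl", "version": "1.1.1n-0+deb11u3"}},
    "2": {"name": "CVE-2023-0002", "normalized_severity": "Medium", "fixed_in_version": "",
          "package": {"name": "libxml2", "version": "2.9.10+dfsg-6.7"}},
    "3": {"name": "CVE-2023-0005", "normalized_severity": "Unknown", "fixed_in_version": "",
          "package": {"name": "bash", "version": "5.1-2+deb11u1"}}}}


# Findings are keyed on (cve, package) only: installed-version strings are formatted
# differently by each tool, so including them would hide genuine overlap.
def normalize_trivy(report):
    """Trivy report -> {(cve, pkg): (SEVERITY, fix_available)}."""
    out = {}
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out[(v["VulnerabilityID"], v["PkgName"])] = (v["Severity"].upper(), bool(v.get("FixedVersion")))
    return out


def normalize_grype(report):
    """Grype report -> same normalized form."""
    out = {}
    for m in report.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        out[(vuln["id"], art["name"])] = (vuln["severity"].upper(), bool(vuln.get("fix", {}).get("versions")))
    return out


def normalize_clair(report):
    """Clair report -> same normalized form."""
    out = {}
    for v in report.get("vulnerabilities", {}).values():
        out[(v["name"], v["package"]["name"])] = (v["normalized_severity"].upper(), bool(v.get("fixed_in_version")))
    return out


def jaccard(a, b):
    """|A & B| / |A | B|; two empty sets count as fully overlapping."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def overlap_analysis(findings):
    """findings: {scanner: normalized dict}. Returns union, consensus, per-scanner unique, pairwise Jaccard."""
    keysets = {name: set(f) for name, f in findings.items()}
    union = set().union(*keysets.values())
    consensus = set.intersection(*keysets.values())
    unique = {n: ks - set().union(*(o for m, o in keysets.items() if m != n)) for n, ks in keysets.items()}
    pairwise = {f"{a}/{b}": round(jaccard(keysets[a], keysets[b]), 3) for a, b in combinations(sorted(keysets), 2)}
    return {"union": union, "consensus": consensus, "unique": unique, "pairwise_jaccard": pairwise}


def remediation_plan(findings, min_scanners=2):
    """Findings seen by >= min_scanners, split by whether any scanner knows a fixed version.

    Fixable findings are candidates for a targeted, version-pinned upgrade that can be
    re-tested for reproducibility; unfixable ones can only be accepted, suppressed with a
    justification, or removed along with the package, which is where the reproducibility
    cost of hardening concentrates.
    """
    votes = {}
    for name, f in findings.items():
        for key, (sev, fixable) in f.items():
            entry = votes.setdefault(key, {"scanners": set(), "severities": set(), "fixable": False})
            entry["scanners"].add(name)
            entry["severities"].add(sev)
            entry["fixable"] = entry["fixable"] or fixable
    agreed = {k: v for k, v in votes.items() if len(v["scanners"]) >= min_scanners}
    return {"fixable": sorted(k for k, v in agreed.items() if v["fixable"]),
            "unfixable": sorted(k for k, v in agreed.items() if not v["fixable"])}


def analyze_sample():
    """Run both analyses over the constructed reports."""
    findings = {"trivy": normalize_trivy(TRIVY_REPORT),
                "grype": normalize_grype(GRYPE_REPORT),
                "clair": normalize_clair(CLAIR_REPORT)}
    return {"overlap": overlap_analysis(findings), "plan": remediation_plan(findings)}


if __name__ == "__main__":
    for section, value in analyze_sample().items():
        print(section, value)
```

On the constructed data, only one finding (CVE-2023-0001 in openssl) is reported by all three scanners, and pairwise Jaccard overlap sits between 0.2 and 0.5, which is the situation in which a multi-scanner pipeline pays for itself: each tool contributes findings the others miss. The `min_scanners` threshold is the lever for trading triage cost against coverage; raising it to 3 on this sample would leave a single fixable finding and discard the libxml2 and curl results entirely.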
Authors: Mittal et al.