by coldtea 870 days ago
>Then you still didn't audit anything. What you need to do is inspect the docker file, follow everything it pulls in and audit that

You don't need to audit anything it pulls in INSIDE the container. Who cares? Just what kind of access it gives the container to the host.

1 comments

This sounds like a fine way to mine Bitcoin for someone else
The whole point is that you checked that the container gets no access to the network.

Not to mention why wouldn't you let a shell script container keep running?

You can use quotas to mitigate that risk, and monitoring to discover it. You'd be monitoring CPU usage anyway, whether or not you build your own images or write your own Dockerfiles.
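The checks discussed in this thread (what access the container gets to the host, whether it has network access, whether quotas are set) can be read from the `HostConfig` section of `docker inspect` output. The sketch below is an added example, not part of the original thread; the container names and sample JSON are constructed, and it only looks at bind mounts, not other mount types.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/sandboxed-script",
  "HostConfig": {"NetworkMode": "none", "Privileged": false, "Binds": null,
                 "CapAdd": null, "PidMode": "", "NanoCpus": 500000000,
                 "CpuQuota": 0, "Memory": 268435456, "PidsLimit": 64}},
 {"Name": "/unreviewed-script",
  "HostConfig": {"NetworkMode": "host", "Privileged": true,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                 "CapAdd": ["SYS_ADMIN"], "PidMode": "host", "NanoCpus": 0,
                 "CpuQuota": 0, "Memory": 0, "PidsLimit": null}}
]
""")

def audit_host_access(container):
    """Return findings about what the container can reach or exhaust on the host."""
    hc = container.get("HostConfig", {})
    findings = []
    # Host access: network, privilege, mounts, capabilities, namespaces.
    if hc.get("NetworkMode") != "none":
        findings.append(f"network enabled (NetworkMode={hc.get('NetworkMode')!r})")
    if hc.get("Privileged"):
        findings.append("privileged mode")
    for bind in hc.get("Binds") or []:
        findings.append(f"host path mounted: {bind}")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability: {cap}")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    # Quotas: a value of 0 or null means the limit is not set.
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append("no CPU quota")
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not hc.get("PidsLimit") or hc["PidsLimit"] <= 0:
        findings.append("no PID limit")
    return findings

def audit_all(inspect_output):
    """Map each container name to its list of findings."""
    return {c["Name"].lstrip("/"): audit_host_access(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no host access or quota findings")
```

On a real host, the same functions can be fed the parsed output of `docker inspect` for the running containers.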