Threat actors may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
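One way to surface the build requests described above is to watch for calls to the Docker Engine API build endpoint (`POST /build`) on hosts where image builds are not expected. The following is an added example, not part of the original page. It assumes the Docker daemon runs with debug logging, which records API calls as `Calling <METHOD> <URI>`; the log lines are constructed samples and `find_build_requests` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the style of dockerd debug logging (assumption).
# Note the image pull (/images/create) is a different API call from a build.
SAMPLE_LOG = '''\
time="2024-05-01T10:00:01Z" level=debug msg="Calling GET /v1.41/containers/json"
time="2024-05-01T10:00:05Z" level=debug msg="Calling POST /v1.41/images/create?fromImage=alpine&tag=latest"
time="2024-05-01T10:00:09Z" level=debug msg="Calling POST /v1.41/build?dockerfile=Dockerfile&t=svc-cache%3A1.0"
time="2024-05-01T10:02:30Z" level=debug msg="Calling POST /build?remote=https%3A%2F%2Fexample.invalid%2Fctx.tar&t=helper"
time="2024-05-01T10:03:00Z" level=debug msg="Calling POST /v1.41/containers/create?name=web"
'''

# Timestamp, HTTP method and request URI from one daemon log line.
LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)".*?msg="Calling (?P<method>[A-Z]+) (?P<uri>[^"\s]+)"'
)
# The build endpoint, with or without an API version prefix such as /v1.41.
BUILD_PATH_RE = re.compile(r'^(?:/v\d+\.\d+)?/build$')


def find_build_requests(log_text):
    """Return one record per image build request found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        parts = urlsplit(m.group("uri"))
        if not BUILD_PATH_RE.match(parts.path):
            continue
        query = parse_qs(parts.query)  # also percent-decodes the values
        events.append({
            "time": m.group("ts"),
            # 't' carries the name:tag the new image will be given.
            "tags": query.get("t", []),
            # 'remote' is set when the build context is fetched from a URL.
            "remote_context": query.get("remote", [None])[0],
        })
    return events


if __name__ == "__main__":
    for event in find_build_requests(SAMPLE_LOG):
        print(event)
```

Comparing the returned records against the builds a host is expected to perform (for example, a CI runner versus a production node) gives a detection that does not rely on observing a malicious image being pulled.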