Docker Security Scanning (DSS) with CoreOS’s — Clair
Recently we discovered a CVE within one of our development images. Therefore we wanted to keep this from happening again. So we got going with Docker security scanning. Quickly we found Clair by CoreOS, which seems to be reasonable for our purposes.
In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.
So what do you need to get started with CoreOS — Clair?
- clair config
For ease we are putting it all together in a docker-compose.yml.
All our files will be placed under docker-clair and all written files by the containers are placed in
First off, creating the directory structure:
mkdir -p docker-clair/data/clair/config
$ cat <<EOF > docker-clair/docker-compose.yml
- clair
# CLAIR
command: [--log-level=debug, --config, /config/config.yml]
networks:
You can either use mine or just fetch the original one here: config.yaml.sample
$ cat <<EOF > docker-clair/data/clair/config/config.yml
source: host=postgres port=5432 user=postgres password=changemeplease sslmode=disable statement_timeout=60000
- Please edit the PGSQL Password from changemeplease to anything you prefer as a password!
- Do not quote the PGSQL password in config.yml, it will not work.
To start docker-clair you can simply run the following:
$ cd docker-clair
$ docker-compose up -d && docker-compose logs -f
Now you can see by typing docker-compose ps that you have clair up and running under port 6060.
$ docker-compose ps
WARNING: The UID variable is not set. Defaulting to a blank string.
WARNING: The GID variable is not set. Defaulting to a blank string.
Name Command State Ports
clair_clair /clair --log-level=debug - ... Up 0.0.0.0:6060->6060/tcp, 0.0.0.0:6061->6061/tcp
clair_postgres docker-entrypoint.sh postgres Up 5432/tcp
There are several tools to actually use clair available here.
I personally use klar at the moment so I will put how I use it currently.
You can get it by using:
$ go get github.com/optiopay/klar
Verify installation by using:
$ which klar
We need some ENVs specified first, depending on your registry.
See the README.md on GitHub to find what fits your needs best.
I use the following:
# this works for Dockerhub:
export CLAIR_ADDR=clair.example.org:6060
# Own registry with basic-auth
export DOCKER_USER=<Registry Username>
export DOCKER_PASSWORD=<Registry Password>
If the ENVs are set up you can use clair by simply typing klar followed by the image; in my case I fetch the python:3.5 image directly from DockerHub.
$ klar python:3.5
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 9 layers
Got results from Clair API v1
Found 0 vulnerabilities
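To use a scan like the one above as a build gate, the wrapper below (an added example, not code from the original post or from the klar project) treats a missing "Found N vulnerabilities" summary line as an error instead of a clean result. It assumes klar's default text output and the exit statuses documented in klar's README (0 within CLAIR_THRESHOLD, 1 above it, 2 when the image could not be analysed); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: fail-closed CI gate around klar (function names are hypothetical).
# Usage inside a pipeline step:  scan_image python:3.5 || exit 1

# Read klar's text output on stdin and print N from "Found N vulnerabilities".
# Prints nothing and returns 1 when the summary line is missing (scan incomplete).
klar_vuln_count() {
  local n
  n=$(sed -n 's/^Found \([0-9][0-9]*\) vulnerabilities.*$/\1/p' | tail -n 1)
  [ -n "$n" ] || return 1
  printf '%s\n' "$n"
}

# Decide from klar's exit status ($1) and its captured output ($2).
# Echoes pass / fail / error; anything that is not provably within the
# threshold blocks the build.
gate_decision() {
  local rc out count
  rc=$1
  out=$2
  if ! count=$(printf '%s\n' "$out" | klar_vuln_count); then
    echo error; return 2          # no summary: Clair or registry unreachable, timeout
  fi
  case "$rc" in
    0) echo pass;  return 0 ;;    # findings at or below CLAIR_THRESHOLD
    1) echo fail;  return 1 ;;    # more findings than CLAIR_THRESHOLD
    *) echo error; return 2 ;;    # klar exits 2 when analysis failed
  esac
}

# Scan one image with klar, show its output, and return the gate result.
scan_image() {
  local image out rc
  image=$1
  rc=0
  out=$(klar "$image" 2>&1) || rc=$?
  printf '%s\n' "$out"
  gate_decision "$rc" "$out" >&2
}
```
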
Basic security scanning with Docker is not too hard at all.
There are several other tools like docker-bench-security etc. in place.
See the article by Sysdig here; you may find a better solution for your needs.
That's all I have/know about this topic so far. If you have any further questions or comments, please use the section below.
Thanks for reading,