Docker Security Scanning (DSS) with CoreOS’s — Clair

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

At regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.

Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.

Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.

When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.

Building

$ mkdir -p docker-clair/data/postgres docker-clair/data/clair/tmp docker-clair/data/clair/config
$ cat <<'EOF' > docker-clair/docker-compose.yml
version: "3.0"
services:
  # POSTGRES
  postgres:
    container_name: clair_postgres
    image: postgres:latest
    # quoted heredoc above keeps ${UID}:${GID} literal for docker-compose to substitute
    user: "${UID}:${GID}"
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: changemeplease
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    networks:
      - clair
  # CLAIR
  clair:
    container_name: clair_clair
    image: quay.io/coreos/clair:latest
    user: "${UID}:${GID}"
    restart: unless-stopped
    depends_on:
      - postgres
    volumes:
      - ./data/clair/tmp:/tmp
      - ./data/clair/config:/config
    ports:
      - 6060:6060
      - 6061:6061
    networks:
      - clair
    command: [--log-level=debug, --config, /config/config.yml]
networks:
  clair:
    driver: bridge
EOF
$ cat <<'EOF' > docker-clair/data/clair/config/config.yml
clair:
  database:
    type: pgsql
    options:
      # "postgres" resolves to the postgres service on the compose network
      source: host=postgres port=5432 user=postgres password=changemeplease sslmode=disable statement_timeout=60000
      cachesize: 16384
  api:
    port: 6060
    healthport: 6061
    timeout: 900s
  updater:
    interval: 2h
  notifier:
    attempts: 3
    renotifyinterval: 2h
EOF

Running

$ cd docker-clair
$ docker-compose up -d && docker-compose logs -f
$ docker-compose ps
WARNING: The UID variable is not set. Defaulting to a blank string.
WARNING: The GID variable is not set. Defaulting to a blank string.
     Name                    Command                 State                        Ports
------------------------------------------------------------------------------------------------------
clair_clair      /clair --log-level=debug - ...     Up      0.0.0.0:6060->6060/tcp, 0.0.0.0:6061->6061/tcp
clair_postgres   docker-entrypoint.sh postgres      Up      5432/tcp

Scanning

$ which klar
[...]/.go/bin//klar
# this works for Docker Hub:
$ export DOCKER_INSECURE=true
$ export REGISTRY_INSECURE=false
$ export CLAIR_ADDR=clair.example.org:6060
# own registry with basic auth:
$ export DOCKER_USER=<Registry Username>
$ export DOCKER_PASSWORD=<Registry Password>
$ klar python:3.5
clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 9 layers
Got results from Clair API v1
Found 0 vulnerabilities
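The two API calls described at the top of the post (index an image's layers, then query the stored features for vulnerabilities) are exactly what klar performs before printing "Found N vulnerabilities" above. The following is an added example, not code from the post or from the Clair or klar projects: it builds the ordered Clair v1 layer requests for an image, forms the query URL for a layer, and evaluates a layer report against a severity threshold the way a CI gate would. The API scheme, registry URL, layer digests, bearer token and the sample report (with placeholder CVE ids) are constructed assumptions; only the Clair host comes from the post.

```python
# Added example, not code from the post or from the Clair/klar projects.
# Builds the Clair v1 API requests klar issues on our behalf and evaluates a
# layer report against a severity threshold, entirely offline.
# Assumptions: the API scheme (the post gives only CLAIR_ADDR), the registry
# URL, the layer digests and the sample report below are constructed; the
# CVE ids are placeholders, not real advisories.
import json

CLAIR_API = "http://clair.example.org:6060/v1"   # host from the post; scheme assumed

# Severity levels Clair v1 reports, lowest to highest.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}


def build_layer_requests(image_ref, layer_digests,
                         registry="https://registry-1.docker.io", token=None):
    """Ordered bodies for POST /v1/layers: one per layer, base layer first,
    each naming its parent so Clair can diff features between layers.
    image_ref is assumed to be "repo:tag"."""
    repo, _, _tag = image_ref.partition(":")
    if "/" not in repo:                   # Docker Hub official images live under library/
        repo = "library/" + repo
    bodies, parent = [], ""
    for digest in layer_digests:
        layer = {
            "Name": digest,
            "Path": f"{registry}/v2/{repo}/blobs/{digest}",
            "ParentName": parent,
            "Format": "Docker",
        }
        if token:                          # registry credentials travel in Headers
            layer["Headers"] = {"Authorization": f"Bearer {token}"}
        bodies.append({"Layer": layer})
        parent = digest
    return bodies


def layer_report_url(layer_name):
    """GET URL that returns the features and vulnerabilities of one layer."""
    return f"{CLAIR_API}/layers/{layer_name}?features&vulnerabilities"


def findings_at_or_above(report, min_severity="High"):
    """Flatten a GET /v1/layers/<name> response into
    (package, version, vulnerability, severity, fixed_by) tuples whose
    severity is at least min_severity. Unrecognised severities rank lowest."""
    floor = RANK[min_severity]
    found = []
    for feature in report["Layer"].get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            severity = vuln.get("Severity", "Unknown")
            if RANK.get(severity, 0) >= floor:
                found.append((feature["Name"], feature["Version"], vuln["Name"],
                              severity, vuln.get("FixedBy", "")))
    return found


def passes_gate(report, min_severity="High", threshold=0):
    """CI gate in the spirit of klar's CLAIR_OUTPUT / CLAIR_THRESHOLD settings:
    True when at most `threshold` findings reach `min_severity`."""
    return len(findings_at_or_above(report, min_severity)) <= threshold


# Constructed sample report in the shape Clair v1 returns (placeholder ids).
SAMPLE_REPORT = {"Layer": {
    "Name": "sha256:layer2",
    "Features": [
        {"Name": "libssl1.1", "NamespaceName": "debian:9", "Version": "1.1.0f-3",
         "Vulnerabilities": [
             {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.0f-4"},
             {"Name": "CVE-0000-0002", "Severity": "Medium", "FixedBy": ""}]},
        {"Name": "bash", "NamespaceName": "debian:9", "Version": "4.4-5",
         "Vulnerabilities": [
             {"Name": "CVE-0000-0003", "Severity": "Negligible", "FixedBy": ""}]},
        {"Name": "zlib1g", "NamespaceName": "debian:9", "Version": "1.2.8",
         "Vulnerabilities": []},
    ]}}

if __name__ == "__main__":
    for body in build_layer_requests("python:3.5", ["sha256:layer1", "sha256:layer2"]):
        print(json.dumps(body))
    print(layer_report_url("sha256:layer2"))
    for finding in findings_at_or_above(SAMPLE_REPORT, "Medium"):
        print(*finding)
    print("gate passed:", passes_gate(SAMPLE_REPORT, "High"))
```

The parent chain matters: Clair stores features per layer as the difference from the parent, so posting layers out of order or without ParentName gives an incomplete picture of the final image. Querying only the top layer with `?features&vulnerabilities` then returns the accumulated result for the whole image, which is why re-scanning is not needed when the vulnerability database is updated later.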

Conclusion


Working as an IT-Operations engineer at NeXenio, a spin-off of the Hasso-Plattner-Institute for products around a digital workspace.
