When you work with containers (Docker) you are not only packaging your application but also part of the OS. Therefore it is crucial to know what kind of libraries might be vulnerable in you container. One way to find this information is to use and look at the Docker Hub or Quay.io security scan. The problem whit these scans is that they are only showing you the information but are not part of your CI/CD that actually blocks your container when it contains vulnerabilities.
What you want is:
- Build and test your application
- Build the container
- Test the container for vulnerabilities
- Check the vulnerabilities against allowed ones, if everything is allowed pass, otherwise fail
This straight forward process is not that easy to achieve when using the services like Docker Hub or Quay.io. This is because they work asynchronously which makes it harder to do straight forward CI/CD pipeline.
Clair to the rescue
CoreOS has created an awesome container scan tool called “clair”. Clair is also used by Quay.io. What clair does not have is a simple tool that scans your image and compares the vulnerabilities against a whitelist to see if they are approved or not.
This is where clair-scanner comes in to place. The clair-scanner does the following:
* Scans an image against Clair server
* Compares the vulnerabilities against a whitelist
* Tells you if there are vulnerabilities that are not in the whitelist and fails
* If everything is fine it completes correctly
See here the full documentation about the clair-scanner.
Here is a simpel example on how to scan a container and verify if it has vulnerabilities:
docker run -p 5432:5432 -d --name db arminc/clair-db:2017-05-05
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.0-rc.0
Now scan a container, that has a whitelisted CVE:
clair-scanner nginx:1.11.6-alpine example-nginx.yaml https://YOUR_LOCAL_IP:6060 YOUR_LOCAL_IP