Blog

Docker containers vulnerability scan with Clair

05 May, 2017

When you work with containers (Docker) you are not only packaging your application but also part of the OS. Therefore it is crucial to know what kind of libraries might be vulnerable in you container. One way to find this information is to use and look at the Docker Hub or Quay.io security scan. The problem whit these scans is that they are only showing you the information but are not part of your CI/CD that actually blocks your container when it contains vulnerabilities.

What you want is:

  1. Build and test your application
  2. Build the container
  3. Test the container for vulnerabilities
  4. Check the vulnerabilities against allowed ones, if everything is allowed pass, otherwise fail

This straight forward process is not that easy to achieve when using the services like Docker Hub or Quay.io. This is because they work asynchronously which makes it harder to do straight forward CI/CD pipeline.

Clair to the rescue

CoreOS has created an awesome container scan tool called “clair”. Clair is also used by Quay.io. What clair does not have is a simple tool that scans your image and compares the vulnerabilities against a whitelist to see if they are approved or not.
This is where clair-scanner comes in to place. The clair-scanner does the following:
* Scans an image against Clair server
* Compares the vulnerabilities against a whitelist
* Tells you if there are vulnerabilities that are not in the whitelist and fails
* If everything is fine it completes correctly

clair-scanner

See here the full documentation about the clair-scanner.
Here is a simpel example on how to scan a container and verify if it has vulnerabilities:
docker run -p 5432:5432 -d --name db arminc/clair-db:2017-05-05
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.0-rc.0

Now scan a container, that has a whitelisted CVE:
clair-scanner nginx:1.11.6-alpine example-nginx.yaml http://YOUR_LOCAL_IP:6060 YOUR_LOCAL_IP

guest
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
jocelyn
jocelyn
4 years ago

Hello, nice tool , why don’t you tag the db image “latest” daily with the last success build so that we could rely on it instead of having to compute the date.

Henry
Henry
4 years ago

Hi,
I did:
docker run -p 5432:5432 -d –name db arminc/clair-db:2017-05-05
docker run -p 6060:6060 –link db:postgres -d –name clair arminc/clair-local-scan:v2.0.0-rc.0
But when I go for:
clair-scanner nginx:1.11.6-alpine example-nginx.yaml
my machine does not know clair-scanner, I never installed such a thing !
clair-scanner: command not found
what is the issue?

Explore related posts