Schedule a FREE onboarding and start making pipelines fast.

Clair Vulnerability Scans

Security-Testing | December 7, 2018

 

Editors note: We based a webinar on this blog post. Skip to the end of this post to watch!

 

At Codefresh, with the help of author/contributors of the project paclair, we’ve created a custom step to allow you to scan you Docker images for vulnerabilities against the popular open source project Clair.

In today’s word, security is absolutely critical to your applications. Why not inject a step that can do a quick vulnerability scan of your Docker image in just a few minutes, create a report of your vulnerabilities, and determine whether or not to pass or fail your build based on a vulnerability level threshold you’ve configured?

Wouldn’t you sleep better at night knowing you haven’t shipped out the latest zero-day to your Docker registry?

All that’s required is a running instance of Clair to get started.

Let’s start with what you’re getting…

Regardless of your Docker registry the step will output a report and determine whether the scan results are in breach of your threshold:

Click for full report example
Example Clair Report

By using the Codefresh Docker registry provided free with every account, you also get enriched metadata on your Docker image with all the vulnerability levels and a count of vulnerabilities for each level.

If you decide to upload a report to storage you can also enrich the metadata of the Docker image in the Codefresh registry with a link to the HTML report. (How to connect your storage account )

If you have Clair running, great!

These 6 lines are the only thing separating you from your security report:

Did you run it yet?

If you have, then you’ll have a report available in the pipeline and annotations on your Docker image.

The report is in your pipeline you just need to decide where to put it.

The location and name of the report is formatted as such:
./reports/clair-scan--.html
Any / in the image name will be replaced with -

You can upload these reports using built-in reporting.
(Here is a blog post on using this in your pipeline: https://codefresh.io/codefresh-news/test-reporting/ )

Here is an example step to create a quick index page to integrate with our Cloud Storage integration if you’re doing more than one report:

The steps README.md has more information on how to use this with other Docker registries and specifics on other settings like SEVERITY_THRESHOLD.

https://github.com/codefresh-contrib/cfstep-paclair

Do you need some help getting Clair up and running on Kubernetes?

The CoreOS Team has written up a Helm Chart to help with that:
https://github.com/coreos/clair/tree/master/contrib/helm/clair

They’re shipping it with 3.0.0-pre which is a pre-release and not yet supported by our build step.

Please replace the following values or override them during the Helm install:

Want to see this in action? We filmed a Codefresh Live webinar to show you. Watch it here:

You can find the slide deck used in the webinar at  Codefresh Slide Share.

About Dustin Van Buskirk

A Senior Solution Architect at Codefresh

Reader Interactions

Enjoy this article? Don't forget to share.

Comments

Your email address will not be published. Required fields are marked *

Follow me on Twitter