Locally Setup and Scan your Docker images via Clair

On 24th Mar 2021 (2025-04-08T08:13:21+05:30) by Karthik Kumar D K | 5 mins read

Docker images contain not only your application code but also a base OS and the extra utilities the application needs to run. Those layers can carry known vulnerabilities, so it is better not to ship an image with open CVEs. Scanning images is one way to catch them: container scanning tools compare the packages found in each image layer against databases of known vulnerabilities.

In this article, we use Clair to scan a Docker image for vulnerabilities. Clair is an open source container scanning tool from Quay.io, a Red Hat acquisition. Clair is one container scanning tool among many; most of them perform static analysis of the image layers rather than running the container.

How to Setup?

You have to bring up a small stack (a Postgres database, the Clair server and the clairctl client) that works as a scanner on your local machine. The steps below show how to set it up.

Create a project directory named clair_local_poc and, inside it, a docker-compose.yml file with the contents shown below. File location: clair_local_poc/docker-compose.yml

version: '2.1'
services:
  postgres:
    image: postgres:9.6
    restart: unless-stopped
    volumes:
      - ./docker-utils/postgres-data/:/var/lib/postgresql/data:rw
    environment:
      - POSTGRES_PASSWORD=ChangeMe
      - POSTGRES_USER=clair
      - POSTGRES_DB=clair
  clair:
    image: quay.io/coreos/clair:v2.0.6
    restart: unless-stopped
    volumes:
      - ./docker-utils/clair-config/:/config/:ro
      - ./docker-utils/clair-tmp/:/tmp/:rw
    depends_on:
      postgres:
        condition: service_started
    command: [--log-level=debug, --config, /config/config.yml]
    user: root
  clairctl:
    image: jgsqware/clairctl:latest
    restart: unless-stopped
    environment:
      - DOCKER_API_VERSION=1.24
    volumes:
      - ./docker-utils/clairctl-reports/:/reports/:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      clair:
        condition: service_started
    user: root

Create a docker-utils/clair-config directory and place a config.yml file inside it. The database credentials here must match the POSTGRES_* values in docker-compose.yml (change ChangeMe in both places if you alter it). File location: clair_local_poc/docker-utils/clair-config/config.yml

clair:
  database:
    type: pgsql
    options:
      source: postgresql://clair:ChangeMe@postgres:5432/clair?sslmode=disable
      cachesize: 16384
  api:
    port: 6060
    healthport: 6061
    timeout: 900s
  updater:
    interval: 2h
  notifier:
    attempts: 3
    renotifyinterval: 2h

Once you have created the above files in that folder structure, the setup is complete and the scanner is ready to report CVE issues. Two things to keep in mind: clairctl needs the Docker socket to read local images, and mounting /var/run/docker.sock (even read-only) gives that container control over your Docker daemon; both clair and clairctl also run as root. This stack is meant for a trusted local workstation, not for exposure on a shared network. Also, on the first start the updater has to download the vulnerability database, which can take a while before scans report anything meaningful.

Scan Local Docker Image

Below are the steps to run a scan against a local Docker image.

##### Bring the scanner up
$ docker-compose up -d
Creating network "clair_default" with the default driver
Creating clair_postgres_1 ... done
Creating clair_clair_1 ... done
Creating clair_clairctl_1 ... done

##### Check the scanner status
$ docker-compose ps
Name               Command                         State   Ports
------------------------------------------------------------------------------
clair_clair_1      /clair --log-level=debug - ...  Up      6060/tcp, 6061/tcp
clair_clairctl_1   /usr/sbin/crond -f              Up      44480/tcp
clair_postgres_1   docker-entrypoint.sh postgres   Up      5432/tcp

##### Run the scan on any local Docker image
$ docker-compose exec clairctl clairctl analyze -l <local-docker-image>
Image: <local-docker-image>
layers found
➜ Analysis [XXXX] found 0 vulnerabilities.
➜ Analysis [XXXXX] found 0 vulnerabilities.

Each "Analysis" line corresponds to one image layer and reports how many known vulnerabilities Clair matched in that layer. This way, you can scan your Docker images for CVE issues before you ship them.
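Running the scan by hand is fine for a proof of concept, but in a pipeline you want the result to fail the build. The script below is an added example and is not part of the original article or of clairctl: it parses the per-layer "found N vulnerabilities" lines that clairctl analyze prints, sums them, and returns non-zero when the total exceeds a threshold. The function names, the threshold argument and the sample output (constructed, not captured from a real scan) are assumptions made for this example; clair_scan_gate assumes the docker-compose.yml from this article is in the current directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the clairctl project):
# turn "clairctl analyze" output into a pass/fail gate for CI.
set -eu

# Sum the vulnerability counts from clairctl analyze output.
# Each layer prints a line like: "➜ Analysis [abc123] found 4 vulnerabilities."
# Prints the total (0 when no layer line matches).
clair_count_vulns() {
    # $1: text of clairctl analyze output
    printf '%s\n' "$1" \
      | sed -n 's/.*found \([0-9][0-9]*\) vulnerabilit.*/\1/p' \
      | awk '{ total += $1 } END { print total + 0 }'
}

# Gate: return 0 when the total is within the limit, 1 otherwise.
clair_gate() {
    # $1: analyze output, $2: maximum allowed vulnerabilities (default 0)
    local total limit
    limit="${2:-0}"
    total=$(clair_count_vulns "$1")
    if [ "$total" -gt "$limit" ]; then
        echo "FAIL: $total vulnerabilities found (limit $limit)" >&2
        return 1
    fi
    echo "PASS: $total vulnerabilities found (limit $limit)"
    return 0
}

# Run a real scan through the compose stack from this article and apply the
# gate. -T disables the pseudo-tty so the output can be captured.
clair_scan_gate() {
    # $1: local image name:tag, $2: maximum allowed vulnerabilities
    local out
    out=$(docker-compose exec -T clairctl clairctl analyze -l "$1")
    printf '%s\n' "$out"
    clair_gate "$out" "${2:-0}"
}

# Constructed sample output (hypothetical layer digests, not a real scan),
# used to exercise the parser offline.
SAMPLE_OUTPUT='Image: myapp:1.0
 3 layers found
 ➜ Analysis [2f1a9c] found 0 vulnerabilities.
 ➜ Analysis [8b77de] found 3 vulnerabilities.
 ➜ Analysis [c04e11] found 1 vulnerabilities.'

# Dry run: ./clair_gate.sh --demo   (expected: FAIL, 4 found, limit 0)
if [ "${1:-}" = "--demo" ]; then
    clair_gate "$SAMPLE_OUTPUT" 0 || true
fi
```

In a pipeline you would call clair_scan_gate "$IMAGE" 0 after the image is built; a non-zero exit stops the job. Counting only on the summary lines keeps the gate independent of clairctl's report format, but it also means the gate cannot distinguish severities; for that, generate a JSON report with clairctl report and filter it instead.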
