Docker Images contain not only application code, but a OS and additional utilities to make application run as expected. Images can also be vulnerable its better not have any CVE's in image. Running scans are one of the way to protect from CVE's. These container scanning tools scan for known vulnerabilities in the image.
In this article, We use Clair to scan a Docker image for vulnerabilities. Clair is an open source container scanning tool from Quay.io - a Red Hat acquisition. Clair is one container scanning tool among many. Most of them perform static analysis of the Docker image.
How to Setup?
You have to create a application which works as a scanner on your local, below are the steps which tell you how to setup the scanner.
Create a Project directory as clair_local_poc, within that create a docker-compose.yml file with the contents as shown below. File location clair_local_poc/docker-compose.yml
| version: '2.1' | |
| services: | |
| postgres: | |
| image: postgres:9.6 | |
| restart: unless-stopped | |
| volumes: | |
| - ./docker-utils/postgres-data/:/var/lib/postgresql/data:rw | |
| environment: | |
| - POSTGRES_PASSWORD=ChangeMe | |
| - POSTGRES_USER=clair | |
| - POSTGRES_DB=clair | |
| clair: | |
| image: quay.io/coreos/clair:v2.0.6 | |
| restart: unless-stopped | |
| volumes: | |
| - ./docker-utils/clair-config/:/config/:ro | |
| - ./docker-utils/clair-tmp/:/tmp/:rw | |
| depends_on: | |
| postgres: | |
| condition: service_started | |
| command: [--log-level=debug, --config, /config/config.yml] | |
| user: root | |
| clairctl: | |
| image: jgsqware/clairctl:latest | |
| restart: unless-stopped | |
| environment: | |
| - DOCKER_API_VERSION=1.24 | |
| volumes: | |
| - ./docker-utils/clairctl-reports/:/reports/:rw | |
| - /var/run/docker.sock:/var/run/docker.sock:ro | |
| depends_on: | |
| clair: | |
| condition: service_started | |
| user: root |
Create a docker-utils/clair-config directory and place config.yml file inside the directory. File Location: clair_local_poc/docker-utils/clair-config/config.yml
| clair: | |
| database: | |
| type: pgsql | |
| options: | |
| source: postgresql://clair:ChangeMe@postgres:5432/clair?sslmode=disable | |
| cachesize: 16384 | |
| api: | |
| port: 6060 | |
| healthport: 6061 | |
| timeout: 900s | |
| updater: | |
| interval: 2h | |
| notifier: | |
| attempts: 3 | |
| renotifyinterval: 2h |
Once you create the above files with the folder structure, you are good with the step and ready to use the scanner, which will scan for CVE Issues.
Scan Local Docker Image
Below are the steps to run the scan of local docker image
| ##### Put the scanner UP | |
| $ docker-compose up -d | |
| Creating network "clair_default" with the default driver | |
| Creating clair_postgres_1 ... done | |
| Creating clair_clair_1 ... done | |
| Creating clair_clairctl_1 ... done | |
| ##### List the scanner status | |
| $ docker-compose ps | |
| Name Command State Ports | |
| ------------------------------------------------------------------------------ | |
| clair_clair_1 /clair --log-level=debug - ... Up 6060/tcp, 6061/tcp | |
| clair_clairctl_1 /usr/sbin/crond -f Up 44480/tcp | |
| clair_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp | |
| ##### Run the Scan on your any local docker Image | |
| $ docker-compose exec clairctl clairctl analyze -l <local-docker-image> | |
| Image: <local-docker-image> | |
| layers found | |
| ➜ Analysis [XXXX] found 0 vulnerabilities. | |
| ➜ Analysis [XXXXX] found 0 vulnerabilities. |
This way, you can scan the Docker images for any CVE issues.
