Introduction to Clair, a container static security vulnerability scanning tool

2022-06-21 11:18:00 0xtuhao

According to a March 2018 study by Green Alliance (NSFOCUS), 76% of the images on Docker Hub currently contain vulnerabilities. The researchers pulled the top ten popular images from Docker Hub and ran CVE scans over them with the Docker image security scanning tool Clair. Across more than a hundred images, only 24% had no vulnerabilities and 67% had high-risk vulnerabilities. Many of the images we use every day are among them, such as Httpd, Nginx and MySQL.

This article introduces Clair, CoreOS's official container static security vulnerability scanning tool. The tool has also been integrated by many docker registries, such as Harbor (a CNCF member project open-sourced by VMware China), Quay and Dockyard.

The following sections introduce clair from the angles of system architecture, processing flow, integration approach and usage suggestions, in the hope of offering one option for secure container adoption.

System architecture

Clair consists mainly of the following modules:

  • Fetcher - collects vulnerability data from public sources
  • Detector - identifies the Features contained in a container image
  • Image Format - the container image formats known to Clair, including Docker and ACI
  • Notification Hook - notifies users or machines when a new vulnerability is discovered or an existing vulnerability changes
  • Databases - stores the container layers and the vulnerabilities
  • Worker - every Post Layer request starts a worker that performs Layer detection

Workflow

The overall processing flow is as follows:

  • Clair periodically fetches vulnerability metadata from the configured sources and stores it in the database.
  • The client uses the Clair API to process images; Clair extracts the features of the image and stores them in the database.
  • The client uses the Clair API to query the vulnerabilities of a specific image from the database. Vulnerabilities and features are correlated on each request, so the image never needs to be rescanned.
  • When the vulnerability metadata is updated, a system notification is emitted. A webhook can also be configured to record the affected images or to block their deployment.

Integration approach

Clair can be integrated directly into the container registry, so that the registry interacts with Clair on behalf of the user. This kind of setup avoids manual scanning and provides a sensible receiver for Clair's vulnerability notifications. The registry can also enforce authorization, so that image vulnerability information is not disclosed to users who should not see it. Clair can also be integrated into the CI/CD pipeline: once an image is built and pushed to the registry, a Clair request is triggered to scan the image. The integration idea is as follows:

  • The user pushes an image to the container registry; the registry decides, according to a configured black-and-white list, whether to call Clair to scan it
  • Once a Clair scan is triggered, wait for the scan result to return, then notify the user
  • If a vulnerability is found, CI also prevents the CD process from starting; otherwise the CD process starts

Deployment

There are two main options: a kubernetes cluster and local deployment.

Server side

  • k8s cluster
git clone https://github.com/coreos/clair
cd clair/contrib/helm
cp clair/values.yaml ~/my_custom_values.yaml
vi ~/my_custom_values.yaml
helm dependency update clair
helm install clair -f ~/my_custom_values.yaml
  • local
$ mkdir $PWD/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml
$ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6
$ docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair-git:latest -config=/config/config.yaml

Client side

The above is only the Clair server; an additional client is required to actually use it. Among the derivative tools currently listed by the official project there are already many options.

clairctl analyze -l cve-2017-11610_web

Image: /cve-2017-11610_web:latest
 
 Unknown: 80
 Negligible: 235
 Low: 195
 Medium: 418
 High: 161
 Critical: 0
 Defcon1: 0

Taken together, clairctl has rich functionality and a more active community that keeps up with clair updates in a timely manner, so clairctl is the recommended choice. Because it is itself developed in golang, you can also do secondary development on it for your own CI/CD scenario.


Here is a brief introduction to installing clairctl; for detailed usage please refer to the official wiki.

  • master branch version

curl -L https://raw.githubusercontent.com/jgsqware/clairctl/master/install.sh | sh

  • Docker-compose
$ git clone git@github.com:jgsqware/clairctl.git $GOPATH/src/github.com/jgsqware/clairctl
$ cd $GOPATH/src/github.com/jgsqware/clairctl
$ docker-compose up -d postgres

Usage suggestions

  1. master is less stable and not suitable for a production environment; the release version is recommended. The latest is https://github.com/coreos/clair/tree/release-2.0
  2. Clair scans the kernel packaged in the Docker image against the CVE database, but the container actually uses the host's kernel. This can produce a large number of useless findings or false positives. According to the Clair development team, the decision is deliberately left to the user: no whitelist mechanism is provided by default, and no distinction is made between the two cases.
  3. On first start, the vulnerability data has to be downloaded into the database, and the download time depends on network quality. https://github.com/arminc/clair-local-scan can be used in place of the official clair db image.
  4. Many kernel vulnerabilities are detected but in practice cannot be acted upon. However, clair has decided not to filter anything and leaves it to the user, so when doing secondary development it is unavoidable to add a black-and-white list mechanism.
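As an added example (not code from this post or from the Clair project), the CI gate described in the integration section combined with the black-and-white list that item 4 recommends, written against the JSON shape of Clair's v1 layer API (GET /v1/layers/<name>?features&vulnerabilities). The allow/deny lists, the KERNEL_PKGS set, the CVE-XXXX-* identifiers and the sample report are constructed placeholders.

```python
import json

# Clair's severity ladder from lowest to highest (same names as the clairctl summary).
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
# Assumption: features with these package names describe the image's kernel, which a
# container never runs (it uses the host kernel), so they are skipped by default.
KERNEL_PKGS = {"linux", "linux-image", "kernel"}


def needs_scan(image, allowlist, denylist):
    """Registry-side black/white list: denylisted repos are always scanned,
    allowlisted repos are skipped, everything else is scanned."""
    repo = image.split(":", 1)[0]
    if repo in denylist:
        return True
    return repo not in allowlist


def gate(report, whitelist, threshold="High", ignore_kernel=True):
    """Evaluate one Clair v1 layer report (parsed JSON).
    Returns (passed, findings); CD should only start when passed is True."""
    level = SEVERITIES.index(threshold)
    findings = []
    for feat in report.get("Layer", {}).get("Features", []):
        if ignore_kernel and feat["Name"] in KERNEL_PKGS:
            continue
        for vuln in feat.get("Vulnerabilities", []):
            if vuln["Name"] in whitelist:  # CVE explicitly accepted by the user
                continue
            sev = vuln.get("Severity", "Unknown")
            if sev in SEVERITIES and SEVERITIES.index(sev) >= level:
                findings.append((vuln["Name"], feat["Name"], feat["Version"], vuln.get("FixedBy", "")))
    return len(findings) == 0, findings


# Constructed sample report in the shape Clair v1 returns (all values are placeholders).
SAMPLE = json.loads("""{"Layer": {"Name": "layer-1", "NamespaceName": "debian:9", "Features": [
 {"Name": "openssl", "Version": "1.1.0f-3", "Vulnerabilities": [
   {"Name": "CVE-XXXX-0001", "Severity": "High", "FixedBy": "1.1.0f-4"}]},
 {"Name": "linux", "Version": "4.9.65-1", "Vulnerabilities": [
   {"Name": "CVE-XXXX-0002", "Severity": "Critical"}]},
 {"Name": "bash", "Version": "4.4-5", "Vulnerabilities": [
   {"Name": "CVE-XXXX-0003", "Severity": "Medium"}]}]}}""")

if __name__ == "__main__":
    if needs_scan("library/nginx:1.15", allowlist=set(), denylist=set()):
        passed, found = gate(SAMPLE, whitelist={"CVE-XXXX-0001"})
        print("PASS, start CD" if passed else "FAIL, block CD", found)
```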

References

Docker security first -- Image security - CSDN Blog

coreos/clair

jgsqware/clairctl

Original source: https://yzsam.com/2022/172/202206211103451656.html

Copyright notice: this article was written by 0xtuhao; please include the original link when reposting, thank you.