Docker Image Security Scan with Clair
Introduction
There are many open-source and proprietary container image scanning tools. These tools first perform a binary scan on each layer of the image: they identify the software components in each layer and index the SHA of each component. The scan then compares the SHA of each component against common CVE data sources such as the US National Vulnerability Database, Red Hat Security Data, and the Ubuntu CVE Tracker. You can view the list of vulnerability data sources used by the Clair docker image scanning tool.
List of Docker Image Scanning tools
Docker Trusted Registry
Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker. In order to use DTR, you need a Docker Enterprise license. Docker Trusted Registry has its own built-in image scanner. You can read more about Docker Trusted Registry here.
Anchore
Anchore has an open-source and an enterprise version of its container image scanning tool. You can get a clear understanding of the differences between the open-source and enterprise versions here. Anchore is also available as a Jenkins plugin, allowing you to integrate container image scanning into the CI/CD workflow.
Clair
Clair is an open-source vulnerability scanner and static analysis tool for container images by CoreOS. Clair is only a back-end service: it updates its database from various data sources and exposes an API for clients to invoke and perform scans. To initiate scans, users have to use third-party client tools. A list of scanning client tools and related projects can be found here.
OpenSCAP
Security Content Automation Protocol (SCAP) enables automated vulnerability management, measurement, and policy compliance evaluation using a specific set of standards. OpenSCAP is an example of SCAP implementation. OpenSCAP provides a set of tools for scanning and compliance management, including scap-workbench, which can scan a container image.
Clair Architecture
Deploy Clair on k8s
1. Clone the resources from the Git repository.
git clone https://github.com/Chathuru/clair-scanner.git
2. Deploy Helm chart
helm install <RELEASE_NAME> clair
Clair now starts updating its vulnerability database. This may take around 30 min to 1 hour.
Now we need to set up a 3rd party Clair scanner client. In this article, I am using arminc/clair-scanner. Download the binary version of clair-scanner.
wget https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
mv clair-scanner_linux_amd64 clair-scanner
chmod +x clair-scanner
Now it's time to scan some images.
Find the Clair NodePort assigned by the k8s cluster:
kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
clair-clair NodePort 10.96.213.45 6060:32159/TCP,6061:30273/TCP 11m
clair-postgresql ClusterIP 10.97.231.158 5432/TCP 11m
kubernetes ClusterIP 10.96.0.1 443/TCP 30d
registry-service ClusterIP 10.98.219.218 5000/TCP 112m
Scan docker images
./clair-scanner --ip <IP_OF_THE_CLIENT_NODE> -c "http://<K8S_CLUSTER_IP>:<NODE_PORT>" <DOCKER_IMAGE_NAME>
ubuntu@jenkins-master:~$ ./clair-scanner --ip 192.168.118.13 -c "http://192.168.118.18:32159" centos:7
2020/03/28 19:05:45 [INFO] ▶ Start clair-scanner
2020/03/28 19:05:51 [INFO] ▶ Server listening on port 9279
2020/03/28 19:05:51 [INFO] ▶ Analyzing f0c106d95b03624fa2b31013f3fe2897281c71d9504cd41a450c27086f7111b3
2020/03/28 19:05:51 [INFO] ▶ Image [centos:7] contains NO unapproved vulnerabilities
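The steps above (find the NodePort, run clair-scanner, read the verdict) wrapped into shell helpers for a CI job. This is an added example, not code from the original post or from the clair-scanner project; it assumes the Helm release created a service named clair-clair exposing Clair's API on port 6060, as in the kubectl output shown above, and that clair-scanner and kubectl are on the PATH of the CI node.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the clair-scanner project).
# Assumes the Helm release created service "clair-clair" with Clair's API on 6060.

# Print the NodePort mapped to Clair's API port, read from `kubectl get service`
# output on stdin. Usage: clair_nodeport [SERVICE_NAME] [API_PORT]
clair_nodeport() {
  awk -v svc="${1:-clair-clair}" -v api="${2:-6060}" '
    $1 == svc && $2 == "NodePort" {
      for (i = 3; i <= NF; i++) {            # PORT(S) column position varies
        n = split($i, ports, ",")            # 6060:32159/TCP,6061:30273/TCP
        for (j = 1; j <= n; j++) {
          split(ports[j], p, "[:/]")         # p[1]=6060 p[2]=32159 p[3]=TCP
          if (p[1] == api) { print p[2]; found = 1; exit }
        }
      }
    }
    END { if (!found) exit 1 }'
}

# Classify clair-scanner output read from stdin. Only the verdict line shown on
# this page ("contains NO unapproved vulnerabilities") counts as a pass; anything
# else fails closed so a CI job never lets an unscanned image through.
scan_verdict() {
  log=$(cat)
  case "$log" in
    *"contains NO unapproved vulnerabilities"*) echo clean;      return 0 ;;
    *"unapproved vulnerabilities"*)             echo unapproved; return 1 ;;
    *)                                          echo unknown;    return 2 ;;
  esac
}

# Discover the NodePort and gate one image: gate_image CLIENT_IP NODE_IP IMAGE
gate_image() {
  port=$(kubectl get service | clair_nodeport) || { echo "Clair NodePort not found" >&2; return 2; }
  ./clair-scanner --ip "$1" -c "http://$2:$port" "$3" 2>&1 | scan_verdict
}

# Constructed sample inputs (shaped like the output on this page) for a dry run.
SAMPLE_SVC='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
clair-clair NodePort 10.96.213.45 <none> 6060:32159/TCP,6061:30273/TCP 11m
clair-postgresql ClusterIP 10.97.231.158 <none> 5432/TCP 11m'
SAMPLE_LOG='2020/03/28 19:05:51 [INFO] ▶ Image [centos:7] contains NO unapproved vulnerabilities'

printf '%s\n' "$SAMPLE_SVC" | clair_nodeport          # prints 32159
printf '%s\n' "$SAMPLE_LOG" | scan_verdict            # prints clean
```

In a pipeline, `gate_image 192.168.118.13 192.168.118.18 centos:7` returns non-zero unless the scanner reports no unapproved vulnerabilities, so the job fails on both findings and scanner errors.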