Clair is an open-source container vulnerability scanner recently released by CoreOs. The tool cross-checks if a Docker image's operating system and any of its installed packages match any known insecure package versions. The vulnerabilities are fetched from OS-specific common vulnerabilities and exposures (CVE) databases. Currently supported are Red Hat, Ubuntu, and Debian.
By extracting static information from the image's filesystem and keeping a list of diffs between the different layers that the image is composed of, the analysis time is greatly reduced and does not require actually running the potentially vulnerable containers. All images that depend on a vulnerable lower level layer are immediately identified as vulnerable as well thanks to the use of a graph storage, without the need to re-analyze the image.
CoreOs uses Clair for analyzing Docker images uploaded by customers to Quay.io, a container registry similar to DockerHub. The majority of images in Quay.io were found vulnerable even to high profile exploits such as Heartbleed (80%) or Ghost (67%). Earlier this year a report on Docker Hub concluded at least 30% of official images and up to 40% of uploaded images contained high severity vulnerabilities. Docker has meanwhile announced Project Nautilus, their own image scanning and vulnerability detection, at DockerCon EU 2015, among other security-related features. Nautilus has not been open sourced and runs only in Docker Hub.
There are other container vulnerability scanners in the market, such as IBM's Vulnerability Advisor or FlawCheck. The main difference is that they are propietary and, in IBM's case, only applicable to images hosted on their Bluemix cloud offering. IBM's solution also supports basic security policies (e.g. "password expiration should be 90 days") which generate alerts in a similar fashion as a static code analysis tool.
Of course, these tools identify the presence of potentially exploitable packages, they do not validate that they are actually in use. Also they cannot detect dynamic behavior in running instances, such as installing vulnerable package versions at runtime.
Clair provides a JSON API and can be run locally to inspect container images, for example as part of continuous integration or a continuous delivery pipeline.
The following snippet initializes (default configuration) and starts Clair as a local service:
$ git clone https://github.com/coreos/clair.git
# clone the Clair repo from Github
$ cp clair/config.example.yaml clair/config/config.yaml
# create an initial config file with default settings
$ docker pull quay.io/coreos/clair:latest
# download a CoreOs container image with Clair installed
$ docker run -p 6060:6060 -p 6061:6061 -v clair:$PWD/clair/config:ro quay.io/coreos/clair:latest --config=/config/config.yaml
# start service - make sure to wait for the initial list
# of vulnerabilities to be fetched (message "updater: update finished")
If the pipeline generates immutable Docker images for deployment, then a vulnerability scan can be included as part of the security tests at some stage, possibly stopping the pipeline. For instance, to analyze a Docker image called "tmpimage":
$ go get -u github.com/coreos/clair/contrib/analyze-local-images
# you need to have go installed
$ $GOPATH/bin/analyze-local-images tmpimage
# analyze-local-images is a wrapper script that analyzes
# all layers in the image
The above snippet finds vulnerabilities of high or critical severity in any of the layers in the image. It is possible to specify other severity levels by extracting each layer and submitting them individually to Clair's API.
A full list of vulnerabilities (any severity, from Negligible to Critical) for a single layer could be produced for later analysis, for example by running:
$ curl -s -H "Content-Type: application/json" -X POST -d \
'{
"ID": "39bb80489af75406073b5364c9c326134015140e1f7976a370a8bd446889e6f8",
"Path": "/tmp/docker/layers/39bb80489af75406073b5364c9c326134015140e1f7976a370a8bd446889e6f8.tar"
}' \
127.0.0.1:6060/v1/layers
# submit layer for Clair to analyze and store in DB
$ curl -s "127.0.0.1:6060/v1/layers/39bb80489af75406073b5364c9c326134015140e1f7976a370a8bd446889e6f8/vulnerabilities?minimumPriority=Negligible" | python -m json.tool > all_vulnerabilities.json
# retrieve all vulnerabilities found in the layer
CoreOS also recently announced Distributed Trusted Computing (DTC) capabilities in Tectonic, their Container-as-a-Service offering. DTC establishes a cryptographic chain of trust on the full stack, from the application layer, to the container, operating system and down to the hardware.