Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers.
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project.
```yaml
# Copyright 2015 clair authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:password@postgres:5432?sslmode=disable

      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless roundtrips to the database.
      cachesize: 16384

  api:
    # API server port
    port: 6060

    # Health server port
    # This is an unencrypted endpoint useful for load balancers to check the healthiness of the clair server.
    healthport: 6061

    # Deadline before an API request will respond with a 503
    timeout: 900s

    # 32-bit URL-safe base64 key used to encrypt pagination tokens
    # If one is not provided, it will be generated.
    # Multiple clair instances in the same cluster need the same value.
    paginationkey:

    # Optional PKI configuration
    # If you want to easily generate client certificates and CAs, try the following projects:
    # https://github.com/coreos/etcd-ca
    # https://github.com/cloudflare/cfssl
    servername:
    cafile:
    keyfile:
    certfile:

  updater:
    # Frequency the database will be updated with vulnerabilities from the default data sources
    # The value 0 disables the updater entirely.
    interval: 2h

  notifier:
    # Number of attempts before the notification is marked as failed to be sent
    attempts: 3

    # Duration before a failed notification is retried
    renotifyinterval: 2h

    http:
      # Optional endpoint that will receive notifications via POST requests
      endpoint:

      # Optional PKI configuration
      # If you want to easily generate client certificates and CAs, try the following projects:
      # https://github.com/cloudflare/cfssl
      # https://github.com/coreos/etcd-ca
      servername:
      cafile:
      keyfile:
      certfile:

      # Optional HTTP Proxy: must be a valid URL (including the scheme).
      proxy:
```
```yaml
version: '2'
services:
  postgres:
    container_name: clair_postgres
    image: postgres:latest
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: password
    volumes:
      - ./data:/var/lib/postgresql/data

  clair:
    container_name: clair_clair
    image: quay.io/coreos/clair:latest
    restart: unless-stopped
    depends_on:
      - postgres
    ports:
      - "6060-6061:6060-6061"
    links:
      - postgres
    volumes:
      - /tmp:/tmp
      - ./clair_config:/config
    command: [-config, /config/config.yaml]
```
```sh
docker-compose up -d
```
```sh
./analyze-local-images -endpoint "http://192.168.42.42:6060" -my-address "192.168.42.42" aimuz/alpine:latest
```

```
Clair report for image aimuz/alpine (2019-09-18 02:34:53.451491 +0000 UTC)
Success! No vulnerabilities were detected in your image
```
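As an added example (not code from the Clair project or from the analyze-local-images tool), the same exchange in Python against the Clair v1 API: each layer is pushed with its parent, then the top layer's features and vulnerabilities are fetched and turned into a severity-sorted list with a pass/fail verdict. The endpoint, the layer names and paths under the shared /tmp, and SAMPLE_REPORT are constructed assumptions; the request and response field names are those of Clair's v1 API as the author of this example understands it.

```python
import json
import urllib.request
# Clair v1 severity scale, lowest to highest; a string we do not recognise ranks as Unknown.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

def rank(severity):
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0

def layer_payload(name, path, parent=None):
    """Body for POST /v1/layers; `path` must be reachable from the Clair container (here: the shared /tmp)."""
    layer = {"Name": name, "Path": path, "Format": "Docker"}
    if parent:
        layer["ParentName"] = parent  # chains this layer onto the one beneath it
    return {"Layer": layer}

def post_layer(endpoint, payload):
    req = urllib.request.Request(endpoint + "/v1/layers", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_report(endpoint, layer_name):
    # Querying the topmost layer returns the features and vulnerabilities of the whole chain.
    with urllib.request.urlopen(f"{endpoint}/v1/layers/{layer_name}?features&vulnerabilities") as resp:
        return json.load(resp)

def summarize(report, threshold="High"):
    """Flatten a GET /v1/layers response into severity-sorted findings plus a pass/fail verdict."""
    findings = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            findings.append({"package": feature.get("Name"), "version": feature.get("Version"),
                             "vulnerability": vuln.get("Name"), "severity": vuln.get("Severity", "Unknown"), "fixed_by": vuln.get("FixedBy", "")})
    findings.sort(key=lambda f: rank(f["severity"]), reverse=True)
    blocking = [f for f in findings if rank(f["severity"]) >= rank(threshold)]
    return findings, not blocking  # the image fails when anything at or above `threshold` is present

def analyze(endpoint, layers):
    """`layers` lists (name, path) from base to top; push each with its parent, then report on the top."""
    parent = None
    for name, path in layers:
        post_layer(endpoint, layer_payload(name, path, parent))
        parent = name
    return summarize(fetch_report(endpoint, parent))

# Constructed sample of a GET /v1/layers response (placeholder vulnerability names, not real advisories).
SAMPLE_REPORT = {"Layer": {"Name": "top", "NamespaceName": "alpine:3.10", "Features": [
    {"Name": "musl", "Version": "1.1.22-r3", "Vulnerabilities": [{"Name": "CVE-EXAMPLE-0001", "Severity": "High", "FixedBy": "1.1.22-r4"}]},
    {"Name": "busybox", "Version": "1.30.1-r2", "Vulnerabilities": [{"Name": "CVE-EXAMPLE-0002", "Severity": "Low", "FixedBy": ""}]},
    {"Name": "zlib", "Version": "1.2.11-r1"}]}}
```

`analyze("http://192.168.42.42:6060", [("base", "/tmp/base/layer.tar"), ("top", "/tmp/top/layer.tar")])` runs the live exchange against a Clair started with the compose file above; `summarize(SAMPLE_REPORT)` exercises the report handling offline.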