clair-scanner

Vulnerability scanner tool designed to work alongside Clair.

When you work with containers you are not only packaging your application but also part of the OS. It is crucial to know what kind of libraries might be vulnerable in your container.

One way to find this information is to look at the security scan provided by the Docker registry (Docker Hub or Quay.io). By then, however, your vulnerable image is already on the Docker registry. What you want is a scan as part of the CI/CD pipeline that stops the Docker image push when vulnerabilities are found.

This straightforward process is not that easy to achieve when using services like Docker Hub or Quay.io. This is because they work asynchronously, which makes it harder to do a straightforward CI/CD pipeline.

See official git repo for more information

This image is built by IBM to run on the IBM Z architecture and is not affiliated with any other community that provides a version of this image.


License

View license information here

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.


Versions

Use the pull string below for the version of this image you require.
Version | Pull String | Security (IBM Cloud) | Created
13.0 | docker pull icr.io/ibmz/clair-scanner@sha256:88a15a5ccee29c7c77b8ab13980a770e63fd1aba990ca5a88fff60cb467b7bf3 | Vulnerability Report | 10-26-2021

Usage Notes

Run Clair Scanner.

Note that docker.sock needs to be mounted to the container because this image runs Docker inside the container.

docker run --network container:clair --rm -v /var/run/docker.sock:/var/run/docker.sock:ro \
           quay.io/ibm/clair-scanner:13.0 --threshold="Negligible" --clair="http://localhost:6060" [local_image_to_scan]

The scan report is then printed to the console.
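
The pipeline gate described at the top of this page, as an added example (not part of the original page or the clair-scanner project): a wrapper around the command above that pushes the image only when the scan passes. It assumes the scanner exits non-zero when it reports vulnerabilities at or above the threshold; the function names and the environment-variable overrides are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate around the scanner command from the usage notes.
# Assumptions (not from the page): the scanner exits non-zero when it finds
# vulnerabilities at or above the threshold; scan_image/scan_then_push and the
# SCANNER_IMAGE/CLAIR_URL/THRESHOLD overrides are hypothetical names.

SCANNER_IMAGE="${SCANNER_IMAGE:-quay.io/ibm/clair-scanner:13.0}"
CLAIR_URL="${CLAIR_URL:-http://localhost:6060}"
THRESHOLD="${THRESHOLD:-Negligible}"

# Run the scanner against a local image ($1), sharing the network namespace
# of the running "clair" container exactly as in the usage notes.
scan_image() {
    docker run --network container:clair --rm \
        -v /var/run/docker.sock:/var/run/docker.sock:ro \
        "$SCANNER_IMAGE" --threshold="$THRESHOLD" --clair="$CLAIR_URL" "$1"
}

# Scan first, push second. Any non-zero scanner exit blocks the push, so a
# scanner that cannot reach Clair fails closed instead of letting the image out.
scan_then_push() {
    image="$1"
    if [ -z "$image" ]; then
        echo "usage: scan_then_push IMAGE" >&2
        return 2
    fi
    if scan_image "$image"; then
        echo "scan passed, pushing $image"
        docker push "$image"
    else
        rc=$?
        echo "scan failed (exit $rc), not pushing $image" >&2
        return 1
    fi
}
```

Source the file in the CI job and call scan_then_push with the locally built image name; the job step fails whenever the function returns non-zero.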