Vulnerability scanner tool designed to work alongside Clair.
When you work with containers you package not only your application but also part of an operating system: the distribution's system libraries and packages. It is crucial to know which of those libraries in your image carry known vulnerabilities.
One way to find this out is to rely on the security scan offered by the Docker registry (Docker Hub or Quay.io). By then, however, the vulnerable image has already been pushed to the registry. What you want is a scan that runs as part of the CI/CD pipeline and stops the Docker image push when vulnerabilities above an accepted severity are found.
This straightforward process is not easy to achieve with services like Docker Hub or Quay.io, because their scans run asynchronously after the push, which does not fit a synchronous CI/CD gate.
See the official git repo for more information. This image is built by IBM to run on the IBM Z architecture and is not affiliated with any other community that provides a version of this image.

Version | Pull String | Security (IBM Cloud) | Created |
---|---|---|---|
13.0 | `docker pull icr.io/ibmz/clair-scanner@sha256:88a15a5ccee29c7c77b8ab13980a770e63fd1aba990ca5a88fff60cb467b7bf3` | Vulnerability Report | 10-26-2021 |
Run Clair Scanner.
Note that the Docker socket (`/var/run/docker.sock`) must be mounted into the container: clair-scanner does not run its own Docker daemon, it talks to the host's daemon through that socket to export the layers of the image it scans. Mounting it read-only (`:ro`) limits what the scanner container can do with it. The container also joins the network namespace of the running `clair` container (`--network container:clair`), which is why Clair is addressed as `localhost:6060`.
```sh
docker run --network container:clair --rm -v /var/run/docker.sock:/var/run/docker.sock:ro \
  quay.io/ibm/clair-scanner:13.0 --threshold="Negligible" --clair="http://localhost:6060" [local_image_to_scan]
```

If you pulled the image from IBM Cloud Container Registry, substitute the `icr.io/ibmz/clair-scanner@sha256:…` pull string from the table above for `quay.io/ibm/clair-scanner:13.0`.
The scan report is then printed to the console. The `--threshold` flag sets the lowest Clair severity that counts as a failure (Clair's ordering, lowest to highest: `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical`, `Defcon1`); with `Negligible`, practically every known vulnerability fails the scan. clair-scanner exits with a non-zero status when it finds a vulnerability at or above the threshold that is not whitelisted, and that exit status is what lets a CI job block the push.
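The CI gate described above, as an added example (this is not code from the clair-scanner project or from this page). It assumes a Clair v2 container named `clair` is already running with its API on port 6060 published to the CI runner, that `docker` and `curl` are installed on the runner, that the runner is already logged in to the target registry, and that an optional clair-scanner whitelist file, if used, sits in the current directory. The scanner image, Clair URL, registry name and the `clair-report.json` file name are all assumptions.

```bash
#!/bin/sh
# Added example, not part of clair-scanner or the page: gate "docker push"
# on a clair-scanner result. Assumes a Clair v2 container named "clair" is
# running and its API port 6060 is published on the CI runner (for the
# readiness check); the scan itself reaches Clair via the shared netns.
set -eu

SCANNER_IMAGE="${SCANNER_IMAGE:-quay.io/ibm/clair-scanner:13.0}"   # from the page
CLAIR_URL="${CLAIR_URL:-http://localhost:6060}"                     # seen from inside the clair netns
CLAIR_HOST_URL="${CLAIR_HOST_URL:-http://127.0.0.1:6060}"           # seen from the CI runner (assumed published port)

# Clair's severity names, lowest to highest, mapped to a rank so that they
# can be compared numerically. Prints -1 for a name Clair does not know.
severity_rank() {
    case "$1" in
        Unknown)    echo 0 ;;
        Negligible) echo 1 ;;
        Low)        echo 2 ;;
        Medium)     echo 3 ;;
        High)       echo 4 ;;
        Critical)   echo 5 ;;
        Defcon1)    echo 6 ;;
        *)          echo -1 ;;
    esac
}

# Reject a misspelled threshold before the scan runs: a typo such as
# "negligible" must fail the job rather than silently change the gate.
validate_threshold() {
    [ "$(severity_rank "$1")" -ge 0 ]
}

# Wait up to ~60 s for Clair's v1 API; clair-scanner fails with a plain
# connection error if Clair is still loading its vulnerability database.
wait_for_clair() {
    i=0
    until curl -sf "$CLAIR_HOST_URL/v1/namespaces" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "Clair not reachable at $CLAIR_HOST_URL" >&2; return 1; }
        sleep 2
    done
}

# Scan, then push only on success. clair-scanner exits non-zero when any
# vulnerability at or above the threshold is not whitelisted, so the "&&"
# is the whole gate. The JSON report (-r/--report) is written to $PWD so the
# CI system can keep it as an artifact.
scan_and_push() {
    image=$1
    threshold=${2:-Medium}
    whitelist=${3:-}     # optional clair-scanner whitelist YAML in $PWD

    validate_threshold "$threshold" || { echo "unknown threshold '$threshold'" >&2; return 2; }
    wait_for_clair

    set -- --clair="$CLAIR_URL" --threshold="$threshold" --report=/report/clair-report.json
    if [ -n "$whitelist" ]; then
        set -- "$@" --whitelist="/report/$whitelist"
    fi
    docker run --rm --network container:clair \
        -v /var/run/docker.sock:/var/run/docker.sock:ro \
        -v "$PWD:/report" \
        "$SCANNER_IMAGE" "$@" "$image" \
    && docker push "$image"
}

# Usage from a CI job (assumed registry and tag; not run when sourced):
#   scan_and_push registry.example.com/team/app:"$GIT_SHA" High whitelist.yaml
```

Because the scanner container shares the `clair` container's network namespace, `--clair` keeps the page's `http://localhost:6060` value even though the readiness check from the runner goes through the published port. Choosing `High` or `Medium` as the threshold and maintaining a reviewed whitelist is the usual compromise; `Negligible`, as in the page's command, fails almost every real base image.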