appc and docker).
Version | Pull String | Security (IBM Cloud) | Created |
---|---|---|---|
4.4.4 | docker pull icr.io/ibmz/clair@sha256:da62a4a88a9e468aaff4c553139e125d62f19b4a43cbfd5906f5e8293aec57ba | Vulnerability Report | 08-16-2022 |
4.4.2 | docker pull icr.io/ibmz/clair@sha256:16360dc8928864fda857aaff38ca994ce02166619f597bf482cb8e851b065809 | Vulnerability Report | 06-06-2022 |
4.4.1 | docker pull icr.io/ibmz/clair@sha256:0a944ef19fc1e14c752e6d078cce713d2d76796af9d3b048b8352d34ccfd3442 | Vulnerability Report | 05-19-2022 |

```sh
docker run --name clair-db -p 5432:5432 -e POSTGRES_PASSWORD=[password] -d icr.io/ibmz/postgres:13
```

Copy the sample config.yaml file below and put it in the /config directory of a Docker volume. (Fill all [placeholders] in config.yaml.)

```yaml
clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:[password]@[host/ip address]:5432?sslmode=disable
      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless round trips to the database.
      cachesize: 16384
  api:
    # API server port
    port: 6060
    # Health server port
    # This is an unencrypted endpoint useful for load balancers to check the healthiness of the clair server.
    healthport: 6061
    # Deadline before an API request will respond with a 503
    timeout: 900s
    # 32-bit URL-safe base64 key used to encrypt pagination tokens
    # If one is not provided, it will be generated.
    # Multiple clair instances in the same cluster need the same value.
    paginationkey:
    # Optional PKI configuration
    # If you want to easily generate client certificates and CAs, try the following projects:
    # https://github.com/coreos/etcd-ca
    # https://github.com/cloudflare/cfssl
    servername:
    cafile:
    keyfile:
    certfile:
  updater:
    # Frequency the database will be updated with vulnerabilities from the default data sources
    # The value 0 disables the updater entirely.
    interval: 2h
  notifier:
    # Number of attempts before the notification is marked as failed to be sent
    attempts: 3
    # Duration before a failed notification is retried
    renotifyinterval: 2h
    http:
      # Optional endpoint that will receive notifications via POST requests
      endpoint:
      # Optional PKI configuration
      # If you want to easily generate client certificates and CAs, try the following projects:
      # https://github.com/cloudflare/cfssl
      # https://github.com/coreos/etcd-ca
      servername:
      cafile:
      keyfile:
      certfile:
      # Optional HTTP Proxy: must be a valid URL (including the scheme).
      proxy:
```

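
A pre-flight check for the filled-in config.yaml, as an added example that is not part of the original page or the Clair project: it flags placeholders left unfilled, the `sslmode=disable` connection string, and empty API PKI and `paginationkey` fields. The `flatten` and `lint` helpers and the sample values are constructed for illustration, and the parser is a minimal indentation reader rather than a YAML library.

```python
import re

# Constructed sample: trimmed config.yaml with [password] unfilled and API PKI empty.
SAMPLE = """\
clair:
  database:
    options:
      source: postgresql://postgres:[password]@10.0.0.5:5432?sslmode=disable
      cachesize: 16384
  api:
    paginationkey:
    cafile:
    keyfile:
    certfile:
"""

def flatten(text):
    """Map each 'key: value' line to a dotted path, using indentation for nesting."""
    stack, flat = [], {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that are as deep or deeper
        stack.append((indent, key))
        flat[".".join(k for _, k in stack)] = value.strip()
    return flat

def lint(text):
    """Return findings for a Clair config.yaml (hypothetical helper)."""
    cfg, findings = flatten(text), []
    for path, value in cfg.items():
        # Page-style placeholders such as [password] or [host/ip address]
        if re.search(r"\[[a-z /]+\]", value):
            findings.append(f"{path}: unfilled placeholder")
    if "sslmode=disable" in cfg.get("clair.database.options.source", ""):
        findings.append("clair.database.options.source: sslmode=disable (no TLS to PostgreSQL)")
    missing = [k for k in ("cafile", "keyfile", "certfile") if not cfg.get(f"clair.api.{k}")]
    if missing:
        findings.append("clair.api: PKI fields empty: " + ", ".join(missing))
    if not cfg.get("clair.api.paginationkey"):
        findings.append("clair.api.paginationkey: empty, so each instance generates its own key")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN", finding)
```
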
Run the Clair image.

```sh
docker run --name clair -d -v clair-config-vol:/config -p 6060-6061:6060-6061 icr.io/ibmz/clair:[tag] -config=/config/config.yaml
```

Perform a health check.

```sh
# Quote the URL so the shell passes it to curl unchanged
curl -X GET -I "http://[host/ip where clair container is running]:6061/health"
```

Get an image's vulnerability report. (Note that you may need to wait several minutes for vulnerability reports to be ready.)

```sh
# Quote the URL so the shell does not treat "?" as a glob character
curl -X GET "http://[host/ip where clair container is running]:6060/v1/namespaces/debian:10/vulnerabilities?limit=2"
```

See Clair Scanner for information on how to scan local images with Clair.