clair
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
- In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
- Clients use the Clair API to index their container images; this parses a list of installed source packages and stores them in the database.
- Clients use the Clair API to query the database; correlating data is done in real time, rather than a cached result that needs re-scanning.
- When updates to vulnerability metadata occur, a webhook containing the affected images can be configured to page or block deployments.

Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named `Clair` after the French term which translates to clear, bright, transparent.
See the official git repo for more information.
This image is built by IBM to run on the IBM Z architecture and is not affiliated with any other community that provides a version of this image.
License
View license information here.
As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
Versions
Use the pull string below for the version of this image you require.

| Version | Pull String | Security (IBM Cloud) | Created |
| --- | --- | --- | --- |
| 4.4.4 | `docker pull icr.io/ibmz/clair@sha256:da62a4a88a9e468aaff4c553139e125d62f19b4a43cbfd5906f5e8293aec57ba` | Vulnerability Report | 08-16-2022 |
| 4.4.2 | `docker pull icr.io/ibmz/clair@sha256:16360dc8928864fda857aaff38ca994ce02166619f597bf482cb8e851b065809` | Vulnerability Report | 06-06-2022 |
| 4.4.1 | `docker pull icr.io/ibmz/clair@sha256:0a944ef19fc1e14c752e6d078cce713d2d76796af9d3b048b8352d34ccfd3442` | Vulnerability Report | 05-19-2022 |
Usage Notes
Start a PostgreSQL database container. (Clair will need to use this database.)
```shell
docker run --name clair-db -p 5432:5432 -e POSTGRES_PASSWORD=[password] -d icr.io/ibmz/postgres:13
```
Copy the sample config.yaml file below and put it in the /config directory of a Docker volume. (Fill all [placeholders] in config.yaml.)
```yaml
clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:[password]@[host/ip address]:5432?sslmode=disable

      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless roundtrips to the database.
      cachesize: 16384

  api:
    # API server port
    port: 6060

    # Health server port
    # This is an unencrypted endpoint useful for load balancers to check the healthiness of the clair server.
    healthport: 6061

    # Deadline before an API request will respond with a 503
    timeout: 900s

    # 32-bit URL-safe base64 key used to encrypt pagination tokens
    # If one is not provided, it will be generated.
    # Multiple clair instances in the same cluster need the same value.
    paginationkey:

    # Optional PKI configuration
    # If you want to easily generate client certificates and CAs, try the following projects:
    # https://github.com/coreos/etcd-ca
    # https://github.com/cloudflare/cfssl
    servername:
    cafile:
    keyfile:
    certfile:

  updater:
    # Frequency the database will be updated with vulnerabilities from the default data sources
    # The value 0 disables the updater entirely.
    interval: 2h

  notifier:
    # Number of attempts before the notification is marked as failed to be sent
    attempts: 3

    # Duration before a failed notification is retried
    renotifyinterval: 2h

    http:
      # Optional endpoint that will receive notifications via POST requests
      endpoint:

      # Optional PKI configuration
      # If you want to easily generate client certificates and CAs, try the following projects:
      # https://github.com/cloudflare/cfssl
      # https://github.com/coreos/etcd-ca
      servername:
      cafile:
      keyfile:
      certfile:

      # Optional HTTP Proxy: must be a valid URL (including the scheme).
      proxy:
```
Run the Clair image.
```shell
docker run --name clair -d -v clair-config-vol:/config -p 6060-6061:6060-6061 icr.io/ibmz/clair:[tag] -config=/config/config.yaml
```
Perform a health check.
```shell
curl -X GET -I http://[host/ip where clair container is running]:6061/health
```
Get an image's vulnerability report. (Note that you may need to wait several minutes for vulnerability reports to be ready.)
```shell
curl -X GET "http://[host/ip where clair container is running]:6060/v1/namespaces/debian:10/vulnerabilities?limit=2"
```
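The two curl commands above can be wrapped in a small client that waits for the health endpoint, then pages through a namespace's vulnerabilities and summarises them by severity. This is an added example, not code from the IBM image page or the Clair project. The host and ports (`localhost:6060`/`6061`) are assumptions matching the `-p 6060-6061:6060-6061` mapping above; the JSON field names `Vulnerabilities`, `NextPage` and `Severity` and the `page=` query parameter are assumed from the Clair v1 API, and the sample responses are constructed so the script also runs offline.

```python
"""Minimal client for the Clair v1 endpoints used in the usage notes.

Added example, not the image page's or the Clair project's own code.
Assumptions: API on localhost:6060 and health on localhost:6061 (the ports
published by the docker run line above); response fields "Vulnerabilities",
"NextPage" and "Severity" and the "page=" query parameter as in the v1 API.
"""
import json
import time
import urllib.error
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional, Tuple

CLAIR_API = "http://localhost:6060"     # assumed: API port published above
CLAIR_HEALTH = "http://localhost:6061"  # assumed: health port published above

Fetch = Callable[[str], str]


def http_get(url: str, timeout: float = 10) -> str:
    """Plain GET returning the body as text; raises on a non-2xx status."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_healthy(base: str = CLAIR_HEALTH, timeout: float = 5) -> bool:
    """True when GET /health answers 200 (the same check as the curl -I above)."""
    try:
        with urllib.request.urlopen(f"{base}/health", timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        return False


def wait_for_health(probe: Callable[[], bool], attempts: int = 30,
                    delay: float = 10.0) -> bool:
    """Poll `probe` until it returns True or `attempts` is exhausted.

    A healthy endpoint means the process is up; it does not by itself mean the
    first vulnerability update has finished, hence the note above about waiting.
    """
    for _ in range(attempts):
        if probe():
            return True
        time.sleep(delay)
    return False


def parse_page(body: str) -> Tuple[List[dict], Optional[str]]:
    """Split one API response into (vulnerability list, next-page token or None)."""
    data = json.loads(body)
    return data.get("Vulnerabilities", []), data.get("NextPage") or None


def iter_vulnerabilities(namespace: str, fetch: Fetch = http_get,
                         limit: int = 100, base: str = CLAIR_API) -> Iterator[dict]:
    """Yield every vulnerability record for `namespace`, following NextPage tokens."""
    url = f"{base}/v1/namespaces/{namespace}/vulnerabilities?limit={limit}"
    token: Optional[str] = None
    seen = set()  # stop if a server ever hands back a token it already gave us
    while True:
        page_url = url if token is None else f"{url}&page={token}"
        vulns, token = parse_page(fetch(page_url))
        yield from vulns
        if token is None or token in seen:
            return
        seen.add(token)


def severity_summary(vulns) -> Dict[str, int]:
    """Count records per Severity, using "Unknown" when the field is missing."""
    return dict(Counter(v.get("Severity", "Unknown") for v in vulns))


# Constructed two-page response for offline use; the CVE names are made up.
_SAMPLE_PAGES = {
    f"{CLAIR_API}/v1/namespaces/debian:10/vulnerabilities?limit=2": json.dumps({
        "Vulnerabilities": [
            {"Name": "CVE-0000-0001", "NamespaceName": "debian:10", "Severity": "High"},
            {"Name": "CVE-0000-0002", "NamespaceName": "debian:10", "Severity": "Low"},
        ],
        "NextPage": "page-token-1",
    }),
    f"{CLAIR_API}/v1/namespaces/debian:10/vulnerabilities?limit=2&page=page-token-1": json.dumps({
        "Vulnerabilities": [
            {"Name": "CVE-0000-0003", "NamespaceName": "debian:10", "Severity": "High"},
        ],
    }),
}


def fake_fetch(url: str) -> str:
    """Offline stand-in for http_get that serves the constructed pages."""
    return _SAMPLE_PAGES[url]


if __name__ == "__main__":
    if wait_for_health(is_healthy, attempts=3, delay=2):
        print(severity_summary(iter_vulnerabilities("debian:10", limit=2)))
    else:
        print("Clair not reachable; summarising the constructed sample instead")
        print(severity_summary(iter_vulnerabilities("debian:10", fake_fetch, limit=2)))
```

Run it with the container up to get a severity count for `debian:10` from the live API; without a reachable instance it falls back to the constructed pages, which is also what the paging logic is exercised against. Passing `fetch` in explicitly keeps the paging code testable without a network.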
See Clair Scanner for information on how to scan local images with Clair.