clair

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

See official git repo for more information

This image is built by IBM to run on the IBM Z architecture and is not affiliated with any other community that provides a version of this image.


License

View license information here

As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc. from the base distribution, along with any direct or indirect dependencies of the primary software being contained).

As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.


Versions

Use the pull string below for the version of this image you require.
Version | Pull String | Security (IBM Cloud) | Created
4.4.4 | docker pull icr.io/ibmz/clair@sha256:da62a4a88a9e468aaff4c553139e125d62f19b4a43cbfd5906f5e8293aec57ba | Vulnerability Report | 08-16-2022
4.4.2 | docker pull icr.io/ibmz/clair@sha256:16360dc8928864fda857aaff38ca994ce02166619f597bf482cb8e851b065809 | Vulnerability Report | 06-06-2022
4.4.1 | docker pull icr.io/ibmz/clair@sha256:0a944ef19fc1e14c752e6d078cce713d2d76796af9d3b048b8352d34ccfd3442 | Vulnerability Report | 05-19-2022
4.4.0 | docker pull icr.io/ibmz/clair@sha256:da637ca5b14f837c271fa18e9be751ee33c98ec7908ac6fd5b375e24063bde86 | Vulnerability Report | 03-16-2022
4.3.6 | docker pull icr.io/ibmz/clair@sha256:40c16bdf895099bfac12a2fb8f2180d4597dcd76f715e213cb047492735aaf18 | Vulnerability Report | 02-17-2022
4.3.0 | docker pull icr.io/ibmz/clair@sha256:2e057ef169b7ac0a2d499172c911a13a0cc5b6436273c767a5e7f917636d5aa3 | Vulnerability Report | 10-20-2021
2.0 | docker pull icr.io/ibmz/clair@sha256:9255255f70ef18f638dd7ee39abc61a3a6a34efc49dcc53c5acc1cab77d30591 | Vulnerability Report | 12-08-2020

Usage Notes

Start a PostgreSQL database container. (Clair will need to use this database.)

docker run --name clair-db -p 5432:5432 -e POSTGRES_PASSWORD=[password] -d icr.io/ibmz/postgres:13

Copy the sample config.yaml file below and put it in the /config directory of a Docker volume. (Fill all [placeholders] in config.yaml.)

clair:
  database:
    # Database driver
    type: pgsql
    options:
      # PostgreSQL Connection string
      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
      source: postgresql://postgres:[password]@[host/ip address]:5432?sslmode=disable

      # Number of elements kept in the cache
      # Values unlikely to change (e.g. namespaces) are cached in order to prevent needless roundtrips to the database.
      cachesize: 16384

  api:
    # API server port
    port: 6060

    # Health server port
    # This is an unencrypted endpoint useful for load balancers to check the healthiness of the clair server.
    healthport: 6061

    # Deadline before an API request will respond with a 503
    timeout: 900s

    # 32-bit URL-safe base64 key used to encrypt pagination tokens
    # If one is not provided, it will be generated.
    # Multiple clair instances in the same cluster need the same value.
    paginationkey:

    # Optional PKI configuration
    # If you want to easily generate client certificates and CAs, try the following projects:
    # https://github.com/coreos/etcd-ca
    # https://github.com/cloudflare/cfssl
    servername:
    cafile:
    keyfile:
    certfile:

  updater:
    # Frequency the database will be updated with vulnerabilities from the default data sources
    # The value 0 disables the updater entirely.
    interval: 2h

  notifier:
    # Number of attempts before the notification is marked as failed to be sent
    attempts: 3

    # Duration before a failed notification is retried
    renotifyinterval: 2h

    http:
      # Optional endpoint that will receive notifications via POST requests
      endpoint:

      # Optional PKI configuration
      # If you want to easily generate client certificates and CAs, try the following projects:
      # https://github.com/cloudflare/cfssl
      # https://github.com/coreos/etcd-ca
      servername:
      cafile:
      keyfile:
      certfile:

      # Optional HTTP Proxy: must be a valid URL (including the scheme).
      proxy:

Run the Clair image.

docker run --name clair -d -v clair-config-vol:/config -p 6060-6061:6060-6061 icr.io/ibmz/clair:[tag] -config=/config/config.yaml

Perform a health check.

curl -X GET -I http://[host/ip where clair container is running]:6061/health

Get an image's vulnerability report. (Note that you may need to wait several minutes for vulnerability reports to be ready.)

curl -X GET "http://[host/ip where clair container is running]:6060/v1/namespaces/debian:10/vulnerabilities?limit=2"

See Clair Scanner for information on how to scan local images with Clair.
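
A pre-flight check for the config.yaml from the Usage Notes, added here as an example and not part of the IBM image or the Clair project: it flags unfilled [placeholders], sslmode=disable in the connection string, empty API PKI fields, and an empty paginationkey. The function names and the trimmed sample are constructed for illustration, and the small parser assumes the block-style layout shown on this page.

```python
import re

# Constructed sample: the page's config.yaml, placeholders left unfilled,
# trimmed to the keys this check reads.
SAMPLE_CONFIG = """\
clair:
  database:
    options:
      source: postgresql://postgres:[password]@[host/ip address]:5432?sslmode=disable
  api:
    port: 6060
    paginationkey:
    cafile:
    keyfile:
    certfile:
"""

def flatten(text):
    """Map dotted key paths to values for a block-style YAML file like the page's."""
    stack, values = [], {}  # stack: (indent, key) of the mappings currently open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        values[".".join(k for _, k in stack)] = value.strip()
    return values

def check_clair_config(text):
    """Return a list of findings (hypothetical helper, not part of Clair)."""
    cfg, findings = flatten(text), []
    for path, value in cfg.items():
        if re.search(r"\[[a-z /]+\]", value):  # e.g. [password], [host/ip address]
            findings.append(f"{path}: unfilled placeholder")
    if re.search(r"[?&]sslmode=disable\b", cfg.get("clair.database.options.source", "")):
        findings.append("clair.database.options.source: sslmode=disable, no TLS to PostgreSQL")
    if not all(cfg.get(f"clair.api.{k}") for k in ("cafile", "keyfile", "certfile")):
        findings.append("clair.api: PKI fields empty, no TLS or client certificates configured")
    if not cfg.get("clair.api.paginationkey"):
        findings.append("clair.api.paginationkey: empty, set one shared key for clustered instances")
    return findings

if __name__ == "__main__":
    for finding in check_clair_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the file in the config volume before starting the Clair container by passing the file's contents to check_clair_config.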