Clair for container security
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project. Clair supports container security by:
- Updating vulnerability data from a set of sources you define and storing this data in its database
- Allowing clients to query this database for vulnerabilities within specific images through the use of an API
- Indexing container images with a list of features present in the image through the use of an API
How Clair works
Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures (CVE) database and similar databases from Red Hat®, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.
Clair has also introduced support for programming language package managers, starting with Python, and a new image-oriented API.
Automatic detection of vulnerabilities will help increase awareness and best security practices across development and operations teams, and encourage action to patch and address the vulnerabilities. When new vulnerabilities are announced, Clair can determine immediately, without rescanning, which existing layers are affected, and notifications are sent.
For example, CVE-2014-0160, aka "Heartbleed", has been known for some time, yet Red Hat Quay security scanning found it is still a potential threat to a high percentage of the container images users have stored on Quay.
Take note that vulnerabilities often rely on particular conditions in order to be exploited. For example, Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair is not suited to that level of analysis, so teams should still undertake deeper analysis as required.
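The index-then-match split described above, as an added example in Python that is not Clair's own code: layers are indexed once into a package inventory, and a later change in vulnerability data is matched against the stored inventories without rescanning any layer, producing the previous-state/new-state payload a webhook would carry. Package names, versions, layer digests and the advisory's fixed version are constructed, and version ordering is a naive stand-in for real distro version semantics.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Toy model of Clair's index-then-match design (added example, not Clair's own code):
# layers are indexed once and feed changes are matched against the stored inventories.

@dataclass(frozen=True)
class Package:
    name: str
    version: str
@dataclass(frozen=True)
class Vulnerability:
    cve: str
    package: str
    fixed_in: str  # first unaffected version (constructed, simplified range)

def parse_version(v: str) -> Tuple[int, ...]:
    """Naive dotted-numeric ordering; real distro versions need dpkg/rpm semantics."""
    return tuple(int(p) for p in v.split("."))

class Index:
    def __init__(self) -> None:
        self.layers: Dict[str, Set[Package]] = {}

    def index_layer(self, digest: str, packages: List[Package]) -> None:
        """Store the inventory once; matching later never touches layer content."""
        self.layers[digest] = set(packages)

    def affected_layers(self, vuln: Vulnerability) -> Set[str]:
        """Presence-based match: flags any layer carrying a vulnerable version,
        whether or not the package is used at runtime (the Heartbleed caveat)."""
        fixed = parse_version(vuln.fixed_in)
        return {d for d, pkgs in self.layers.items()
                if any(p.name == vuln.package and parse_version(p.version) < fixed
                       for p in pkgs)}

def webhook_payload(idx: Index, previous: Vulnerability,
                    new: Vulnerability) -> Dict[str, object]:
    """Change notification: previous and new state, each with the layers it affects."""
    return {"cve": new.cve, "previous": previous, "new": new,
            "previous_affected": idx.affected_layers(previous),
            "new_affected": idx.affected_layers(new)}

def demo() -> Dict[str, object]:
    idx = Index()  # constructed sample layers; digests are placeholders
    idx.index_layer("sha256:layer-a", [Package("openssl", "1.0.1"), Package("curl", "7.60.0")])
    idx.index_layer("sha256:layer-b", [Package("openssl", "1.0.2"), Package("bash", "5.0")])
    # Upstream corrects the advisory's fixed version after indexing; nothing is rescanned.
    old = Vulnerability("CVE-2014-0160", "openssl", "1.0.1")
    return webhook_payload(idx, old, Vulnerability("CVE-2014-0160", "openssl", "1.0.2"))
```

Running `demo()` shows the advisory correction moving `sha256:layer-a` from unaffected to affected purely by re-matching the stored inventory.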
Clair and Kubernetes
Clair is part of the open source Project Quay. The Kubernetes platform Red Hat OpenShift® can utilize Clair for container security through a Kubernetes Operator called the Container Security Operator which is itself a component of Red Hat Quay. Red Hat Quay is an open source container image registry platform which enables you to build, distribute, and deploy containers across global datacenters, focusing on cloud-native and DevSecOps development models and environments.
The Quay Container Security Operator, which integrates with Red Hat OpenShift, allows you to increase the security of your image repositories with automation, authentication, and authorization systems. Red Hat Quay is available with Red Hat OpenShift or as a standalone component.
Red Hat OpenShift Service on AWS (ROSA) can build images from your source code, deploy them, and manage their lifecycle. It provides an internal, integrated container image registry that can be deployed in your ROSA environment to locally manage images. Quay.io, a public Red Hat Quay Container Registry instance provided and maintained by Red Hat, serves most of the container images and Operators to ROSA clusters. Red Hat Quay is available both as a hosted service and as software you can install in your own data center or cloud environment. Advanced features in Red Hat Quay include geo-replication, image scanning, and the ability to roll back images. Image scanning is provided by Clair, which you can use as part of your overall OpenShift configuration.
How does Red Hat help?
As part of Red Hat’s commitment to open source communities, Red Hat will continue participating in the development of Project Quay as a member of the Cloud Native Computing Foundation.
Red Hat makes significant contributions to the engineering of new features for Clair and Project Quay. Red Hat also runs one of the key databases of vulnerabilities used by Clair. In addition, Red Hat runs the largest installation of Clair via quay.io which serves as a real-world load testing environment.