arminc / clair-local-scan

Run CoreOs Clair standalone
GNU Affero General Public License v3.0
254 stars 56 forks source link

Clair server or local

Build Status

CoreOs Clair https://github.com/coreos/clair

You can run a dedicated Clair server with a database and use that in your ci/cd pipeline but if you want to run Clair as part of your ci/cd pipeline then you are in a surprise:

To fix these problems I have created a Travis scheduled job that creates the database daily. This database can be used to run clair standalone in your build job. For this, to work you need Clair which can talk to a database and a database already filled with CVEs. This repository builds all of those:

Important: Keep in mind that you can use a new version of the database with updated vulnerabilities data. Just change the tag from '2017-03-15' to a today's date.

How to scan containers

Start the Clair database and Clair locally or while running your job

docker run -d --name clair-db arminc/clair-db:latest
docker run -p 6060:6060 --link clair-db:postgres -d --name clair arminc/clair-local-scan:v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1

Example of how to use today's date (for OSX)

docker run -d --name clair-db arminc/clair-db:$(date +%Y-%m-%d)

Having Clair locally working is nice but you need to do something with it. You can use it to scan your images for vulnerabilities using my clair-scanner https://github.com/arminc/clair-scanner. It verifies which vulnerabilities are accepted and which are not (using a whitelist).

Scan using clair-scanner

For more information see https://github.com/arminc/clair-scanner

clair-scanner --whitelist=example-nginx.yaml --clair=http://YOUR_LOCAL_IP:6060 --ip=YOUR_LOCAL_IP nginx:1.11.6-alpine