Container Scanning
There are many options for container scanning: some are provided by container registries, some are open source.
Docker Hub provides container scanning, but only for paid accounts. More info: https://docs.docker.com/docker-hub/vulnerability-scanning/#scan-images-with-basic-vulnerability-scanning
Red Hat Quay is Red Hat's container registry. Red Hat documents how to integrate container scanning into Quay using Clair. Here is some information about how this can be used with OpenShift. Maybe what IBM used? Certainly the scanner used on the base images that IBM pulled from Quay.
- https://access.redhat.com/documentation/en-us/red_hat_quay/3.3/html/manage_red_hat_quay/quay-security-scanner
- https://access.redhat.com/documentation/en-us/red_hat_quay/3.3/html/manage_red_hat_quay/clair-initial-setup
- https://access.redhat.com/documentation/en-us/red_hat_quay/3.3/html/manage_red_hat_quay/clair-v4
https://techbeacon.com/security/17-open-source-container-security-tools
Red Hat Quay bases its scanning on Clair. FINOS uses Trivy.
Clair is an open source container scanner that can be used to identify possible vulnerabilities in the packages installed in an image's layers. It is the scanner built into Red Hat Quay (see the Quay documentation links above).
More background information about Clair: https://www.nearform.com/blog/static-analysis-of-docker-image-vulnerabilities-with-clair/
Clair repo: https://github.com/quay/clair
Latest stable release: https://github.com/quay/clair/releases/tag/v4.7.1
Clair documentation: https://quay.github.io/clair/
Submitting a manifest to scan: https://quay.github.io/clair/howto/getting_started.html?highlight=clairctl#submitting-a-manifest. Includes installing the clairctl command line tool with Go.
Instructions for installing Go on macOS: https://www.scaler.com/topics/golang/install-golang/. Using "export GOPATH=$HOME/Projects/Proj1" didn't work for me, but using "export GOPATH=$HOME/go" did work.
clairctl is the command line utility that talks to a running Clair server. There are many others, such as claircli and Klar, but most are old and won't work with Clair v4. The instructions above have you install clairctl with go install github.com/quay/clair/v4/cmd/clairctl@latest
You can see that this pulls clairctl from github.com/quay/clair/v4/cmd/clairctl, so it works with Clair v4, but it doesn't have the nice report mechanisms that the other CLIs had.
An article on how to install and use Clair: https://medium.com/paloit/coreos-clair-part-2-installation-integration-558ec664cece
An issue that explains why the clair-indexer container returns a 401 when trying to run a report on our container: https://github.com/quay/clair/issues/1569. When Clair is configured with authentication (for example a pre-shared key), clairctl must read the same configuration so that it authenticates its requests the same way; otherwise the indexer rejects them with 401 Unauthorized. So I needed to run export CLAIR_CONF=/Users/aaron/git-quay/clair/local-dev/clair/config.yaml
In order to use Clair to scan local images, you need to run a local container registry: the Clair indexer fetches image layers from a registry, not from the Docker daemon's local image store. Here are instructions for doing so with a Docker registry container: https://www.allisonthackston.com/articles/local-docker-registry.html
Note: these containers use a lot of Docker resources. I have to prune frequently and bumped up my Docker resources (currently at 12 GB memory, 2 GB swap).
In one terminal window set up Clair:
# clone Clair and check out the latest stable release branch
mkdir /Users/aaron/git-quay
cd /Users/aaron/git-quay
git clone git@github.com:quay/clair.git
cd clair
git fetch
git checkout release-4.7
# free up as many resources as we can (removes stopped containers, unused
# networks, dangling images and unused volumes; both commands prompt first)
docker system prune
docker volume prune
# start the Clair containers detached (-d), using the docker-compose.yaml in the repo:
# clair-database, clair-matcher, clair-indexer, clair-traefik
docker-compose up -d
# to clean up after using
docker-compose down
In another terminal window set up the local Docker container registry:
# pull and run the registry container image from Docker Hub
docker run -d -p 5001:5000 --restart always --name registry registry:2
# The registry:2 image as started here serves plain HTTP with no TLS and
# no authentication. "insecure-registries" tells the Docker daemon to allow
# plain HTTP (and skip certificate verification) for the listed hosts; it
# does not configure or disable authentication. Docker already treats
# 127.0.0.0/8 as insecure, but the push below uses the host's LAN IP, so
# that address must be listed too or the push fails with
# "http: server gave HTTP response to HTTPS client".
# On Linux, edit /etc/docker/daemon.json. With Docker Desktop, edit the same
# JSON via Docker Desktop -> Settings -> Docker Engine, apply, and restart.
{ "insecure-registries": ["localhost:5001", "<local_ip_address>:5001"] }
# find local IP address
ifconfig
# Tag and push the container that you want to scan.
# Use the host's LAN IP address instead of "localhost": clairctl builds a
# manifest whose layer URLs point at this registry, and the Clair indexer
# fetches those layers from inside its own container, where "localhost" is
# the indexer itself, not the host. With "localhost" the fetch failed with
# 404 errors.
docker tag a11y-theme-builder <local_ip_address>:5001/a11y-theme-builder
docker push <local_ip_address>:5001/a11y-theme-builder
# to pull the image to test that the registry is working:
docker pull <local_ip_address>:5001/a11y-theme-builder
In this same window we can install and run clairctl, the CLI that interacts with the Clair services.
# install the latest stable Go release on macOS
# download the package to the current directory
curl -o golang.pkg https://dl.google.com/go/go1.21.darwin-amd64.pkg
# open the package (the installer prompts for admin credentials itself)
open golang.pkg
# set up the Go environment: add these env vars to your shell profile
# (~/.bash_profile for bash; ~/.zprofile if your shell is zsh, the macOS default)
nano ~/.bash_profile
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
# install clairctl
go install github.com/quay/clair/v4/cmd/clairctl@latest
# point clairctl at the same Clair config as the running containers so it
# authenticates with the same settings (otherwise the indexer returns 401)
export CLAIR_CONF=/Users/aaron/git-quay/clair/local-dev/clair/config.yaml
# run a Clair report against a known, vulnerable image to make sure
# everything is running correctly (-D enables debug logging)
clairctl -D report ubuntu:focal
# run a Clair report against our image
clairctl -D report <local_ip_address>:5001/a11y-theme-builder
# run a Clair report against our image with JSON output (-o accepts json, xml or text)
clairctl -D report -o json <local_ip_address>:5001/a11y-theme-builder
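The JSON output is the useful one for automation, since clairctl itself only prints the findings. The script below is an added example (not from this page, not part of the Clair project) of the "report mechanism" the other CLIs had: it turns a clairctl JSON report into a per-severity summary with the fixed version for each finding and fails the build when anything at or above a chosen severity is present, optionally ignoring findings that have no fix yet. It assumes the report is a claircore VulnerabilityReport, with vulnerabilities keyed by id under "vulnerabilities", "package_vulnerabilities" mapping package id to a list of vulnerability ids, and "normalized_severity" taking the values Unknown, Negligible, Low, Medium, High or Critical; that layout is an assumption about clairctl's output, so check it against a real report before relying on it. SAMPLE_REPORT is constructed for the example and is not real scanner output; the run_clairctl helper invokes clairctl exactly as in the steps above and needs a running Clair plus CLAIR_CONF set.

```python
"""Summarize and gate on a `clairctl report -o json <image>` report.

Added example; assumes the claircore VulnerabilityReport JSON layout described
in the lead-in. SAMPLE_REPORT is constructed test data, not real output.
"""
import json
import subprocess
import sys

# claircore normalized severities, lowest to highest
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the assumed report layout (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "manifest_hash": "sha256:" + "0" * 64,
    "packages": {
        "1": {"id": "1", "name": "libssl1.1", "version": "1.1.1f-1ubuntu2"},
        "2": {"id": "2", "name": "bash", "version": "5.0-6ubuntu1"},
        "3": {"id": "3", "name": "curl", "version": "7.68.0-1ubuntu2"},
    },
    "vulnerabilities": {
        "v1": {"id": "v1", "name": "EXAMPLE-2023-0001", "normalized_severity": "High",
               "fixed_in_version": "1.1.1f-1ubuntu2.19"},
        "v2": {"id": "v2", "name": "EXAMPLE-2023-0002", "normalized_severity": "Low",
               "fixed_in_version": ""},
        "v3": {"id": "v3", "name": "EXAMPLE-2023-0003", "normalized_severity": "Critical",
               "fixed_in_version": "7.68.0-1ubuntu2.20"},
    },
    "package_vulnerabilities": {"1": ["v1"], "2": ["v2"], "3": ["v3"]},
})


def run_clairctl(image):
    """Run clairctl as installed above and return the JSON report text.
    Needs a running Clair and CLAIR_CONF pointing at its config."""
    out = subprocess.run(["clairctl", "report", "-o", "json", image],
                         check=True, capture_output=True, text=True)
    return out.stdout


def summarize(report_json):
    """Return (counts_by_severity, findings) with findings sorted worst-first."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", {})
    packages = report.get("packages", {})
    counts = {sev: 0 for sev in SEVERITY_RANK}
    findings = []
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = packages.get(pkg_id, {})
        for vid in vuln_ids:
            v = vulns.get(vid)
            if v is None:
                continue  # dangling reference: skip rather than crash the gate
            sev = v.get("normalized_severity", "Unknown")
            if sev not in counts:
                sev = "Unknown"  # unexpected label: never silently drop it
            counts[sev] += 1
            findings.append({
                "vuln": v.get("name", vid),
                "package": pkg.get("name", "?"),
                "installed": pkg.get("version", "?"),
                "fixed_in": v.get("fixed_in_version") or None,  # "" means no fix yet
                "severity": sev,
            })
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return counts, findings


def gate(report_json, fail_on="High", fixable_only=False):
    """Return (passed, blocking_findings). Passes when nothing at or above
    `fail_on` is present; with fixable_only=True, unfixed findings are
    reported but do not block (useful while waiting on a distro patch)."""
    threshold = SEVERITY_RANK[fail_on]
    _, findings = summarize(report_json)
    blocking = [f for f in findings
                if SEVERITY_RANK[f["severity"]] >= threshold
                and (not fixable_only or f["fixed_in"] is not None)]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    # With an image argument, scan it via clairctl; otherwise use the sample.
    text = run_clairctl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, findings = summarize(text)
    for f in findings:
        print(f"{f['severity']:<10} {f['vuln']:<20} {f['package']} {f['installed']}"
              f" -> fixed in {f['fixed_in'] or 'no fix yet'}")
    print("counts:", {k: n for k, n in counts.items() if n})
    passed, _ = gate(text, fail_on="High")
    sys.exit(0 if passed else 1)
```

Run as `python3 clair_gate.py <local_ip_address>:5001/a11y-theme-builder` after the steps above; the non-zero exit status is what a CI job keys on. Gating on normalized_severity rather than the raw "severity" field is deliberate: the raw value is whatever the upstream advisory database used, which differs between Ubuntu, Debian and RHEL feeds.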