2016-02-18 21:49:10 +00:00
# Clair
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[![Build Status ](https://api.travis-ci.org/coreos/clair.svg?branch=master "Build Status" )](https://travis-ci.org/coreos/clair)
2015-11-13 19:29:01 +00:00
[![Docker Repository on Quay ](https://quay.io/repository/coreos/clair/status "Docker Repository on Quay" )](https://quay.io/repository/coreos/clair)
2016-02-20 21:48:48 +00:00
[![Go Report Card ](https://goreportcard.com/badge/coreos/clair "Go Report Card" )](https://goreportcard.com/report/coreos/clair)
2016-02-24 23:08:16 +00:00
[![GoDoc ](https://godoc.org/github.com/coreos/clair?status.svg "GoDoc" )](https://godoc.org/github.com/coreos/clair)
2016-02-18 21:49:10 +00:00
[![IRC Channel ](https://img.shields.io/badge/freenode-%23clair-blue.svg "IRC Channel" )](http://webchat.freenode.net/?channels=clair)
2015-11-13 19:29:01 +00:00
2016-04-20 17:17:44 +00:00
**Note**: The `master` branch may be in an *unstable or even broken state* during development.
Please use [releases] instead of the `master` branch in order to get stable binaries.
2017-01-04 03:22:41 +00:00
![Clair Logo ](https://cloud.githubusercontent.com/assets/343539/21630811/c5081e5c-d202-11e6-92eb-919d5999c77a.png )
2016-03-18 15:48:55 +00:00
2016-02-24 00:52:10 +00:00
Clair is an open source project for the static analysis of vulnerabilities in [appc] and [docker] containers.
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container.
2017-01-04 03:09:17 +00:00
When vulnerability data changes upstream, a notification can be delivered, and the API queried to provide the previous state and new state of the vulnerability along with the images affected by both.
All major components can be [extended programmatically] at compile-time without forking the project.
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
Our goal is to enable a more transparent view of the security of container-based infrastructure.
2016-02-18 21:49:10 +00:00
Thus, the project was named `Clair` after the French term which translates to *clear* , *bright* , *transparent* .
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
[appc]: https://github.com/appc/spec
[docker]: https://github.com/docker/docker/blob/master/image/spec/v1.md
2017-01-04 03:09:17 +00:00
[extended programmatically]: #customization
2016-04-20 17:17:44 +00:00
[releases]: https://github.com/coreos/clair/releases
2016-02-24 00:52:10 +00:00
2016-02-18 21:49:10 +00:00
## Common Use Cases
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
### Manual Auditing
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
You're building an application and want to depend on a third-party container image that you found by searching the internet.
To make sure that you do not knowingly introduce a new vulnerability into your production service, you decide to scan the container for vulnerabilities.
You `docker pull` the container to your development machine and start an instance of Clair.
2016-02-24 00:52:10 +00:00
Once it finishes updating, you use the [local image analysis tool] to analyze the container.
2016-02-18 21:49:10 +00:00
You realize this container is vulnerable to many critical CVEs, so you decide to use another one.
2016-02-15 05:00:22 +00:00
2016-02-24 00:52:10 +00:00
[local image analysis tool]: https://github.com/coreos/clair/tree/master/contrib/analyze-local-images
2016-02-18 21:49:10 +00:00
### Container Registry Integration
2016-02-15 05:00:22 +00:00
2016-02-18 21:49:10 +00:00
Your company has a continuous-integration pipeline and you want to stop deployments if they introduce a dangerous vulnerability.
A developer merges some code into the master branch of your codebase.
The first step of your continuous-integration pipeline automates the testing and building of your container and pushes a new container to your container registry.
2016-02-24 00:52:10 +00:00
Your container registry notifies Clair which causes the download and indexing of the images for the new container.
2016-02-18 21:49:10 +00:00
Clair detects some vulnerabilities and sends a webhook to your continuous deployment tool to prevent this vulnerable build from seeing the light of day.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
## Hello Heartbleed
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
During the first run, Clair will bootstrap its database with vulnerability data from its data sources.
2016-03-03 20:44:49 +00:00
It can take several minutes before the database has been fully populated.
2015-11-13 19:11:28 +00:00
2016-03-18 17:05:17 +00:00
**NOTE:** These setups are not meant for production workloads, but as a quick way to get started.
### Kubernetes
2016-04-11 17:51:20 +00:00
An easy way to run Clair is with Kubernetes 1.2+.
If you are using the [CoreOS Kubernetes single-node instructions][single-node] for Vagrant you will be able to access the Clair's API at http://172.17.4.99:30060/ after following these instructions.
2016-03-18 17:05:17 +00:00
```
git clone https://github.com/coreos/clair
cd clair/contrib/k8s
kubectl create secret generic clairsecret --from-file=./config.yaml
2016-04-11 17:51:20 +00:00
kubectl create -f clair-kubernetes.yaml
2016-03-18 17:05:17 +00:00
```
[single-node]: https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html
2016-03-09 17:20:20 +00:00
### Docker Compose
2015-11-13 19:11:28 +00:00
2016-03-18 17:05:17 +00:00
Another easy way to get an instance of Clair running is to use Docker Compose to run everything locally.
2016-03-09 17:20:20 +00:00
This runs a PostgreSQL database insecurely and locally in a container.
This method should only be used for testing.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
```sh
2016-10-24 16:42:22 +00:00
$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/docker-compose.yml -o $HOME/docker-compose.yml
2016-02-18 21:49:10 +00:00
$ mkdir $HOME/clair_config
2016-10-24 16:42:22 +00:00
$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/config.example.yaml -o $HOME/clair_config/config.yaml
2016-03-09 17:20:20 +00:00
$ $EDITOR $HOME/clair_config/config.yaml # Edit database source to be postgresql://postgres:password@postgres:5432?sslmode=disable
$ docker-compose -f $HOME/docker-compose.yml up -d
2015-11-13 19:11:28 +00:00
```
2016-03-09 17:20:20 +00:00
Docker Compose may start Clair before Postgres which will raise an error.
2017-01-02 13:21:36 +00:00
If this error is raised, manually execute `docker-compose start clair` .
2016-03-09 17:20:20 +00:00
### Docker
This method assumes you already have a [PostgreSQL 9.4+] database running.
This is the recommended method for production deployments.
2016-03-09 07:45:47 +00:00
2016-03-09 17:20:20 +00:00
[PostgreSQL 9.4+]: http://postgresql.org
2016-03-09 07:45:47 +00:00
```sh
$ mkdir $HOME/clair_config
2016-10-24 16:42:22 +00:00
$ curl -L https://raw.githubusercontent.com/coreos/clair/v1.2.4/config.example.yaml -o $HOME/clair_config/config.yaml
2016-03-09 17:20:20 +00:00
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database
2016-10-24 16:42:22 +00:00
$ docker run -d -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair:v1.2. -config=/config/config.yaml
2016-03-09 07:45:47 +00:00
```
2016-02-18 21:49:10 +00:00
### Source
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
To build Clair, you need to latest stable version of [Go] and a working [Go environment].
2017-01-03 18:25:15 +00:00
In addition, Clair requires that [git], [bzr], [rpm], and [xz] be available on the system [$PATH].
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Go]: https://github.com/golang/go/releases
[Go environment]: https://golang.org/doc/code.html
2017-01-03 18:25:15 +00:00
[git]: https://git-scm.com
2016-03-03 20:44:49 +00:00
[bzr]: http://bazaar.canonical.com/en
[rpm]: http://www.rpm.org
[xz]: http://tukaani.org/xz
[$PATH]: https://en.wikipedia.org/wiki/PATH_(variable)
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
```sh
2016-02-24 00:52:10 +00:00
$ go get github.com/coreos/clair
$ go install github.com/coreos/clair/cmd/clair
2016-02-18 21:49:10 +00:00
$ $EDITOR config.yaml # Add the URI for your postgres database
$ ./$GOBIN/clair -config=config.yaml
```
2015-11-13 19:11:28 +00:00
2016-06-14 20:15:55 +00:00
### Container images
While container images for every releases are available at [quay.io/repository/coreos/clair], container images built on the latest available source code are available at [quay.io/repository/coreos/clair-git].
2016-08-16 18:22:22 +00:00
[quay.io/repository/coreos/clair]: https://quay.io/repository/coreos/clair
[quay.io/repository/coreos/clair-git]: https://quay.io/repository/coreos/clair-git
2016-06-14 20:15:55 +00:00
2016-02-27 20:02:52 +00:00
## Documentation
2015-11-13 19:11:28 +00:00
2017-01-04 03:09:17 +00:00
The latest stable documentation can be found [on the CoreOS website].
Documentation for the current branch can be found [inside the Documentation directory][docs-dir] at the root of the project's source code.
2016-02-19 21:27:07 +00:00
2016-08-24 16:11:15 +00:00
[on the CoreOS website]: https://coreos.com/clair/docs/latest/
2016-08-24 18:03:50 +00:00
[docs-dir]: /Documentation
2016-02-19 21:27:07 +00:00
2016-02-27 20:02:52 +00:00
### Architecture at a Glance
2016-02-24 21:24:44 +00:00
2017-01-04 03:22:41 +00:00
![Simple Clair Diagram ](https://cloud.githubusercontent.com/assets/343539/21630809/c1adfbd2-d202-11e6-9dfe-9024139d0a28.png )
2016-02-24 21:24:44 +00:00
2016-02-27 20:02:52 +00:00
### Terminology
2016-02-28 02:19:36 +00:00
- *Image* - a tarball of the contents of a container
- *Layer* - an *appc* or *Docker* image that may or maybe not be dependent on another image
- *Detector* - a Go package that identifies the content, *namespaces* and *features* from a *layer*
- *Namespace* - a context around *features* and *vulnerabilities* (e.g. an operating system)
- *Feature* - anything that when present could be an indication of a *vulnerability* (e.g. the presence of a file or an installed software package)
2017-01-04 03:09:17 +00:00
- *Vulnerability Updater* - a Go package that tracks upstream vulnerability data and imports them into Clair
- *Vulnerability Metadata Appender* - a Go package that tracks upstream vulnerability metadata and appends them into vulnerabilities managed by Clair
2016-02-24 21:24:44 +00:00
2016-02-18 21:49:10 +00:00
### Vulnerability Analysis
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
There are two major ways to perform analysis of programs: [Static Analysis] and [Dynamic Analysis].
2016-02-24 00:52:10 +00:00
Clair has been designed to perform *static analysis* ; containers never need to be executed.
Rather, the filesystem of the container image is inspected and *features* are indexed into a database.
2016-02-27 20:02:52 +00:00
By indexing the features of an image into the database, images only need to be rescanned when new *detectors* are added.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Static Analysis]: https://en.wikipedia.org/wiki/Static_program_analysis
2016-02-23 00:28:04 +00:00
[Dynamic Analysis]: https://en.wikipedia.org/wiki/Dynamic_program_analysis
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
### Default Data Sources
2015-11-13 19:11:28 +00:00
2016-07-21 14:31:46 +00:00
| Data Source | Data Collected | Format | License |
|-------------------------------|--------------------------------------------------------------------------|--------|-----------------|
| [Debian Security Bug Tracker] | Debian 6, 7, 8, unstable namespaces | [dpkg] | [Debian] |
| [Ubuntu CVE Tracker] | Ubuntu 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 namespaces | [dpkg] | [GPLv2] |
| [Red Hat Security Data] | CentOS 5, 6, 7 namespaces | [rpm] | [CVRF] |
2016-12-20 00:48:37 +00:00
| [Oracle Linux Security Data] | Oracle Linux 5, 6, 7 namespaces | [rpm] | [CVRF] |
2016-11-29 20:15:26 +00:00
| [Alpine SecDB] | Alpine 3.3, Alpine 3.4 namespaces | [apk] | [MIT] |
2017-01-04 03:09:17 +00:00
| [NIST NVD] | Generic Vulnerability Metadata | N/A | [Public Domain] |
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Debian Security Bug Tracker]: https://security-tracker.debian.org/tracker
[Ubuntu CVE Tracker]: https://launchpad.net/ubuntu-cve-tracker
[Red Hat Security Data]: https://www.redhat.com/security/data/metrics
2016-12-20 00:48:37 +00:00
[Oracle Linux Security Data]: https://linux.oracle.com/security/
2017-01-04 03:09:17 +00:00
[NIST NVD]: https://nvd.nist.gov
2016-02-18 21:49:10 +00:00
[dpkg]: https://en.wikipedia.org/wiki/dpkg
[rpm]: http://www.rpm.org
2016-07-21 14:31:46 +00:00
[Debian]: https://www.debian.org/license
[GPLv2]: https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
[CVRF]: http://www.icasi.org/cvrf-licensing/
[Public Domain]: https://nvd.nist.gov/faq
2016-11-29 20:15:26 +00:00
[Alpine SecDB]: http://git.alpinelinux.org/cgit/alpine-secdb/
[apk]: http://git.alpinelinux.org/cgit/apk-tools/
[MIT]: https://gist.github.com/jzelinskie/6da1e2da728424d88518be2adbd76979
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
### Customization
The major components of Clair are all programmatically extensible in the same way Go's standard [database/sql] package is extensible.
2017-01-04 03:09:17 +00:00
Everything extendable is located in the `ext` directory.
2016-02-27 20:02:52 +00:00
2017-01-04 03:09:17 +00:00
Custom behavior can be accomplished by creating a package that contains a type that implements an interface declared in Clair and registering that interface in [init()].
To expose the new behavior, unqualified imports to the package must be added in your own custom [main.go], which should then start Clair using `Boot(*config.Config)` .
2016-02-27 20:02:52 +00:00
2016-02-19 21:23:59 +00:00
[database/sql]: https://godoc.org/database/sql
2017-01-04 03:09:17 +00:00
[init()]: https://golang.org/doc/effective_go.html#init
2016-02-28 02:19:36 +00:00
[main.go]: https://github.com/coreos/clair/blob/master/cmd/clair/main.go
2016-02-19 21:23:59 +00:00
2016-02-18 21:49:10 +00:00
## Related Links
2015-11-13 19:11:28 +00:00
2016-05-19 14:10:46 +00:00
### Talks & Slides
2016-06-14 20:17:11 +00:00
- _Clair: The Container Image Security Analyzer @ ContainerDays Boston 2016_ - [Event ](http://dynamicinfradays.org/events/2016-boston/ ) [Video ](https://www.youtube.com/watch?v=Kri67PtPv6s ) [Slides ](https://docs.google.com/presentation/d/1ExQGZs-pQ56TpW_ifcUl2l_ml87fpCMY6-wdug87OFU )
- _Identifying Common Vulnerabilities and Exposures in Containers with Clair @ CoreOS Fest 2016_ - [Event ](https://coreos.com/fest/ ) [Video ](https://www.youtube.com/watch?v=YDCa51BK2q0 ) [Slides ](https://docs.google.com/presentation/d/1pHSI_5LcjnZzZBPiL1cFTZ4LvhzKtzh86eE010XWNLY )
- _Clair: A Container Image Security Analyzer @ Microservices NYC_ - [Event ](https://www.meetup.com/Microservices-NYC/events/230023492/ ) [Video ](https://www.youtube.com/watch?v=ynwKi2yhIX4 ) [Slides ](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc )
- _Clair: A Container Image Security Analyzer @ Container Orchestration NYC_ - [Event ](https://www.meetup.com/Container-Orchestration-NYC/events/229779466/ ) [Video ](https://www.youtube.com/watch?v=wTfCOUDNV_M ) [Slides ](https://docs.google.com/presentation/d/1ly9wQKQIlI7rlb0JNU1_P-rPDHU4xdRCCM3rxOdjcgc )
2016-05-19 14:10:46 +00:00
### Projects Integrating with Clair
2016-02-18 21:49:10 +00:00
- [Quay ](https://quay.io ): the first container registry to integrate with Clair
- [Dockyard ](https://github.com/containerops/dockyard ): an open source container registry with Clair integration
2016-05-19 14:10:46 +00:00
- [Hyperclair ](https://github.com/wemanity-belgium/hyperclair ): a lightweight command-line tool for working locally with Clair
- [Clair w/ SQS ](https://github.com/zalando/clair-sqs ): a container containing Clair and additional processes that integrate Clair with [Amazon SQS ](https://aws.amazon.com/sqs )
2016-07-15 06:56:01 +00:00
- [Klar ](https://github.com/optiopay/klar ): a simple command-line integration of Clair and Docker registry, designed to be used in scripts and CI