2016-02-18 21:49:10 +00:00
# Clair
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[![Build Status ](https://api.travis-ci.org/coreos/clair.svg?branch=master "Build Status" )](https://travis-ci.org/coreos/clair)
2015-11-13 19:29:01 +00:00
[![Docker Repository on Quay ](https://quay.io/repository/coreos/clair/status "Docker Repository on Quay" )](https://quay.io/repository/coreos/clair)
2016-02-20 21:48:48 +00:00
[![Go Report Card ](https://goreportcard.com/badge/coreos/clair "Go Report Card" )](https://goreportcard.com/report/coreos/clair)
2016-02-24 23:08:16 +00:00
[![GoDoc ](https://godoc.org/github.com/coreos/clair?status.svg "GoDoc" )](https://godoc.org/github.com/coreos/clair)
2016-02-18 21:49:10 +00:00
[![IRC Channel ](https://img.shields.io/badge/freenode-%23clair-blue.svg "IRC Channel" )](http://webchat.freenode.net/?channels=clair)
2015-11-13 19:29:01 +00:00
2016-02-24 00:52:10 +00:00
Clair is an open source project for the static analysis of vulnerabilities in [appc] and [docker] containers.
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container.
When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint.
2016-02-27 20:02:52 +00:00
All major components can be [customized programmatically] at compile-time without forking the project.
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
Our goal is to enable a more transparent view of the security of container-based infrastructure.
2016-02-18 21:49:10 +00:00
Thus, the project was named `Clair` after the French term which translates to *clear* , *bright* , *transparent* .
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
[appc]: https://github.com/appc/spec
[docker]: https://github.com/docker/docker/blob/master/image/spec/v1.md
2016-02-27 20:02:52 +00:00
[added programmatically]: #customization
2016-02-24 00:52:10 +00:00
2016-02-18 21:49:10 +00:00
## Common Use Cases
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
### Manual Auditing
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
You're building an application and want to depend on a third-party container image that you found by searching the internet.
To make sure that you do not knowingly introduce a new vulnerability into your production service, you decide to scan the container for vulnerabilities.
You `docker pull` the container to your development machine and start an instance of Clair.
2016-02-24 00:52:10 +00:00
Once it finishes updating, you use the [local image analysis tool] to analyze the container.
2016-02-18 21:49:10 +00:00
You realize this container is vulnerable to many critical CVEs, so you decide to use another one.
2016-02-15 05:00:22 +00:00
2016-02-24 00:52:10 +00:00
[local image analysis tool]: https://github.com/coreos/clair/tree/master/contrib/analyze-local-images
2016-02-18 21:49:10 +00:00
### Container Registry Integration
2016-02-15 05:00:22 +00:00
2016-02-18 21:49:10 +00:00
Your company has a continuous-integration pipeline and you want to stop deployments if they introduce a dangerous vulnerability.
A developer merges some code into the master branch of your codebase.
The first step of your continuous-integration pipeline automates the testing and building of your container and pushes a new container to your container registry.
2016-02-24 00:52:10 +00:00
Your container registry notifies Clair which causes the download and indexing of the images for the new container.
2016-02-18 21:49:10 +00:00
Clair detects some vulnerabilities and sends a webhook to your continuous deployment tool to prevent this vulnerable build from seeing the light of day.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
## Hello Heartbleed
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
### Requirements
2015-11-13 19:11:28 +00:00
2016-02-24 00:52:10 +00:00
An instance of [PostgreSQL] 9.4+ is required.
2016-02-18 21:49:10 +00:00
All instructions assume the user has already setup this instance.
During the first run, Clair will bootstrap its database with vulnerability data from its data sources.
This can take several minutes.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[PostgreSQL]: http://postgresql.org
2016-02-15 05:00:22 +00:00
2016-02-18 21:49:10 +00:00
### Docker
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
The easiest way to get an instance of Clair running is to simply pull down the latest copy from Quay.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
```sh
$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database
2016-02-27 08:49:41 +00:00
$ docker run -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair -config=/config/config.yaml
2015-11-13 19:11:28 +00:00
```
2016-02-18 21:49:10 +00:00
### Source
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
To build Clair, you need to latest stable version of [Go] and a working [Go environment].
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Go]: https://github.com/golang/go/releases
[Go environment]: https://golang.org/doc/code.html
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
```sh
2016-02-24 00:52:10 +00:00
$ go get github.com/coreos/clair
$ go install github.com/coreos/clair/cmd/clair
2016-02-18 21:49:10 +00:00
$ $EDITOR config.yaml # Add the URI for your postgres database
$ ./$GOBIN/clair -config=config.yaml
```
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
## Documentation
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
Documentation can be found in a `README.md` file located in the directory of the component.
2016-02-19 21:27:07 +00:00
2016-02-27 20:02:52 +00:00
- [Notifier ](https://github.com/coreos/clair/blob/master/notifier/README.md )
- [v1 API ](https://github.com/coreos/clair/blob/master/api/v1/README.md )
2016-02-19 21:27:07 +00:00
2016-02-27 20:02:52 +00:00
### Architecture at a Glance
2016-02-24 21:24:44 +00:00
2016-02-27 20:02:52 +00:00
![Simple Clair Diagram ](img/simple_diagram.png )
2016-02-24 21:24:44 +00:00
2016-02-27 20:02:52 +00:00
### Terminology
- *Detector* - a Go package that identifies *features* from an *layer* .
- *Image* - a tarball of the contents of a container.
- *Feature* - anything that when present could be an indication of a vulnerability (e.g. the presence of a file or an installed software package).
- *Fetcher* - a Go package that tracks an upstream vulnerability database and imports them into Clair.
- *Layer* - an appc or docker *image* that may or maybe not be dependent on another image.
2016-02-24 21:24:44 +00:00
2016-02-18 21:49:10 +00:00
### Vulnerability Analysis
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
There are two major ways to perform analysis of programs: [Static Analysis] and [Dynamic Analysis].
2016-02-24 00:52:10 +00:00
Clair has been designed to perform *static analysis* ; containers never need to be executed.
Rather, the filesystem of the container image is inspected and *features* are indexed into a database.
2016-02-27 20:02:52 +00:00
By indexing the features of an image into the database, images only need to be rescanned when new *detectors* are added.
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Static Analysis]: https://en.wikipedia.org/wiki/Static_program_analysis
2016-02-23 00:28:04 +00:00
[Dynamic Analysis]: https://en.wikipedia.org/wiki/Dynamic_program_analysis
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
### Default Data Sources
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
| Data Source | Versions | Format |
|-------------------------------|--------------------------------------------------------|--------|
| [Debian Security Bug Tracker] | 6, 7, 8, unstable | [dpkg] |
| [Ubuntu CVE Tracker] | 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04 | [dpkg] |
| [Red Hat Security Data] | 5, 6, 7 | [rpm] |
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
[Debian Security Bug Tracker]: https://security-tracker.debian.org/tracker
[Ubuntu CVE Tracker]: https://launchpad.net/ubuntu-cve-tracker
[Red Hat Security Data]: https://www.redhat.com/security/data/metrics
[dpkg]: https://en.wikipedia.org/wiki/dpkg
[rpm]: http://www.rpm.org
2015-11-13 19:11:28 +00:00
2016-02-27 20:02:52 +00:00
### Customization
The major components of Clair are all programmatically extensible in the same way Go's standard [database/sql] package is extensible.
Custom behavior can be accomplished by creating a package that contains a type that implements an interface declared in Clair and registering that interface in [init()].
To expose the new behavior, unqualified imports to the package must be added in `main.go` :
```go
import (
...
_ "github.com/my/custom/behavior"
)
```
The following interfaces can have custom implementations registered via [init()] at compile time:
2016-02-19 21:23:59 +00:00
2016-02-27 20:02:52 +00:00
- `Datastore` - the backing storage
- `Notifier` - the means by which endpoints are notified of vulnerability changes
- `Fetcher` - the sources of vulnerability data that is automatically imported
- `MetadataFetcher` - the sources of vulnerability metadata that is automatically imported
- `DataDetector` - the means by which features are identified from a layer
2016-02-19 21:23:59 +00:00
[init()]: https://golang.org/doc/effective_go.html#init
[database/sql]: https://godoc.org/database/sql
2016-02-18 21:49:10 +00:00
## Related Links
2015-11-13 19:11:28 +00:00
2016-02-18 21:49:10 +00:00
- [Talk ](https://www.youtube.com/watch?v=PA3oBAgjnkU ) and [Slides ](https://docs.google.com/presentation/d/1toUKgqLyy1b-pZlDgxONLduiLmt2yaLR0GliBB7b3L0/pub?start=false&loop=false&slide=id.p ) @ ContainerDays NYC 2015
- [Quay ](https://quay.io ): the first container registry to integrate with Clair
- [Dockyard ](https://github.com/containerops/dockyard ): an open source container registry with Clair integration