As part of the CoreOS mission to secure the world's infrastructure, CoreOS is today delivering a new version of the Clair container image security analyzer, a powerful and extensible tool that inspects container images for known security flaws. Clair enables developers to build services that scan containers for security threats and vulnerabilities.
Clair helps DevOps teams maintain security by delivering useful and actionable information about the vulnerabilities that threaten containers. Community feedback guided many of the latest Clair features, including the ability not only to reveal whether a vulnerability is present, but also to report the available patch or update that corrects it. Additionally, the 1.0 release improves performance and extensibility, empowering developers and operations professionals to implement their own services around the Clair analyzer.
In our previous blog post, we discussed why we originally wrote Clair and why we believe it is important. After that initial announcement, users often indicated a desire to learn what they can do to improve container security. We are excited to encourage this practice and have added the capability to identify fixes along with vulnerabilities. Many common container images are based on some form of Debian or CentOS Linux distribution, and because of their age and size, these can present a large attack surface with many potential vulnerabilities. These systems and their packages can be updated, and we want to encourage users to take action and update their container images. A sample analysis powered by Clair and indexed by CoreOS's Quay container registry determined that:
Updating to the latest versions of installed software improves overall infrastructure security, which is why we deemed it important to analyze container images for security vulnerabilities as well as to provide a clear path to the updates that remediate the issues Clair uncovers. Container images are often infrequently updated, but with Clair security scanning, users can identify and update problematic images more easily.
Since our initial announcement, we have focused primarily on improving performance and usability. We started with our largest bottleneck: interactions with the database. There’s now an interface to abstract database operations, beginning with an implementation for Postgres 9.4. By leveraging recursive queries, we’re able to emulate a graph-like structure while maintaining the performance characteristics of a traditional SQL database. This has improved some of our API responses in production by 3 orders of magnitude, from 30 seconds to 30 milliseconds.
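To make the recursive-query idea concrete, here is an added example that is not Clair's own code or schema: a layer's ancestry is walked with a `WITH RECURSIVE` query, the per-layer package diffs are replayed root-first to get the packages present in that layer, and the result is joined against a vulnerability table to report what is affected and which version fixes it. Clair 1.0 targets Postgres 9.4; the query uses the same recursive-CTE syntax on Python's built-in `sqlite3` so it runs stand-alone here. The table names, columns, layer names, package versions and `CVE-0000-*` identifiers are all constructed for this example, and the version comparison is a deliberate simplification (plain string ordering, not dpkg or rpm semantics).

```python
"""Added example, not Clair's own code: recursive CTE over a layer ancestry,
then a vulnerability join that reports the installed and fixing versions.
Schema and data are constructed for this example and do not match Clair's."""
import sqlite3

SCHEMA = """
CREATE TABLE layer (
    id        INTEGER PRIMARY KEY,
    name      TEXT UNIQUE NOT NULL,
    parent_id INTEGER REFERENCES layer(id)      -- NULL for the root layer
);
-- What each layer adds or removes relative to its parent. A package upgrade
-- is recorded as a 'del' of the old version plus an 'add' of the new one.
CREATE TABLE layer_diff (
    layer_id INTEGER NOT NULL REFERENCES layer(id),
    feature  TEXT NOT NULL,
    version  TEXT NOT NULL,
    op       TEXT NOT NULL CHECK (op IN ('add', 'del'))
);
-- fixed_in = '' means no fixed version is known yet.
CREATE TABLE vulnerability (
    name      TEXT NOT NULL,
    namespace TEXT NOT NULL,
    feature   TEXT NOT NULL,
    fixed_in  TEXT NOT NULL,
    severity  TEXT NOT NULL
);
"""

# Recursive CTE: start at the requested layer, follow parent_id to the root,
# and number each hop so the diffs can be replayed from the root downwards.
# Within one layer 'del' rows sort before 'add' rows (DESC on op) so that an
# upgrade removes the old version before installing the new one.
ANCESTRY_DIFFS_SQL = """
WITH RECURSIVE ancestry(id, parent_id, depth) AS (
    SELECT id, parent_id, 0 FROM layer WHERE name = ?
    UNION ALL
    SELECT l.id, l.parent_id, a.depth + 1
    FROM layer AS l JOIN ancestry AS a ON l.id = a.parent_id
)
SELECT d.feature, d.version, d.op
FROM ancestry AS a
JOIN layer_diff AS d ON d.layer_id = a.id
ORDER BY a.depth DESC, d.op DESC;
"""


def installed_features(conn, layer_name):
    """Return {feature: version} present in layer_name after replaying its ancestry."""
    if conn.execute("SELECT 1 FROM layer WHERE name = ?", (layer_name,)).fetchone() is None:
        raise ValueError(f"unknown layer: {layer_name}")
    installed = {}
    for feature, version, op in conn.execute(ANCESTRY_DIFFS_SQL, (layer_name,)):
        if op == "del":
            installed.pop(feature, None)
        else:
            installed[feature] = version
    return installed


def version_lt(have, fixed):
    """Simplified ordering (plain string compare) for the constructed versions
    below. Real scanners need dpkg/rpm version semantics; do not reuse this."""
    return have < fixed


def affected_vulnerabilities(conn, layer_name):
    """List vulnerabilities affecting layer_name, each with the fixing version."""
    installed = installed_features(conn, layer_name)
    if not installed:
        return []
    # Placeholder count comes from len(installed), never from user input.
    placeholders = ",".join("?" * len(installed))
    rows = conn.execute(
        "SELECT name, namespace, feature, fixed_in, severity FROM vulnerability "
        f"WHERE feature IN ({placeholders}) ORDER BY name",
        tuple(installed),
    )
    report = []
    for name, namespace, feature, fixed_in, severity in rows:
        have = installed[feature]
        if fixed_in == "" or version_lt(have, fixed_in):
            report.append({"name": name, "namespace": namespace, "feature": feature,
                           "installed": have, "fixed_by": fixed_in or None,
                           "severity": severity})
    return report


def build_sample_db():
    """In-memory database with constructed layers, diffs and vulnerabilities."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO layer VALUES (?, ?, ?)",
                     [(1, "base", None), (2, "patched", 1), (3, "app", 2)])
    conn.executemany("INSERT INTO layer_diff VALUES (?, ?, ?, ?)", [
        (1, "openssl", "1.0.1k-3", "add"),
        (1, "libc6", "2.19-18", "add"),
        (2, "openssl", "1.0.1k-3", "del"),            # upgrade in layer 'patched'
        (2, "openssl", "1.0.1k-3+deb8u2", "add"),
        (3, "curl", "7.38.0-4", "add"),
    ])
    conn.executemany("INSERT INTO vulnerability VALUES (?, ?, ?, ?, ?)", [
        ("CVE-0000-0001", "debian:8", "openssl", "1.0.1k-3+deb8u1", "High"),
        ("CVE-0000-0002", "debian:8", "openssl", "1.0.1k-3+deb8u4", "Medium"),
        ("CVE-0000-0003", "debian:8", "curl", "7.38.0-4+deb8u2", "High"),
        ("CVE-0000-0004", "debian:8", "libc6", "", "Low"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for layer in ("base", "patched", "app"):
        for v in affected_vulnerabilities(db, layer):
            print(layer, v["name"], v["feature"], v["installed"], "->", v["fixed_by"])
```

Walking the chain in one query, rather than one round trip per parent layer, is what keeps the lookup cheap as ancestry depth grows; the replay in Python stays linear in the number of diff rows. Note that the `patched` layer no longer reports `CVE-0000-0001` because its openssl is past the fixing version, while `CVE-0000-0004` is reported with `fixed_by` of `None` since no fix is known.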
In parallel with these performance improvements, we have also improved usability. The new RESTful JSON API has been generalized and is more useful to developers. The previous API was tightly coupled to integrating with container registries, so the new API should help the community better integrate Clair with other workflows and systems.
Additionally, in order to provide more useful data to Clair API clients, Clair 1.0 introduces new details for each detected vulnerability including:
We’re looking forward to seeing the clever ways the Clair community will use and extend the new API.
Over the past few months, Clair's foundation has proven stable for most general use cases. In order to allow anyone to implement custom behavior, we have increased its flexibility by making the subsystems extensible. These components include:
Contributions to the core Clair repository continue to be welcome, but these extensible components mean any company can maintain their own extensions that enhance Clair. Huawei, for example, has already contributed an extension to support the ACI container image format.
CoreOS would like to thank all the Clair contributors who help make the Internet a safer place, and to offer a particular shout out to: Abhilash Raj, Andrew Lewis, Chenye Liang, David Xia, Jimmy Zelinskie, Jitang Lei, Joey Schorr, Jon Boulle, Masaya Yamauchi, Matthias Nüßler, Michael Stapelberg, Quentin Machu, Sergei Mamonov, Shukui Yang, and Stephane Jourdan.
Visit the project page for more details on how you can use and get involved with Clair, and join us at an upcoming conference or meetup to learn more.
Interested in helping CoreOS secure the Internet? Join us! We’re hiring engineers in New York, Berlin, and San Francisco.