We are happy to announce that Quay Security Scanner is now available in the latest release (v1.16.0) of Quay Enterprise, the on-premises version of the Quay container registry by CoreOS. This release marks the Quay Security Scanner feature as enterprise ready. When this feature is enabled in Quay Enterprise, all container images in the registry are indexed and cross-referenced against public vulnerability databases. Enterprises have long invested in their security auditing process in a pre-container world, and tools like Quay Security Scanner aim to extend that process into container cluster infrastructure.
Your build process: A ticking time bomb
With the popularity of large container base images, the majority of containers passively include an additional operating system full of software — and software vulnerabilities — along with their applications. Worse, this layer of system software is often cached when rebuilding a container, leaving new container images with an updated target application but old libraries and system utilities. As these base-images continue to stagnate, more and more vulnerabilities are discovered and until now developers have had no convenient tooling available to audit their containers.
Quay Security Scanner in a nutshell
Driven by the open source Clair container image scanning engine, Quay Security Scanner is the first vulnerability detection system to be fully integrated with an on-premises container registry. All container images stored in Quay have an associated Vulnerabilities page that shows developers the software installed in each container, the known vulnerabilities afflicting that software, and whatever fixes are available for those security issues. Unlike other solutions, images need only be scanned once, while the vulnerability data is always update to date. The Security Scanner is smart enough to update previously indexed packages when new vulnerabilities appear, without scanning the container image again.
Quay’s notification system includes an additional event type that users can configure to select what severity levels will trigger notifications of vulnerabilities that are initially detected in an image, as well as if vulnerabilities are later reclassified as more dangerous. Quay notifications can be sent to users via Quay itself, e-mail, webhook, Flowdock, HipChat, or Slack.
Improve your container security with Quay Enterprise
Current customers can enable Quay Security Scanner by following the instructions found in the Quay Enterprise documentation. More information on the latest release of Quay Enterprise can be found in the release notes. If you don’t already have Quay Enterprise, all plans start with a free trial.
Learn more and get any questions answered with our expert team at CoreOS Fest Berlin, May 9-10, and San Francisco, May 9.