You may have heard that the open source project Clair by CoreOS recently released version 1.0. If you’ve been following along, you may also know that Quay’s Security Scanner, a container registry feature that analyzes container images for known vulnerabilities, is based on Clair. Quay Security Scanner now has an entirely new interface atop the Clair 1.0 APIs and PostgreSQL backend. In this post, we discuss some of the details of the new Quay user experience that make essential security information more accessible, reliable, and actionable.
We welcome you to try out Quay with Security Scanning to examine your container images and take action to repair discovered vulnerabilities.
Clair 1.0 delivers improved performance in the Quay Security Scanner
When we launched the early preview of the Quay Security Scanner, we received two consistent patterns of feedback:
- Provide guidance to take action: Scanning results should offer more guidance on corrective actions. When users received the bad news that their container images were plagued with vulnerabilities, they needed to figure out the fixes for themselves. Where were the vulnerabilities coming from? What could be done to mediate them?
- Improve performance: Users asked for better performance from the analyzer to provide results faster for larger numbers of more complex container images.
The latest update to Quay improves and expands the remediation information presented to administrators when vulnerabilities are detected, and includes the locations of upstream fixes and updates. Clair now uses a well-typed SQL database structure that allows it to comprehensively track the packages that introduce or fix a vulnerability. This empowers container image developers to take action to repair the detected security issues.
To improve performance, we leveraged PostgreSQL recursive queries to collate all of this information directly within the database, without any round trips between the data store and the application logic. The overall performance improvement in Quay Security Scanning amounts to a measured reduction of 99.9% in the time required to scan and report on deeply layered container images with large numbers of packages.
With a significantly quicker and richer data model, the Clair API and the Quay Security Scanning GUI built atop it have matured to expose scan information more easily and completely. Check out the Clair 1.0 release announcement for more background on the API changes supporting these dashboard improvements.
Distilling Clair data into compelling insights
New Quay Security Scanning sports a remodeled dashboard for vulnerability data. It has new high-level views to visually summarize security status across your entire container repository, as well as presents analysis detail and suggested fixes and updates through a series of powerful drill-downs.
The high-level CVE view now summarizes vulnerability data in a glanceable, prioritized way. It breaks down the total set of vulnerabilities to which an image is susceptible — and what patches are ready to be applied to affected packages within the container image.
Each discovered vulnerability is now described in greater detail on the vulnerability drill-down pages. These panels enumerate the components that determine the severity of a vulnerability according to the Common Vulnerability Scoring System (CVSS). The screenshot below shows the categories on which an example vulnerability is scored, allowing administrators to prioritize remediation actions for the most significant threats.
Even the best analysis of individual vulnerabilities can be of limited utility. For example, you may manually check an image for famous vulnerabilities such as Heartbleed, Shellshock, and GHOST. These are only three of the more than 18,000 vulnerabilities tracked in the Clair database today.
Less notorious vulnerabilities are just as damaging to security. Regular tracking and updating of these issues is essential. To assist developers in this process, the latest Quay Security Scanner introduces a new package view, which summarizes critical flaws and maps them to the packages they affect.
With great data comes great responsibility
A major added value in the new Quay Security Scanner dashboard is the ability to take action on vulnerability data in an obvious way. The common way to resolve a vulnerability is to either upgrade or remove an affected package. Therefore it is very important to know how changing or removing a package affects the total attack surface of all identified vulnerabilities.
An analysis of the entire Quay dataset indicated that 80% of all high- or critical-level vulnerabilities can be fixed through a simple upgrade. In order to encourage developers to upgrade these packages, we’ve begun to measure the “upgrade impact” and use that weighted score to provide customizable sorting of the packages in container images. In the example shown below, we could eliminate 11 out of 23 vulnerabilities just by upgrading four packages to their latest versions.
Quay also shows the original command that introduced the package to the container image, helping developers immediately identify exactly where in the build process a package upgrade is needed.
When looking for candidates for removal, users can sort by vulnerability count to quickly identify those with a very low upgrade impact score. In this way you have the largest impact on your vulnerability surface for items that don’t currently have patches or fixes available. In the screenshot below, by removing
libv8, we could remove 32 vulnerabilities that were otherwise unfixable. If this dependency was introduced by a build or test tool, this is a very worthwhile removal to consider.
Polish throughout the Quay UI makes it as easy as possible to take action to repair problems found by Security Scanning, such as adding a toggle to show only fixable vulnerabilities in the vulnerability view. Combining this actionable information with the existing vulnerability notification system, we and the developer community can dramatically reduce the number of fixable vulnerabilities in container images stored on Quay.
Greater security through continuous improvement
All of these great features are ready to use today in the hosted version of Quay. We welcome you to try it out for free. We are also committed to shipping these features for on-premises use in Quay Enterprise, and Security Scanning will be available in the next release.
We encourage you to check your container images hosted on Quay for vulnerabilities, and use the detailed action information in the new Security Scanner dashboard to eliminate them. Together, we can get the fixable vulnerability number down to zero! CoreOS is on a mission to secure the infrastructure that powers the Internet, and Quay and Clair help drive that goal forward with tools to address in-container vulnerabilities.