Today we are open sourcing a new project called Clair, a tool to monitor the security of your containers. Clair is an API-driven analysis engine that inspects containers layer-by-layer for known security flaws. Using Clair, you can easily build services that provide continuous monitoring for container vulnerabilities. CoreOS believes tools that improve the security of the world's infrastructure should be available for all users and vendors, so we made the project open source. With that same purpose, we welcome your feedback and contributions to the Clair project.
Clair is the foundation of the beta version of Quay Security Scanning, a new feature running now on Quay to examine the millions of containers stored there for security vulnerabilities. Quay users can log in today to see Security Scanning information in their dashboard, including a list of potentially vulnerable containers in their repositories. The Quay Security Scanning beta announcement has more details for Quay users.
Why Create Clair: For Improved Security
Vulnerabilities will always exist in the world of software. Good security practice means being prepared for the mishaps – to identify insecure packages and be prepared to update them quickly. Clair is designed to help you identify insecure packages that may exist in your containers.
Understanding how systems are vulnerable is a laborious task, especially when dealing with heterogenous and dynamic setups. The goal is to empower any developer to gain intelligence about their container infrastructure. Even more, teams are empowered to seek action and apply a fix to vulnerabilities as they arise.
How Clair Works
Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures database (CVE) and similar databases from Red Hat, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.
Automatic detection of vulnerabilities will help increase awareness and best security practices across developer and operations teams, and encourage action to patch and address the vulnerabilities. When new vulnerabilities are announced, Clair knows right away, without rescanning, which existing layers are vulnerable and notifications are sent.
For example, CVE-2014-0160, aka "Heartbleed" has been known for over 18 months, yet Quay Scanning found it is still a potential threat to 80 percent of the Docker images users have stored on Quay. Just like CoreOS Linux contains an auto-update tool which patched Heartbleed at the OS layer, we hope this tool will improve the security of the container layer, and help make CoreOS the most secure place to run containers.
Take note that vulnerabilities often rely on particular conditions in order to be exploited. For example, Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn’t suited for that level of analysis and teams should still undertake deeper analysis as required.
To learn more, watch this talk presented by Joey Schorr and Quentin Machu about Clair. And, here are the slides from the talk.
This is only the beginning and we expect more and more development. Contributions and support from the community is welcomed – try it out in Quay or enable it in your container environment and let us know what you think.
The team behind Clair will be at DockerCon EU in Barcelona, November 16-17. Please stop by the Quay booth to learn more or see a demo of Clair or Quay Security Scanning.