Deployment-ready docker configuration and instructions to use Quay Clair on your infrastructure and CIs
🌟 If this repo helped you please leave a star !
😃 Suggestions and feedback are highly appreciated
Run the following command, then wait about 5 minutes while Clair indexes all CVEs.

```bash
docker-compose up -d
```
Use the utility container I've provided to easily scan an image, including one from a private registry.

- Check the env variables of `scan.docker-compose.yml`
- Run the scan!

```bash
docker-compose -f scan.docker-compose.yml up
```

You can try this vulnerable image: `quay.io/noseka1/deep-dive-into-clair`
- Build the scan image and tag it

```bash
docker build ./scan -t ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0
```

- Push the image to your registry
- Adapt the following command to your CI; the scan container's exit code (`$?`) is what your CI job should check

```bash
docker run --rm -e IMAGE_NAME="node:10-alpine" -e CLAIR_ENDPOINT="http://172.17.0.1:6060" -e REGISTRY_ENDPOINT="" -e REGISTRY_USERNAME="" -e REGISTRY_PASSWORD="" --privileged --network="host" -it ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0
echo "Exit code : $?"
```
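As an added example (not code from this repository), a small CI wrapper around the scan container that scans every image of a pipeline and fails the job on any non-zero scanner exit code; the `scan_image`/`scan_images` functions and the `DOCKER_BIN` override are assumptions of this example, not part of the project.

```shell
#!/usr/bin/env sh
# Added example for CI pipelines; not part of this repository.
# Assumptions: the quay-clair-scan container exits non-zero when the scan fails
# or finds vulnerabilities (the "Exit code" line above), and it reads the same
# environment variables as the docker run command above.
# DOCKER_BIN can be overridden (e.g. to "true"/"false") to exercise the logic without Docker.

SCAN_IMAGE="${SCAN_IMAGE:-ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0}"
CLAIR_ENDPOINT="${CLAIR_ENDPOINT:-http://172.17.0.1:6060}"
DOCKER_BIN="${DOCKER_BIN:-docker}"

# scan_image IMAGE: run one scan and return the scanner's exit code.
# No -it: CI runners have no TTY, so docker run -it would fail with "the input device is not a TTY".
scan_image() {
  "$DOCKER_BIN" run --rm \
    -e IMAGE_NAME="$1" \
    -e CLAIR_ENDPOINT="$CLAIR_ENDPOINT" \
    -e REGISTRY_ENDPOINT="${REGISTRY_ENDPOINT:-}" \
    -e REGISTRY_USERNAME="${REGISTRY_USERNAME:-}" \
    -e REGISTRY_PASSWORD="${REGISTRY_PASSWORD:-}" \
    --privileged --network=host \
    "$SCAN_IMAGE"
}

# scan_images IMAGE...: scan every image built by the pipeline, print one line per
# result, and return 1 if any scan failed so the CI step fails as a whole.
scan_images() {
  failed=0
  for image in "$@"; do
    if scan_image "$image"; then
      echo "OK   $image"
    else
      echo "FAIL $image (exit code $?)" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Typical CI step (images passed as arguments, GitLab CI variable names shown):
#   CI_SCAN_RUN=1 sh ci-scan.sh "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" || exit 1
case "${CI_SCAN_RUN:-0}" in
  1) scan_images "$@" ;;
esac
```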
You must first have a connected Clair cluster initialized to perform the following actions.

- On the internet-connected machine:

```bash
clairctl --config clair_config/config.yml export-updaters updates.json
gzip updates.json
```

ℹ️ The gz file will be ~8.5Gb

- Move the `updates.json.gz` archive into the `clair_config/` directory and run the update:

```bash
mv updates.json.gz clair_config/
docker exec -it $(docker-compose ps -q | head -1) bash
# Inside the `clair` container
cd /config && clairctl import-updaters updates.json.gz
```

- Matcher processes should have the `disable_updaters` key set so that the automatic updaters do not run:

```yaml
matcher:
  disable_updaters: true
```
To learn more about Quay Clair, I recommend:

- The official Clair documentation
- Ales Nosek's video "Deep Dive into Image Vulnerability"

Warning: GitLab 14+ deprecated Clair in favor of Trivy