Containerized applications are becoming more popular with each passing year. A reason for this rise in popularity could be the pivotal role that they play in Continuous Delivery by enabling fast and automated deployment of software services. As the popularity of software containers increases, they are inspiring complementary technologies that automate other development tasks. One of these complementary technologies is Clair, which performs automatic vulnerability scanning on software containers.

What is Clair?

Clair identifies security issues that developers introduce in their container code. The vanilla process for using Clair is as follows:

1. A developer programmatically submits their container image to Clair
2. Clair analyzes the image, looking for security vulnerabilities
3. Clair returns a detailed report of security vulnerabilities present in the image
4. Developer acts based on the report

Clair becomes more interesting paired with a build server like Jenkins. Given proper configuration, Clair’s process becomes:

1. A developer submits application code to source control
2. Source control triggers a Jenkins build
3. Jenkins builds the software containers necessary for the application
4. Jenkins submits the container images to Clair
5. Clair identifies security vulnerabilities in the container
6. Jenkins receives the security report, identifies a high vulnerability in the report, and stops the build

A Case for Clair

Clair has a definite place on software projects that have a contractual need for security and a continuous delivery pipeline using software containers. Depending on security needs, Clair could replace, or at minimum augment, traditional vulnerability scanning. Given that Clair is free to use, Clair’s cost is set up and maintenance.

How to use Clair

Docker is required to follow along with this demonstration. Once Docker is installed, use the Dockerfile below to create an Ubuntu image that contains a version of SSL that is susceptible to Heartbleed attacks.

#Dockerfile
FROM ubuntu:precise-20160303

#Install WGet
RUN apt-get update
RUN apt-get -f install
RUN apt-get install -y wget

#Install an OpenSSL vulnerable to Heartbleed (CVE-2014-0160)
RUN wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436462/+files/openssl_1.0.1-4ubuntu5.11_amd64.deb –no-check-certificate
RUN dpkg -i openssl_1.0.1-4ubuntu5.11_amd64.deb

These are the steps to build the Dockerfile:

1. Create a folder called “vulnerable”
2. Create a file inside of that folder called “Dockerfile”
3. Put the code from above into the Dockerfile
4. Open Terminal on Mac/Linux or MinGW on Windows
5. Navigate to the folder where you created your Dockerfile
6. Type “docker build –t vulnerable .” and hit enter

After creating the insecure Docker image, the next step is to download and install Clair from here. The installation choice used for this demonstration was the Docker Compose solution. Once Clair is installed, it can be used via querying its API or through the analyze-local-images tool. Submit the insecure Docker image created above to Clair for analysis and it will catch the Heartbleed vulnerability.

Summary

There are several paid-subscription services like Docker Hub, Docker Cloud, and Quay Enterprise that incorporate security scans into their pipeline. This approach configures automatic security scanning without having to rely on a subscription service. Prior to completing this demonstration, remove the vulnerable Docker image. Open a Terminal on Mac/Linux or MinGW on Windows and type “docker rmi vulnerable” to remove the image.

Clair is just one of the technologies being generated to support containers and Continuous Delivery.  We work with organizations to help assess DevOps strategy, processes and tooling, as well as provide best practices to support the successful implementation of DevOps.  Read our recent DevOps assessment for a Transportation Data Company to learn more.