
Continuous Delivery Powered by Containers


Containerized applications are becoming more popular with each passing year. A reason for this rise in popularity could be the pivotal role that they play in Continuous Delivery by enabling fast and automated deployment of software services. As the popularity of software containers increases, they are inspiring complementary technologies that automate other development tasks. One of these complementary technologies is Clair, which performs automatic vulnerability scanning on software containers.

What is Clair?

Clair identifies security issues that developers introduce in their container code. The vanilla process for using Clair is as follows:

  1. A developer programmatically submits their container image to Clair
  2. Clair analyzes the image, looking for security vulnerabilities
  3. Clair returns a detailed report of security vulnerabilities present in the image
  4. Developer acts based on the report

Clair becomes more interesting paired with a build server like Jenkins. Given proper configuration, Clair’s process becomes:

  1. A developer submits application code to source control
  2. Source control triggers a Jenkins build
  3. Jenkins builds the software containers necessary for the application
  4. Jenkins submits the container images to Clair
  5. Clair identifies security vulnerabilities in the container
  6. Jenkins receives the security report, identifies a high vulnerability in the report, and stops the build
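The gating step above (stop the build when the report contains a vulnerability at or above a chosen severity) is shown here as an added example, not code from the post or from Clair. It assumes the report shape of the Clair v1 layer API and uses a constructed sample report modelled on the post's Heartbleed image.

```python
import json
import sys

# Clair v1 severity scale, lowest to highest (assumed; matches the v1 API's values).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample in the assumed Clair v1 shape:
# {"Layer": {"Features": [{"Name", "Version", "Vulnerabilities": [{"Name", "Severity"}]}]}}
SAMPLE_REPORT = json.dumps({
    "Layer": {
        "Name": "sha256:constructed-layer-id",
        "Features": [
            {"Name": "openssl", "Version": "1.0.1-4ubuntu5.11",
             "Vulnerabilities": [{"Name": "CVE-2014-0160", "Severity": "High"}]},
            {"Name": "wget", "Version": "0.0-constructed",
             "Vulnerabilities": [{"Name": "CVE-0000-00000", "Severity": "Low"}]},  # placeholder id
        ],
    }
})


def severity_rank(name):
    """Map a Clair severity string to a comparable rank; unknown strings rank lowest."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def find_blocking_vulns(report_json, threshold="High"):
    """Return (package, version, cve, severity) for each vulnerability at or above threshold."""
    report = json.loads(report_json)
    floor = severity_rank(threshold)
    hits = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            if severity_rank(vuln.get("Severity", "Unknown")) >= floor:
                hits.append((feature["Name"], feature["Version"], vuln["Name"], vuln["Severity"]))
    return hits


def gate(report_json, threshold="High"):
    """True if the build may continue, False if Jenkins should stop it."""
    return not find_blocking_vulns(report_json, threshold)


if __name__ == "__main__":
    # In Jenkins, the report Clair returned for the new image would be piped in on stdin.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for pkg, ver, cve, sev in find_blocking_vulns(data):
        print(f"BLOCK {sev}: {cve} in {pkg} {ver}")
    sys.exit(0 if gate(data) else 1)
```

A non-zero exit status is what makes a Jenkins shell step fail the build; the threshold can be lowered to "Medium" or "Low" for stricter projects.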

A Case for Clair

Clair has a definite place on software projects that have a contractual need for security and a continuous delivery pipeline using software containers. Depending on security needs, Clair could replace, or at minimum augment, traditional vulnerability scanning. Given that Clair is free to use, Clair’s cost is setup and maintenance.

How to use Clair

Docker is required to follow along with this demonstration. Once Docker is installed, use the Dockerfile below to create an Ubuntu image that contains a version of OpenSSL that is susceptible to Heartbleed attacks.

# Dockerfile
FROM ubuntu:precise-20160303

# Install wget
RUN apt-get update
RUN apt-get -f install
RUN apt-get install -y wget

# Install an OpenSSL vulnerable to Heartbleed (CVE-2014-0160)
RUN wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436462/+files/openssl_1.0.1-4ubuntu5.11_amd64.deb --no-check-certificate
RUN dpkg -i openssl_1.0.1-4ubuntu5.11_amd64.deb

These are the steps to build the Dockerfile:

  1. Create a folder called “vulnerable”
  2. Create a file inside of that folder called “Dockerfile”
  3. Put the code from above into the Dockerfile
  4. Open Terminal on Mac/Linux or MinGW on Windows
  5. Navigate to the folder where you created your Dockerfile
  6. Type “docker build -t vulnerable .” and hit enter

After creating the insecure Docker image, the next step is to download and install Clair from here. The installation choice used for this demonstration was the Docker Compose solution. Once Clair is installed, it can be used by querying its API or through the analyze-local-images tool. Submit the insecure Docker image created above to Clair for analysis and it will catch the Heartbleed vulnerability.

Summary

There are several paid-subscription services like Docker Hub, Docker Cloud, and Quay Enterprise that incorporate security scans into their pipeline. This approach configures automatic security scanning without having to rely on a subscription service. Before wrapping up this demonstration, remove the vulnerable Docker image: open a Terminal on Mac/Linux or MinGW on Windows and type “docker rmi vulnerable”.

Clair is just one of the technologies being generated to support containers and Continuous Delivery. We work with organizations to help assess DevOps strategy, processes and tooling, as well as provide best practices to support the successful implementation of DevOps. Read our recent DevOps assessment for a Transportation Data Company to learn more.

About The Author

Cody Halbleib is a Senior Consultant on the Software team. His family is his partner, Jamie, and his Border Collie mix, Walter.
