Continuous Delivery Powered by Containers


Containerized applications are becoming more popular with each passing year. A reason for this rise in popularity could be the pivotal role that they play in Continuous Delivery by enabling fast and automated deployment of software services. As the popularity of software containers increases, they are inspiring complementary technologies that automate other development tasks. One of these complementary technologies is Clair, which performs automatic vulnerability scanning on software containers.

What is Clair?

Clair identifies security issues that developers introduce in their container code. The vanilla process for using Clair is as follows:

  1. A developer programmatically submits their container image to Clair
  2. Clair analyzes the image, looking for security vulnerabilities
  3. Clair returns a detailed report of security vulnerabilities present in the image
  4. Developer acts based on the report

Clair becomes more interesting when paired with a build server like Jenkins. Given proper configuration, Clair’s process becomes:

  1. A developer submits application code to source control
  2. Source control triggers a Jenkins build
  3. Jenkins builds the software containers necessary for the application
  4. Jenkins submits the container images to Clair
  5. Clair identifies security vulnerabilities in the container
  6. Jenkins receives the security report, identifies a high vulnerability in the report, and stops the build
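Step 6 is the part a pipeline has to implement itself: read the scan report and decide whether the build stops. The script below is an added example (not from the original post or from Clair) of such a gate; it assumes a simplified Clair v1 layer report shape and a constructed sample report for the "vulnerable" image built later in the post.

```python
# Added example (not from the original post or Clair itself): a Jenkins-style
# gate over a Clair report. The report shape is an assumption, a simplified
# Clair v1 layer report: Layer -> Features[] -> Vulnerabilities[] with Severity.
import json
import sys

# Clair's severity scale from least to most severe (ordering assumed).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5, "Defcon1": 6}

# Constructed sample report for the "vulnerable" image built in this post.
SAMPLE_REPORT = json.dumps({"Layer": {
    "Name": "sha256:constructed-layer-digest",
    "Features": [
        {"Name": "openssl", "Version": "1.0.1-4ubuntu5.11",
         "Vulnerabilities": [{"Name": "CVE-2014-0160", "Severity": "High"}]},
        {"Name": "wget", "Version": "0.0-constructed",
         "Vulnerabilities": [{"Name": "CVE-CONSTRUCTED-0001", "Severity": "Low"}]},
    ]}})


def findings_at_or_above(report_json, threshold="High"):
    """Return (feature, version, cve, severity) for findings >= threshold."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold}")
    floor = SEVERITY_RANK[threshold]
    hits = []
    for feature in json.loads(report_json).get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            # An unrecognised severity string is treated as Unknown, not as a crash.
            severity = vuln.get("Severity", "Unknown")
            if SEVERITY_RANK.get(severity, 0) >= floor:
                hits.append((feature["Name"], feature.get("Version", "?"),
                             vuln["Name"], severity))
    return hits


def should_fail_build(report_json, threshold="High"):
    """Step 6 of the pipeline: True when the build must stop."""
    return bool(findings_at_or_above(report_json, threshold))


if __name__ == "__main__":
    for name, version, cve, severity in findings_at_or_above(SAMPLE_REPORT):
        print(f"{severity}: {cve} in {name} {version}")
    # Non-zero exit is what makes a Jenkins shell step mark the build failed.
    sys.exit(1 if should_fail_build(SAMPLE_REPORT) else 0)
```

Run it as a shell step after the scan; the threshold argument lets a project choose which severity stops the build.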

A Case for Clair

Clair has a definite place on software projects that have a contractual need for security and a continuous delivery pipeline using software containers. Depending on security needs, Clair could replace, or at minimum augment, traditional vulnerability scanning. Given that Clair is free to use, Clair’s cost is setup and maintenance.

How to use Clair

Docker is required to follow along with this demonstration. Once Docker is installed, use the Dockerfile below to create an Ubuntu image that contains a version of SSL that is susceptible to Heartbleed attacks.

# Dockerfile: deliberately builds an image with an OpenSSL vulnerable to Heartbleed
FROM ubuntu:precise-20160303

# Install wget
RUN apt-get update
RUN apt-get -y -f install
RUN apt-get install -y wget

# Install an OpenSSL vulnerable to Heartbleed (CVE-2014-0160)
RUN wget https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/5436462/+files/openssl_1.0.1-4ubuntu5.11_amd64.deb --no-check-certificate
RUN dpkg -i openssl_1.0.1-4ubuntu5.11_amd64.deb

These are the steps to build the Dockerfile:

  1. Create a folder called “vulnerable”
  2. Create a file inside of that folder called “Dockerfile”
  3. Put the code from above into the Dockerfile
  4. Open Terminal on Mac/Linux or MinGW on Windows
  5. Navigate to the folder where you created your Dockerfile
  6. Type “docker build -t vulnerable .” and hit enter

After creating the insecure Docker image, the next step is to download and install Clair from here. The installation choice used for this demonstration was the Docker Compose solution. Once Clair is installed, it can be used by querying its API or through the analyze-local-images tool. Submit the insecure Docker image created above to Clair for analysis and it will catch the Heartbleed vulnerability.

Summary

There are several paid-subscription services like Docker Hub, Docker Cloud, and Quay Enterprise that incorporate security scans into their pipeline. This approach configures automatic security scanning without having to rely on a subscription service. Prior to completing this demonstration, remove the vulnerable Docker image. Open a Terminal on Mac/Linux or MinGW on Windows and type “docker rmi vulnerable” to remove the image.

Clair is just one of the technologies being generated to support containers and Continuous Delivery. We work with organizations to help assess DevOps strategy, processes and tooling, as well as provide best practices to support the successful implementation of DevOps. Read our recent DevOps assessment for a Transportation Data Company to learn more.

About Cody Halbleib

Cody Halbleib is a Senior Consultant on the Software team. His family is his partner, Jamie, and his Border Collie mix, Walter.
