Skip to content

usr42/clair-container-scan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Clair container scan

Anchore Image Overview

Overview

Automatically scan a particular local docker image or all local docker containers with Clair Vulnerability Scanner using Clair-Scanner and clair-local-scan.

Prerequisites

  • docker (1.12 or newer)
  • docker-compose (1.9.0 or newer)

Quick start

Scan all local containers

To get json output of the clair scan of all running containers to standard out just run:

./clair-container-scan.sh -p

The output will be empty and the return code will be zero, if no CVE was found. If there are findings, the output will list details in json.

You should always add the -p flag to get the latest CVE database version. You can use the -v flag to add verbose output, in case of a problem.

Scan a particular local image

To scan one particular local image just specify the image name as parameter:

# To scan alpine:3.4 run:
./clair-container-scan.sh -p alpine:3.4

The output will be empty and the return code will be zero, if no CVE was found.

If there are findings, the output will list details in json.

Integration in CI/CD

The easiest (but not most secure way) of integrating into your CI/CD tool is to run following one-liner (replace alpine:3.4 with the image you want to scan):

# to scan alpine:3.4 again
curl -s https://raw.githubusercontent.com/usr42/clair-container-scan/master/clair-container-scan.sh | sh -s -- alpine:3.4

WARNING: You should never pipe a remote-script directly into a shell, unless you completely trust the source and integrity of the file to execute. Usually, it is better to download the file, validate its input, and run you local, validated version.

Credits

About

Automatically scan all local docker containers with Clair Vulnerability Scanner(https://github.com/coreos/clair) using Clair-Scanner(https://github.com/arminc/clair-scanner)

Resources

License

Stars

Watchers

Forks

Packages

No packages published