Resources

Clair

What is Clair?

Clair is a popular open-source security tool that parses the contents of container images and reports the vulnerabilities affecting them. It does this through static analysis of the image, not at runtime.

Security Stage: SCA (Source Composition Analysis)
Type: Open Source
Frameworks: Containers
Site: https://quay.github.io/clair/

Prerequisites

  1. You'll need a container image to scan.
  2. You'll need to set up a Clair connection (your own or the Uleska Cloud version).

How do I set it up?

Adding Clair to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

The Uleska Clair tool makes use of the Container Configuration applied to a version, so make sure that's set for the version you're looking to test.

There are two options when it comes to using the Clair security scanner:

  1. You can use the Uleska Cloud in-built Clair instance to check a container. You will find this at http://uleska-clair:6060 (this is only accessible from the Uleska Cloud platform).
  2. If you wish to use your own instance of Clair, you will need to install Clair on a server you control and obtain its host/IP. Then create a new Generic API Connection and select it when configuring the Clair tool. See the Clair deployment instructions at https://quay.github.io/clair/howto/deployment.html

Creating a connection configuration in the Uleska Platform to Clair

You can tell the Uleska Platform which Clair instance to use by creating a connection configuration.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'Generic Api Connection'
  • Add the URL of your Clair instance
    • If you wish to use the Uleska Cloud instance, enter http://uleska-clair:6060
    • If you wish to use your own instance, enter the URL and port of your instance.
  • No further details are required.
  • Click 'Save'

Setting your application and version (stage) to run Clair Container testing

Once you have added your Container Configuration to your version:

  • Click the "Test tools" tab to open it
  • Find the Clair tool
  • Click the blue cog and select your Clair connection.
  • Click 'Save'
  • Click "Add tool"
  • Click "Save" at the bottom of the page

Now, any time you click 'Test Now' for that version, or make a request over the Uleska API or CLI for that stage, the Clair tool will be included in the test run to test your container, and any results will be added to your vulnerabilities list.