Product
Pricing
Resources
Docs
Product
Pricing
Resources
Docs

Clair

What is Clair?

Clair is a popular open source security tool for parsing container image contents and reporting vulnerabilities affecting the contents. This is done via static analysis and not at runtime.

Security Stage SCA (Source Composition Analysis)
Type OpenSource
Frameworks Containers
Site https://quay.github.io/clair/

 

Pre-requisite

1 You'll need a Git address to scan

How do I set it up?

Adding Clair to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

Clair supports two types of configuration to facilitate the scanning docker images to find vulnerabilities.

  1. Passing a code repository containing a Dockerfile for the container.
  2. Pointing to an artefact repository containing the container.

The first way is to have a code repository where a Dockerfile https://docs.docker.com/engine/reference/builder/ is located in the root directory of the git repo.
  • To do this simply configure the relevant version (stage) with the git repo URL containing the Dockerfile.

Untitled (6)

 

The second way is to scan an existing image from a private repository, such as Nexus or Jfrog.

  • To do this first make a new "Generic APi Connection" with a URL, Username and Password.
  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'Generic APi Connection'
  • Add a descriptive label for this connection (e.g. Nexus)
  • Add the URL of your repository manager.
  • Add the username for your repo manager.
  • Add the password for your repo manager.
  • Click 'Save'

Untitled (7)

Now that the Uleska system is configured to pick up your container Dockerfile or access the image from your repository, you can configure the testing toolkit to include Clair.

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'Clair' tool.

ClairSetup

  • If you are connecting to a built image on a repository, click on the blue cog icon to set the connection for the tool.
    • Enter the relevant image name and tag for the image to be tested. Note this can be updated using the Uleska API or CLI during pipeline builds.

Untitled (8)

    • Click Save.

Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the Clair tool will be included to test your container in the test run and any results added to your vulnerabilities list.

Notes

None