Why do I need to scan

Docker provides Docker Hub, where users can upload the images they build so that others can download them and stand up an environment quickly. This convenience also brings security problems: a downloaded image may have had a backdoor implanted in it, the image may be tampered with in transit, and the environment the image builds may contain vulnerabilities. The three main concerns are:

  1. Attackers upload malicious images: if an attacker implants Trojans, backdoors or other malware in an image, the environment built from it is insecure from the start, and nothing built on top of it can be trusted afterwards.
  2. Images contain vulnerable software: according to some reports, 75% of the images available for download on the hub have vulnerable software installed, so after downloading an image you need to check the versions of the installed software, find out whether those versions have known vulnerabilities, and update and patch them promptly.
  3. Man-in-the-middle tampering with the image: the image may be modified during transmission. Newer versions of Docker provide a verification mechanism to prevent this.

How to scan

1. Get the clair-scanner vulnerability scanning tool

curl -L https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64 -o /usr/bin/clair-scanner

chmod +x /usr/bin/clair-scanner

2. Start Clair

docker run -p 5432:5432 -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest

3. Test scan of the php:7.2 image (the --ip value is the host address Clair uses to reach clair-scanner's temporary web server; 172.17.0.1 is the default docker0 bridge address)

docker pull php:7.2

clair-scanner -r php-report.json --ip 172.17.0.1 php:7.2
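A scan is only useful if something acts on the report. The following is an added example (not part of the original post or of the clair-scanner project) that reads the JSON report written by `-r`, applies a severity threshold plus a whitelist of accepted findings, and returns a pass/fail verdict suitable for a CI gate. The report field names (`vulnerability`, `featurename`, `severity`, `fixedby`) and the Clair severity ladder are assumed from the tool's output; the sample report and its CVE identifiers are constructed.

```python
"""Gate on a clair-scanner JSON report. Added example; field names assumed."""
import json

# Clair severity ladder, lowest to highest; index position is the rank.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample in the shape clair-scanner writes with -r (CVE ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "image": "php:7.2",
    "unapproved": ["CVE-0000-0001", "CVE-0000-0002"],
    "vulnerabilities": [
        {"featurename": "libxml2", "featureversion": "2.9.4", "vulnerability": "CVE-0000-0001",
         "namespace": "debian:9", "severity": "High", "fixedby": "2.9.4+dfsg1-2.2+deb9u2"},
        {"featurename": "openssl", "featureversion": "1.1.0", "vulnerability": "CVE-0000-0002",
         "namespace": "debian:9", "severity": "Medium", "fixedby": ""},
        {"featurename": "bash", "featureversion": "4.4", "vulnerability": "CVE-0000-0003",
         "namespace": "debian:9", "severity": "Low", "fixedby": ""},
    ],
})


def severity_rank(name):
    """Rank a severity string; anything unrecognised is treated as Unknown (rank 0)."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def findings_at_or_above(report_json, threshold, whitelist=()):
    """Return findings at or above `threshold`, skipping whitelisted CVE ids, highest first."""
    report = json.loads(report_json)
    floor = severity_rank(threshold)
    hits = [v for v in report.get("vulnerabilities", [])
            if v.get("vulnerability") not in whitelist
            and severity_rank(v.get("severity", "Unknown")) >= floor]
    return sorted(hits, key=lambda v: severity_rank(v.get("severity", "Unknown")), reverse=True)


def gate(report_json, threshold="High", whitelist=()):
    """Summarise the scan: passes only when no non-whitelisted finding reaches the threshold."""
    hits = findings_at_or_above(report_json, threshold, whitelist)
    fixable = [h for h in hits if h.get("fixedby")]  # a fix version exists upstream
    return {
        "image": json.loads(report_json).get("image"),
        "pass": not hits,
        "count": len(hits),
        "fixable": len(fixable),
        "ids": [h["vulnerability"] for h in hits],
    }


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_REPORT, "High"), indent=2))
```

Run it against the real file with `gate(open("php-report.json").read(), "High")` and exit non-zero when `pass` is false; keep the whitelist short and reviewed, since every entry is a finding you have chosen to accept.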
