Git Product home page Git Product logo

docker-clair-scanner's Introduction

docker-clair-scanner

Build Status

This is a docker container for clair-scanner https://github.com/arminc/clair-scanner.

Quick how-to

docker network create scanning
docker run -p 5432:5432 -d --net=scanning --name db arminc/clair-db:$(date -d "yesterday" '+%Y-%m-%d')
docker run -p 6060:6060  --net=scanning --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.6
docker run --net=scanning --rm --name=scanner --link=clair:clair -v '/var/run/docker.sock:/var/run/docker.sock'  objectiflibre/clair-scanner --clair="http://clair:6060" --ip="scanner" -t Medium <Image to scan>

Example with generated json report and date formated for Osx

docker network create scanning
docker run -p 5432:5432 -d --net=scanning --name db arminc/clair-db:$(date +%Y-%m-%d)
docker run -p 6060:6060  --net=scanning --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.6
docker run --net=scanning --name=scanner --link=clair:clair -v '/var/run/docker.sock:/var/run/docker.sock'  objectiflibre/clair-scanner --clair="http://clair:6060" --ip="scanner" -r report.json <Image to scan>
docker container cp scanner:report.json ./report.json
docker container rm scanner

docker-clair-scanner's People

Contributors

patazerty avatar saamorim avatar vhbfernandes avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

vhbfernandes saamorim maltejk moogyg digitalist-se davar-playgrounds

docker-clair-scanner's Issues

Executable file not found in $PATH

Hello,
Running a container with an image built from this Dockerfile generates an error:

Missing binary name when copy to /usr/local/bin/ folder
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "exec: "clair": executable file not found in $PATH": unknown.

I did a little investigation and found that on the Dockerfile, the binary name is missing in the destination folder, so the copy operation is overwriting the /usr/local/bin folder.

The correct copy line should be:
COPY --from=0 /gopath/src/clair/clair /usr/local/bin/clair

Below some evidence that the bin folder became the Clair binary:

~ # cd /usr/local/bin
/bin/sh: cd: can't cd to /usr/local/bin: Not a directory
~ #
~ #
~ #
~ # cd /usr/local
/usr/local #
/usr/local #
/usr/local #
/usr/local # ls
bin    lib    share
/usr/local #
/usr/local #
/usr/local #
/usr/local # ./bin
Error: incorrect usage

Usage: clair-scanner [OPTIONS] IMAGE

Scan local Docker images for vulnerabilities with Clair

Arguments:
  IMAGE=""     Name of the Docker image to scan

Options:
  -w, --whitelist=""                    Path to the whitelist file
  -t, --threshold="Unknown"             CVE severity threshold. Valid values; 'Defcon1', 'Critical', 'High', 'Medium', 'Low', 'Negligible', 'Unknown'
  -c, --clair="http://127.0.0.1:6060"   Clair URL
  --ip="localhost"                      IP address where clair-scanner is running on
  -l, --log=""                          Log to a file
  --all, --reportAll=true               Display all vulnerabilities, even if they are approved
  -r, --report=""                       Report output file, as JSON
  --exit-when-no-features=false         Exit with status code 5 when no features are found for a particular image

Unknown issues with debian buster

I'm running clair against an image built based on python:3.9-slim which in turn is based on debian buster. The issue is that clair is reporting a ton of vulns that are not there:

Digest: sha256:1b80f32abe0bd20d0b4fad943e84413f3a53f24eafcc12dc1d08e2367c7dd47a
Status: Downloaded newer image for objectiflibre/clair-scanner:latest
2021/05/03 00:52:03 [INFO] ▶ Start clair-scanner
2021/05/03 00:52:10 [INFO] ▶ Server listening on port 9279
2021/05/03 00:52:10 [INFO] ▶ Analyzing 88a5033f64e4b323c387d762ec17331f9ce8f501b4ad690dbd0776bd36ab04c8
2021/05/03 00:52:17 [INFO] ▶ Analyzing 240f33e375e6857121e6de2c39d59d48ea9ee38c83bd9194953c87359a114cc3
2021/05/03 00:52:18 [INFO] ▶ Analyzing a34d2b4f899901b24bac5e12edf9c017934e853fb0736438d0b599e1c01fc1db
2021/05/03 00:52:18 [INFO] ▶ Analyzing d634b671ceef7f6a52deac8e3ee1b0dc2851d7675481557b4652c8d806a50004
2021/05/03 00:52:18 [INFO] ▶ Analyzing 7c6d6709f625e00641902ead5f725a6ba176a3debc339900161180784bdaa14f
2021/05/03 00:52:18 [INFO] ▶ Analyzing 8fbdbe4e5eacb28bf4a924bc2fd557064b3d91a839f5137b0a5962be1e513cdd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 0571676387e8b74eedfe2d6af9c4ab795ffeb5790b573fa05b6c9e0b5fb4eafd
2021/05/03 00:52:19 [INFO] ▶ Analyzing 2565eda99944164ade39790f49df228d2fe748018e8592ceb5579bd95d1b83c7
2021/05/03 00:52:19 [INFO] ▶ Analyzing d99c63c4ba88b3b03367f41999d6e3f1b81bbe6d2447763e4df15dfdd5e8b66b
2021/05/03 00:52:19 [INFO] ▶ Analyzing b8183782c14f08e6ae295fab4b3f669e845ef066d09db4dc85ff99e39b932891
2021/05/03 00:52:19 [WARN] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 total vulnerabilities
2021/05/03 00:52:19 [ERRO] ▶ Image [registry.gitlab.com/nevrona/public/poetry-docker/feature-debian:0d02321d6751486a69ee7c37c6b1ddfba78b07e8] contains 224 unapproved vulnerabilities

You can see the whole output attached: job.log. The base image is: https://gitlab.com/nevrona/public/poetry-docker/-/blob/0d02321d6751486a69ee7c37c6b1ddfba78b07e8/Dockerfile

Currently I can only disable the scan to bypass it but this would defeat the entire purpose of scanning with clair. What should I do?

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.