CoreOS Delivers on Security with v1.0 of Clair Container Image Analyzer

• By Quentin Machu

Four months ago, CoreOS launched an early version of Clair, an open source container image security analyzer. Today Clair is graduating to version 1.0 and is ready for production workloads.

As a part of the CoreOS mission to secure the world's infrastructure, CoreOS is today delivering a new version of the Clair container image security analyzer, a powerful and extensible tool that inspects container images for known security flaws. Clair enables developers to build services that scan containers for security threats and vulnerabilities.

Clair helps DevOps teams maintain security by delivering useful and actionable information about the vulnerabilities that threaten containers. Community feedback guided many of the latest Clair features, including the ability not only to reveal whether a vulnerability is present, but also offer the available patch or update to correct it. Additionally, the 1.0 release improves performance and extensibility, empowering developers and operations professionals to implement their own services around the Clair analyzer.

In our previous blog post, we discussed why we originally wrote Clair and why we believe it is important. After that initial announcement, users often indicated a desire to learn what they can do to improve container security. We are excited to encourage this practice and have added the capability to identify fixes along with vulnerabilities. Many common container images are based on some form of Debian or CentOS Linux distributions, and because of their age and size, these can provide a large attack surface with many potential vulnerabilities. These systems and their packages can be updated, and even more, we want to encourage users to take action and update their container images. A sample analysis powered by Clair and indexed by CoreOS's Quay container registry determined that:

More than 70% of detected vulnerabilities could be fixed simply by updating the installed packages in these container images.

More than 80% of vulnerabilities rated High and Critical have known fixes that can be applied with a simple update to packages in these images.

Updating to the latest versions of installed software improves overall infrastructure security, which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues that Clair uncovers. Container images are often infrequently updated, but with Clair security scanning, users can identify and update problematic images more easily.

What’s new in Clair 1.0

Since our initial announcement, we have focused primarily on improving performance and usability. We started with our largest bottleneck: interactions with the database. There’s now an interface to abstract database operations, beginning with an implementation for Postgres 9.4. By leveraging recursive queries, we’re able to emulate a graph-like structure while maintaining the performance characteristics of a traditional SQL database. This has improved some of our API responses in production by 3 orders of magnitude, from 30 seconds to 30 milliseconds.

In parallel with these performance improvements, we have also improved usability. The new RESTful JSON API has been generalized and is more useful to developers. The previous API was tightly coupled to integrating with container registries, so the new API should help the community better integrate Clair with other workflows and systems.

Additionally, in order to provide more useful data to Clair API clients, Clair 1.0 introduces new details for each detected vulnerability including:

Name and version of the source package of the vulnerability, called a Feature in Clair.

The feature version(s) that fix the vulnerability, if they exist.

Metadata such as the Common Vulnerability Scoring System (CVSS). When available, CVSS metadata provides the fundamental characteristics of the vulnerability such as means of access, whether authentication is required, and the impacts to confidentiality, integrity, or availability.

Flags the specific layer in the image that introduces the vulnerability to make applying patches even easier.

We’re looking forward to seeing the clever ways the Clair community will use and extend the new API.

Over the past few months Clair's foundation has proven stable for most general use cases. In order to allow anyone to implement custom behavior, we have increased its flexibility by making the subsystems extensible. These components include:

Fetchers - gather vulnerability data from public sources

Detectors - index container images by the Features they contain

Image Formats - Docker, ACI, and other container image formats known to Clair

Notification Hooks - how we notify users/machines that a new vulnerability has been discovered or that changes to an existing vulnerability have occurred

Databases - storage for the layers and vulnerabilities

Contributions to the core Clair repository continue to be welcome, but these extensible components mean any company can maintain their own extensions that enhance Clair. Huawei, for example, has already contributed an extension to support the ACI container image format.

Acknowledgements

CoreOS would like to thank all the Clair contributors who help make the Internet a safer place, and to offer a particular shout out to: Abhilash Raj, Andrew Lewis, Chenye Liang, David Xia, Jimmy Zelinskie, Jitang Lei, Joey Schorr, Jon Boulle, Masaya Yamauchi, Matthias Nüßler, Michael Stapelberg, Quentin Machu, Sergei Mamonov, Shukui Yang, and Stephane Jourdan.

Learn more about Clair

Visit the project page for more details on how you can use and get involved with Clair, and join us at an upcoming conference or meetup to learn more.

Also visit us at CoreOS Fest 2016 in Berlin, Germany where we will be discussing the deep technical details of Clair. We will also present Clair at OSCON 2016 this May in Austin, Texas.

Work with CoreOS!

Interested in helping CoreOS secure the Internet? Join us! We’re hiring engineers in New York, Berlin, and San Francisco.