Scan Docker image vulnerabilities using Clair, Klar, Docker Registry and Traefik

Problem: Need to verify Docker image vulnerabilities

Solution: use the open source tool Clair (https://github.com/quay/clair)

Clair is an open source project for the static analysis of already known vulnerabilities in containers. It pulls the known vulnerabilities from various sources such as:

• Debian Security Bug Tracker
• Red Hat Security Data
• Ubuntu CVE Tracker

In addition I’ll use Klar (https://github.com/optiopay/klar). Klar serves as a client which coordinates the image checks between the Docker registry and Clair.

At this point we need :

• Docker
• Docker-compose
• A Docker registry
• Clair
• Klar
• Traefik v2

Fortunately for us, all of this can be dockerized.

First Step: Create a private Docker Registry

# workdir structure:
…/workdir 
   - acme.json
   - traefik.yml
   - docker-compose-traefik.yml

This step can be bypassed if you already have a Docker Registry or if you’re using Docker Hub to store your images.

If you’re like me and need a private Docker Registry, I’ll use traefik v2 as a reverse proxy to expose the Docker Registry container.

# traefik.yml
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false
        
log:
  level: DEBUG
api:
  dashboard: true

This configuration of traefik is a simple one. Only thing that matters is the certificateResolvers letsencrypt. The actions needed to generate the acme.json file are quite easy: touch acme.json and then chmod 600 acme.json

Let’s take focus on the docker-compose.yml file for traefik v2.

# docker-compose-traefik.yml
version: "3.7"
services:
  traefik:
    image: traefik:latest
    container_name: traefik…