Scan Docker image vulnerabilities using Clair, Klar, Docker Registry and Traefik

Edgar Halbert
6 min read · May 6, 2020

Problem: Need to verify Docker image vulnerabilities

Solution: use the open source tool Clair (https://github.com/quay/clair)

Clair is an open source project for the static analysis of known vulnerabilities in container images. It pulls the known vulnerabilities from various sources such as:

In addition I’ll use Klar (https://github.com/optiopay/klar). Klar is a client that coordinates the image checks between the Docker registry and Clair: it reads the image layers from the registry and submits them to Clair for analysis.

At this point we need:

  • Docker
  • Docker-compose
  • A Docker registry
  • Clair
  • Klar
  • Traefik v2

Fortunately for us, all of this can be dockerized.

First Step: Create a private Docker Registry

# workdir structure:…/workdir 
- acme.json
- traefik.yml
- docker-compose-traefik.yml

This step can be bypassed if you already have a Docker Registry or if you’re using Docker Hub to store your images.

If, like me, you need a private Docker Registry, I’ll use Traefik v2 as a reverse proxy to expose the Docker Registry container over HTTPS.

# traefik.yml
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: web
providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false

log:
  level: DEBUG
api:
  dashboard: true

This Traefik configuration is a simple one. The only part that matters here is the certificatesResolvers entry named letsencrypt, which is what the registry router will reference to obtain its TLS certificate. Generating the acme.json file is easy: touch acme.json and then chmod 600 acme.json (Traefik stores the private keys of the issued certificates in this file and refuses to use it unless it is readable by its owner only).

Let’s now focus on the docker-compose.yml file for Traefik v2.

# docker-compose-traefik.yml
version: "3.7"
services:
  traefik:
    image: traefik:latest
    container_name: traefik…
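To show how the registry side of this step fits the traefik.yml above, here is an added compose file for the Docker Registry container; it is an example written for this article, not the author’s own file. It assumes the hostname registry.example.com, an external Docker network named web that the Traefik container also joins, and a bcrypt htpasswd file at ./registry-auth/htpasswd; the router labels reference the websecure entrypoint and the letsencrypt resolver defined in traefik.yml.

```yaml
# docker-compose-registry.yml (added example; hostname, network and paths are assumptions)
version: "3.7"
services:
  registry:
    image: registry:2
    container_name: registry
    restart: unless-stopped
    volumes:
      - ./registry-data:/var/lib/registry      # image layers live here
      - ./registry-auth:/auth:ro               # htpasswd file, read-only
    environment:
      # require credentials on every push and pull
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
    networks:
      - web
    labels:
      - "traefik.enable=true"                  # needed because exposedByDefault is false
      # HTTPS router: certificate from the letsencrypt resolver in traefik.yml
      - "traefik.http.routers.registry.rule=Host(`registry.example.com`)"
      - "traefik.http.routers.registry.entrypoints=websecure"
      - "traefik.http.routers.registry.tls.certresolver=letsencrypt"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
      # plain HTTP router only redirects to HTTPS, so credentials never travel in clear
      - "traefik.http.routers.registry-http.rule=Host(`registry.example.com`)"
      - "traefik.http.routers.registry-http.entrypoints=web"
      - "traefik.http.routers.registry-http.middlewares=to-https"
      - "traefik.http.middlewares.to-https.redirectscheme.scheme=https"

networks:
  web:
    external: true
```

Create the credentials file with `htpasswd -Bbn <user> <password> > registry-auth/htpasswd` (the registry only accepts bcrypt entries) and the network with `docker network create web` before starting the stack.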
