Scan Docker image vulnerabilities using Clair, Klar, Docker Registry and Traefik
--
Problem: Need to verify Docker image vulnerabilities
Solution: use the open source tool Clair (https://github.com/quay/clair)
Clair is an open source project for the static analysis of already known vulnerabilities in containers. It pulls the known vulnerabilities from various sources such as:
In addition, I’ll use Klar (https://github.com/optiopay/klar). Klar serves as a client which coordinates the image checks between the Docker registry and Clair: it pulls the image layers from the registry, submits them to Clair, and reports the vulnerabilities Clair finds.
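What a team usually wants from Klar is a CI gate: scan the image, fail the build when too many findings sit at or above a chosen severity, and list which packages already have a fixed version. The script below is an added example, not code from the original post or from the Klar project. It assumes Klar was run with JSON_OUTPUT=true and that its report has the shape shown in the embedded sample (a LayerCount plus vulnerabilities grouped by severity); the sample itself is constructed, with placeholder CVE ids, package names and links. The gate mirrors the assumed semantics of Klar’s CLAIR_OUTPUT (minimum severity) and CLAIR_THRESHOLD (how many findings at that level are tolerated) settings.

```python
import json

# Clair severity scale from lowest to highest; Klar's CLAIR_OUTPUT (minimum severity
# to report) and CLAIR_THRESHOLD (how many such findings are tolerated) use these names.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed sample report. The shape (LayerCount plus Vulnerabilities grouped by
# severity) is assumed from Klar's JSON output mode (JSON_OUTPUT=true); the CVE ids,
# package names and links are placeholders, not real findings.
SAMPLE_KLAR_JSON = """
{
  "LayerCount": 3,
  "Vulnerabilities": {
    "High": [
      {"Name": "CVE-EXAMPLE-0001", "NamespaceName": "debian:10", "Severity": "High",
       "FeatureName": "libexample", "FeatureVersion": "1.0-1", "FixedBy": "1.0-2",
       "Link": "https://example.invalid/CVE-EXAMPLE-0001"},
      {"Name": "CVE-EXAMPLE-0002", "NamespaceName": "debian:10", "Severity": "High",
       "FeatureName": "libother", "FeatureVersion": "2.3-0", "FixedBy": "",
       "Link": "https://example.invalid/CVE-EXAMPLE-0002"}
    ],
    "Medium": [
      {"Name": "CVE-EXAMPLE-0003", "NamespaceName": "debian:10", "Severity": "Medium",
       "FeatureName": "libexample", "FeatureVersion": "1.0-1", "FixedBy": "1.0-2",
       "Link": "https://example.invalid/CVE-EXAMPLE-0003"}
    ],
    "Low": [
      {"Name": "CVE-EXAMPLE-0004", "NamespaceName": "debian:10", "Severity": "Low",
       "FeatureName": "libthird", "FeatureVersion": "0.4", "FixedBy": "",
       "Link": "https://example.invalid/CVE-EXAMPLE-0004"}
    ]
  }
}
"""


def severity_rank(name):
    """Position on the severity scale; names Clair does not use rank lowest."""
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


def parse_klar_report(text):
    """Flatten the per-severity groups into one list of findings."""
    data = json.loads(text)
    findings = []
    for group, entries in data.get("Vulnerabilities", {}).items():
        for v in entries:
            # fall back to the group name if an entry lacks its own Severity field
            findings.append({**v, "Severity": v.get("Severity", group)})
    return data.get("LayerCount", 0), findings


def gate(text, min_severity="High", threshold=0):
    """CI gate mirroring Klar's policy (assumed: CLAIR_OUTPUT sets the floor,
    CLAIR_THRESHOLD the number of findings at or above it that are still allowed).
    Also reports which packages already have a fixed version, which is what a
    defender upgrades first."""
    _, findings = parse_klar_report(text)
    floor = severity_rank(min_severity)
    hits = [v for v in findings if severity_rank(v["Severity"]) >= floor]
    # (package, version to upgrade to) pairs, deduplicated across CVEs
    fixable = sorted({(v["FeatureName"], v["FixedBy"]) for v in hits if v.get("FixedBy")})
    return {
        "count": len(hits),
        "fixable": fixable,
        "passed": len(hits) <= threshold,
    }


if __name__ == "__main__":
    result = gate(SAMPLE_KLAR_JSON, min_severity="High", threshold=0)
    print("findings at or above High:", result["count"])
    print("upgrade to fix:", result["fixable"])
    raise SystemExit(0 if result["passed"] else 1)
```

In a pipeline you would feed the gate the file Klar wrote instead of the embedded sample; the non-zero exit status is what makes the build fail, and the fixable list tells you whether a base-image rebuild alone would clear the High findings.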
At this point we need:
- Docker
- Docker-compose
- A Docker registry
- Clair
- Klar
- Traefik v2
Fortunately for us, all of this can be dockerized.
First Step: Create a private Docker Registry
# workdir structure: …/workdir
- acme.json
- traefik.yml
- docker-compose-traefik.yml
This step can be bypassed if you already have a Docker Registry or if you’re using Docker Hub to store your images.
If, like me, you need a private Docker Registry, I’ll use traefik v2 as a reverse proxy to expose the Docker Registry container.
# traefik.yml
entryPoints:
  web:
    address: :80
  websecure:
    address: :443

certificatesResolvers:
  letsencrypt:
    acme:
      email: your@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: web

providers:
  docker:
    endpoint: unix:///var/run/docker.sock
    exposedByDefault: false

log:
  level: DEBUG

api:
  dashboard: true
This traefik configuration is a simple one. The only part that matters here is the certificatesResolvers entry named letsencrypt. Generating the acme.json file is easy: touch acme.json and then chmod 600 acme.json
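The chmod step is not cosmetic: acme.json holds the private keys of the certificates Let’s Encrypt issues, and Traefik refuses to use the file when its mode is more permissive than 600. The helper below is an added example, not code from the post or from the Traefik project; it reproduces the touch-and-chmod step in Python and adds a preflight check that reports why Traefik would reject the file. The self_check function and the scratch directory it uses are only there to exercise the helpers.

```python
import os
import stat
import tempfile


def prepare_acme_store(workdir):
    """Create the empty acme.json that Traefik will write certificates into.
    Equivalent to `touch acme.json && chmod 600 acme.json` from the post; the
    explicit chmod matters because the process umask can widen the mode given
    to os.open (with a umask of 022 a plain touch would leave 644)."""
    path = os.path.join(workdir, "acme.json")
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def check_acme_store(path):
    """Return a list of problems; an empty list means the file is ready for Traefik."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["acme.json is missing (run touch acme.json first)"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("acme.json is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # group/other bits set: the private keys Traefik stores here would be readable
        problems.append("mode %o is too open, use 600" % mode)
    if mode & 0o600 != 0o600:
        problems.append("owner needs read and write access")
    return problems


def self_check():
    """Exercise both helpers in a scratch directory; returns the three outcomes
    (fresh file, file widened to 644, missing file)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = prepare_acme_store(workdir)
        fresh = check_acme_store(path)
        os.chmod(path, 0o644)
        too_open = check_acme_store(path)
        missing = check_acme_store(os.path.join(workdir, "nope.json"))
    return fresh, too_open, missing


if __name__ == "__main__":
    for label, result in zip(("fresh", "too_open", "missing"), self_check()):
        print(label, "->", result or "ok")
```

Run check_acme_store against the real …/workdir/acme.json before starting the traefik container; a non-empty list is the same complaint you would otherwise only see in Traefik’s log after the certificate request has already failed.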
Let’s focus on the docker-compose file for traefik v2 (docker-compose-traefik.yml).
# docker-compose-traefik.yml
version: "3.7"

services:
  traefik:
    image: traefik:latest
    container_name: traefik…