Scan Docker image vulnerabilities using Clair, Klar, Docker Registry and Traefik
Problem: you need to check your Docker images for known vulnerabilities
Solution: use the open source tool Clair (https://github.com/quay/clair)
Clair is an open source project for the static analysis of container images against already-known vulnerabilities. It pulls vulnerability data from several upstream sources, such as:
In addition I’ll use Klar (https://github.com/optiopay/klar). Klar serves as a client which coordinates the image checks between the Docker registry and Clair.
At this point we need:
- A Docker registry
- Traefik v2
Fortunately for us, all of this can be dockerized.
First Step: Create a private Docker Registry
# workdir structure:…/workdir
This step can be skipped if you already have a Docker Registry or if you store your images on Docker Hub.
If, like me, you need a private Docker Registry, use Traefik v2 as a reverse proxy to expose the registry container with a valid TLS certificate.
The Traefik configuration is a simple one; the only part that matters here is the certificateResolvers entry named letsencrypt. Traefik stores the Let's Encrypt account key and the issued certificates in acme.json, so the file has to exist before the container starts and must be readable only by its owner: touch acme.json and then chmod 600 acme.json. Traefik checks the file mode and will complain that the permissions are too open if you skip the chmod.
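The following docker-compose.yml is an added example of the setup described above (Traefik v2 as a TLS-terminating reverse proxy in front of a registry:2 container, with the letsencrypt certificate resolver writing to acme.json); it is not the file from the original post. The hostname registry.example.com, the e-mail address, the proxy network name and the htpasswd-protected registry are my assumptions. Basic auth is added deliberately: a registry that is reachable on the internet without authentication lets anyone push or pull images, and Klar can pass credentials to it later on.

```yaml
# Added example, not the original post's compose file.
# Prerequisites, run once in the workdir (assumed commands, not from the post):
#   touch acme.json && chmod 600 acme.json          # Let's Encrypt state, owner-only
#   mkdir -p auth registry-data
#   docker run --rm --entrypoint htpasswd httpd:2 -Bbn registryuser 'S3cretPassw0rd' > auth/htpasswd
version: "3.7"

services:
  traefik:
    image: traefik:v2.3
    command:
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are exposed.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Force HTTP -> HTTPS so credentials never travel in clear text.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # The certificate resolver named "letsencrypt" referenced by the router label below.
      - "--certificatesresolvers.letsencrypt.acme.email=admin@example.com"   # assumption
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Must already exist with mode 600, otherwise Traefik refuses the file.
      - "./acme.json:/letsencrypt/acme.json"
      # Read-only is the least you can do: the Docker socket is root on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - proxy

  registry:
    image: registry:2
    environment:
      # htpasswd auth so that push/pull requires credentials (bcrypt hashes only).
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      # Allow DELETE so old layers can be removed after a scan flags them.
      REGISTRY_STORAGE_DELETE_ENABLED: "true"
    volumes:
      - "./registry-data:/var/lib/registry"
      - "./auth:/auth:ro"
    # No "ports:" entry: the registry is only reachable through Traefik.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.registry.rule=Host(`registry.example.com`)"   # assumption
      - "traefik.http.routers.registry.entrypoints=websecure"
      - "traefik.http.routers.registry.tls.certresolver=letsencrypt"
      - "traefik.http.services.registry.loadbalancer.server.port=5000"
    networks:
      - proxy

networks:
  proxy:
```

Bring it up with docker-compose up -d, then docker login registry.example.com with the htpasswd user before pushing. The registry publishes no host port of its own, so the only path to it is TLS through Traefik; if you later point Klar at it, give Klar the same credentials rather than opening the registry up.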
Let’s focus on the docker-compose.yml file for Traefik v2.