CoreOS Releases Clair 1.0 Production Ready Container Image Security Analyzer
Source: CoreOS

CoreOS announced the release of Clair 1.0, its container image security analysis solution for appc and Docker images. Analyses of millions of container images in CoreOS’s Quay container registry, run with a beta version of Clair, revealed an alarming number of images containing known security vulnerabilities: 66% contained the Ghost bug and 80% contained the Heartbleed bug. According to CoreOS, over 70% of these problems could be fixed simply by updating what is installed in these container images.

Clair enables DevOps teams to identify and remediate vulnerabilities in container images. As part of Clair, CoreOS maintains a database of vulnerability data. Clair offers users a choice of static or dynamic analysis. Dynamic analysis is performed on a running container. With static analysis, the container never needs to be executed; instead, the filesystem of the container image is inspected for vulnerabilities. Findings are displayed in Clair’s user interface, and additional workflows such as email notifications or webhooks can be triggered.

Clair 1.0 offers improved performance over the previous beta version. One particular bottleneck was database response time. A new vulnerability database implementation using Postgres 9.4 has significantly improved some API response times; according to CoreOS, some operations that previously took 30 seconds now complete in 30 milliseconds.

CoreOS has improved Clair 1.0’s RESTful JSON API by decoupling it from the previous integration with container registries, allowing easier integration with other systems. The new Clair 1.0 API introduces concepts such as Clair “Features,” which record, for each vulnerability, the name and source package of the affected software along with any available fixes. Clair 1.0 stores vulnerability metadata using the Common Vulnerability Scoring System (CVSS) when available. The Clair API allows companies to maintain their own extensions, and CoreOS welcomes contributions that help extend Clair’s functionality.
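As an added illustration (not CoreOS’s code) of how a defender would consume the Features and fix data the API exposes: the script below parses a constructed response shaped like Clair’s v1 layer-analysis endpoint (`GET /v1/layers/<name>?features&vulnerabilities`; field names `Features`, `Vulnerabilities`, `FixedBy` and `Metadata.NVD.CVSSv2.Score` are assumed from the v1 API) and reports which vulnerable packages already have a fix available, the same “fixable by updating” measure the article cites.

```python
"""Summarise a Clair 1.0 layer analysis: which vulnerable features already have a fix.

Added example, not CoreOS's code. SAMPLE_RESPONSE is a constructed payload shaped
like the v1 `GET /v1/layers/<name>?features&vulnerabilities` response; the field
names are assumed from the v1 API, and all versions and CVE ids are placeholders.
"""
import json

# Constructed sample response; package versions and CVE ids are illustrative only.
SAMPLE_RESPONSE = json.dumps({"Layer": {
    "Name": "sha256:constructed-layer-digest", "NamespaceName": "debian:8",
    "Features": [
        {"Name": "openssl", "NamespaceName": "debian:8", "Version": "1.0.1e-2",
         "Vulnerabilities": [{"Name": "CVE-EXAMPLE-0001", "Severity": "High",
                              "FixedBy": "1.0.1e-2+deb8u1",
                              "Metadata": {"NVD": {"CVSSv2": {"Score": 5.0}}}}]},
        {"Name": "glibc", "NamespaceName": "debian:8", "Version": "2.19-18",
         "Vulnerabilities": [{"Name": "CVE-EXAMPLE-0002", "Severity": "Critical",
                              "FixedBy": "2.19-18+deb8u1",
                              "Metadata": {"NVD": {"CVSSv2": {"Score": 10.0}}}}]},
        {"Name": "bash", "NamespaceName": "debian:8", "Version": "4.3-11",
         "Vulnerabilities": [{"Name": "CVE-EXAMPLE-0003", "Severity": "Medium",
                              "FixedBy": ""}]},          # no fixed version published yet
        {"Name": "coreutils", "NamespaceName": "debian:8", "Version": "8.23-4"},
    ]}})


def summarise(response_json: str) -> dict:
    """Flatten Feature -> Vulnerability pairs into findings sorted by CVSS score
    (highest first, unscored last) and count how many already have a fix."""
    layer = json.loads(response_json)["Layer"]
    findings = []
    for feature in layer.get("Features", []):
        # Features with no "Vulnerabilities" key are clean packages; nothing to report.
        for vuln in feature.get("Vulnerabilities", []):
            score = vuln.get("Metadata", {}).get("NVD", {}).get("CVSSv2", {}).get("Score")
            findings.append({
                "package": feature["Name"], "installed": feature["Version"],
                "vulnerability": vuln["Name"], "severity": vuln["Severity"],
                "cvss": score,
                "fixed_by": vuln.get("FixedBy") or None,  # Clair uses "" when no fix exists
            })
    findings.sort(key=lambda f: (f["cvss"] is None, -(f["cvss"] or 0)))
    fixable = sum(1 for f in findings if f["fixed_by"])
    return {"total": len(findings), "fixable": fixable, "findings": findings}


if __name__ == "__main__":
    report = summarise(SAMPLE_RESPONSE)
    print(f'{report["fixable"]} of {report["total"]} findings fixable by upgrading:')
    for f in report["findings"]:
        print(f'  {f["package"]} {f["installed"]} {f["vulnerability"]} '
              f'cvss={f["cvss"]} fix={f["fixed_by"] or "none"}')
```

Pointing the same function at a real Clair response for each image layer turns the per-layer feature list into an upgrade worklist ordered by score.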