This article describes how to deploy Clair and scan images with clair-scanner.
Install: first fetch the required repository and images
# Clone the repo
git clone git@github.com:arminc/clair-scanner.git
# Build and install
cd clair-scanner
make build
make installLocal
# Run
./clair-scanner -h
If that fails, you can also pull the images yourself with the commands or URLs below
**https://hub.docker.com/r/arminc/clair-local-scan**
docker pull arminc/clair-local-scan
**https://hub.docker.com/r/arminc/clair-db**
docker pull arminc/clair-db
Build: compile clair-scanner and the dependencies Clair needs
make build
make cross
Run: start the Clair database and Clair containers
docker run -p 5432:5432 -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest
Usage: scan a container image with Clair (the general form, then a concrete invocation)
./clair-scanner --ip <IP> -r output.json <IMAGE>
./clair-scanner --ip 172.17.0.1 -r report.json redis:3.2
If you run into the following problem, fix it as described below
Problem: -bash: clair-scanner: command not found
Solution:
Step 1: Download the clair-scanner binary for your OS from the releases page: https://github.com/arminc/clair-scanner/releases
Step 2: Download the specific release into the clair-scanner directory: https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
chmod +x clair-scanner_linux_amd64
Step 3: Execute the following two commands:
docker run -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest
Step 4: Run the clair-scanner binary appropriate for your OS; for example, mine is:
./clair-scanner_linux_amd64 -w example-alpine.yaml --ip IP alpine:3.5
Whitelist:
clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5
Example whitelist YAML (indentation restored; keys are image names without a tag, values are CVE ids mapped to a free-text reason):
generalwhitelist: # Approve CVE for any image
  CVE-2017-6055: XML
  CVE-2017-5586: OpenText
images:
  ubuntu: # Approve CVE only for the ubuntu image, regardless of the version. If it is a private registry with a custom port (registry:777/ubuntu:tag) this won't work due to a bug.
    CVE-2017-5230: Java
    CVE-2017-5230: XSX
  alpine:
    CVE-2017-3261: SE
Help output
$ ./clair-scanner -h
Usage: clair-scanner [OPTIONS] IMAGE
Scan local Docker images for vulnerabilities with Clair
Arguments:
IMAGE="" Name of the Docker image to scan
Options:
-w, --whitelist="" Path to the whitelist file
-t, --threshold="Unknown" CVE severity threshold. Valid values; 'Defcon1', 'Critical', 'High', 'Medium', 'Low', 'Negligible', 'Unknown'
-c, --clair="http://127.0.0.1:6060" Clair URL
--ip="localhost" IP address where clair-scanner is running on
-l, --log="" Log to a file
--all, --reportAll=true Display all vulnerabilities, even if they are approved
-r, --report="" Report output file, as JSON
--exit-when-no-features=false Exit with status code 5 when no features are found for a particular image
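To see how the whitelist and the `-t` threshold from the help text combine into a pass/fail decision, here is an added example (not code from the post or from the clair-scanner project) that re-evaluates a report offline. It treats the post's whitelist YAML as an already-parsed dict, assumes the `vulnerabilities`/`vulnerability`/`severity` field names of report.json, and strips the image tag while keeping a `registry:port` prefix, which is the case the whitelist comment warns about.

```python
# Severity ladder from `clair-scanner -h`, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# The post's example whitelist YAML, already parsed into a dict (no PyYAML needed).
WHITELIST = {
    "generalwhitelist": {"CVE-2017-6055": "XML", "CVE-2017-5586": "OpenText"},
    "images": {"ubuntu": {"CVE-2017-5230": "Java"}, "alpine": {"CVE-2017-3261": "SE"}},
}

# Constructed findings in the shape clair-scanner writes to report.json (assumed field names).
REPORT = {
    "image": "alpine:3.5",
    "vulnerabilities": [
        {"vulnerability": "CVE-2017-3261", "featurename": "musl", "severity": "Medium"},
        {"vulnerability": "CVE-2017-6055", "featurename": "libxml2", "severity": "High"},
        {"vulnerability": "CVE-2018-0001", "featurename": "openssl", "severity": "High"},
        {"vulnerability": "CVE-2018-0002", "featurename": "busybox", "severity": "Low"},
    ],
}

def repository_name(image):
    """Strip the tag or digest but keep a registry host:port prefix:
    'registry:777/ubuntu:16.04' -> 'registry:777/ubuntu' (the case the whitelist comment warns about)."""
    head, sep, last = image.rpartition("/")
    last = last.split("@", 1)[0].split(":", 1)[0]  # drop '@sha256:...' first, then ':tag'
    return head + sep + last

def is_approved(cve, image, whitelist):
    """True if the CVE is approved globally or for this image, with or without its registry prefix."""
    if cve in whitelist.get("generalwhitelist", {}):
        return True
    repo = repository_name(image)
    images = whitelist.get("images", {})
    return any(cve in images.get(key, {}) for key in (repo, repo.rpartition("/")[2]))

def unapproved_cves(report, whitelist, threshold="Unknown"):
    """Sorted CVE ids at or above the severity threshold that the whitelist does not approve
    (clair-scanner fails the scan when this list is non-empty)."""
    floor = SEVERITY_ORDER.index(threshold)
    return sorted(
        v["vulnerability"]
        for v in report["vulnerabilities"]
        if SEVERITY_ORDER.index(v.get("severity", "Unknown")) >= floor
        and not is_approved(v["vulnerability"], report["image"], whitelist)
    )

if __name__ == "__main__":
    print(unapproved_cves(REPORT, WHITELIST))          # ['CVE-2018-0001', 'CVE-2018-0002']
    print(unapproved_cves(REPORT, WHITELIST, "High"))  # ['CVE-2018-0001']
```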
Results:
Links:
clair-scanner (official GitHub repository)
clair-local-scan (Docker Hub image)
clair-db (Docker Hub image)
Origin of the "clair-scanner: command not found" issue
clair-scanner_linux_amd64 (GitHub release binary)
Clair v4.0.2 (official GitHub repository)
If you have questions, leave a comment below.