Clair container image security scanning tool

This article covers deploying Clair through the arminc/clair-scanner wrapper and scanning local images with it.
Install: first obtain the required images and binaries

# Clone the repo
git clone git@github.com:arminc/clair-scanner.git
# Build and install 
cd clair-scanner
make build
make installLocal
# Run
./clair-scanner -h

If that fails, you can also pull the two images yourself with the commands or from the URLs below:

**https://hub.docker.com/r/arminc/clair-local-scan**
docker pull arminc/clair-local-scan
**https://hub.docker.com/r/arminc/clair-db**
docker pull arminc/clair-db

Build: compile the scanner (make build for this host, make cross for the other supported platforms)

make build
make cross

Run: start the Clair containers, the vulnerability database first and then Clair linked to it

docker run -p 5432:5432 -d --name db arminc/clair-db:latest
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest

Clair reaches the database over the --link, so publishing 5432 on the host is not needed for scanning and exposes the database to anything that can reach the host; drop -p 5432:5432 unless you need to query it directly.

Usage: scan an image with Clair

./clair-scanner --ip <host address reachable from the Clair container> -r output.json <image>
./clair-scanner --ip 172.17.0.1 -r report.json redis:3.2

--ip is the address on which clair-scanner serves the saved image layers for Clair to fetch, so it must be an address of this host that the Clair container can reach (on the default bridge network that is the docker0 gateway, 172.17.0.1), not 127.0.0.1. -r writes the findings as JSON; -t sets the severity at or above which unapproved findings fail the scan.

If you hit the following problem, fix it as described below.

Problem: -bash: clair-scanner: command not found
Solution:
Step 1: Download the clair-scanner binary for your OS from the releases page https://github.com/arminc/clair-scanner/releases
Step 2: Download the specific version into the clair-scanner directory, e.g. https://github.com/arminc/clair-scanner/releases/download/v12/clair-scanner_linux_amd64
		chmod +x clair-scanner_linux_amd64
	(the executable bit is all that is needed; 777 would make the scanner binary world-writable)
Step 3: Execute the following two commands:
		docker run -d --name db arminc/clair-db:latest
		docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:latest
Step 4: Run the clair-scanner binary for your OS, replacing IP with an address of this host that the Clair container can reach; on linux/amd64 for example:
./clair-scanner_linux_amd64 -w example-alpine.yaml --ip IP alpine:3.5

Whitelist:

clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5

Whitelist YAML example (the value after each CVE is a free-text justification; list each CVE once). Entries under generalwhitelist suppress a CVE for every image scanned, so prefer the per-image list where you can:

generalwhitelist: #Approve CVE for any image
  CVE-2017-6055: XML
  CVE-2017-5586: OpenText
images:
  ubuntu: #Approve CVE only for ubuntu image, regardless of the version. If it is a private registry with a custom port registry:777/ubuntu:tag this won't work due to a bug.
    CVE-2017-5230: Java
  alpine:
    CVE-2017-3261: SE
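The scan step and the whitelist above together decide which findings fail a build: findings at or above the -t threshold that are not approved for the image. As an added example (not code from this page or from arminc/clair-scanner), the Python below re-implements that decision offline over a report.json, so it can serve as a CI gate or as a way to check a whitelist before handing it to the scanner. It parses the two-level whitelist format shown above without PyYAML and normalises the image name so that the registry-with-port form the comment warns about still matches. Assumptions, not confirmed by the page: the report field names (image, vulnerabilities[].vulnerability, severity, featurename, featureversion, fixedby), the severity order taken from the -t help text, exit code 1 when unapproved findings remain, and the placeholder feature names and CVE-2099-0001 id in the constructed sample report.

```python
"""Offline gate over a clair-scanner report.json using the whitelist format
shown on this page. Added example, not code from arminc/clair-scanner.
Assumed (not confirmed by the page): report field names, severity order as
listed for -t, whitelist applied by CVE id, exit code 1 when findings remain."""
import json

# Lowest to highest, in the order the -t help text lists them.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# The page's whitelist, each CVE listed once; the value is a free-text justification.
WHITELIST = """\
generalwhitelist: #Approve CVE for any image
  CVE-2017-6055: XML
  CVE-2017-5586: OpenText
images:
  ubuntu: #Approve CVE only for ubuntu image, regardless of the version
    CVE-2017-5230: Java
  alpine:
    CVE-2017-3261: SE
"""


def sample_report(image="alpine:3.5"):
    """Constructed report in the shape -r writes; feature names and CVE-2099-0001 are
    placeholders, the other ids come from the whitelist above."""
    rows = [("libfoo", "1.0-r0", "CVE-2017-3261", "High", "1.0-r1"),
            ("libbar", "2.1-r3", "CVE-2017-6055", "Critical", ""),
            ("libbaz", "0.9-r2", "CVE-2017-5230", "Medium", "0.9-r4"),
            ("libqux", "3.0-r0", "CVE-2099-0001", "Low", "")]
    return json.dumps({"image": image, "unapproved": [], "vulnerabilities": [
        {"featurename": f, "featureversion": fv, "vulnerability": cve,
         "severity": sev, "fixedby": fix} for f, fv, cve, sev, fix in rows]})


def parse_whitelist(text):
    """Parse the two-level whitelist YAML without PyYAML.
    Returns (general {cve: note}, images {name: {cve: note}}); notes must not contain '#'."""
    general, images = {}, {}
    section = image = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section, image = key, None
        elif section == "generalwhitelist" and indent == 2:
            general[key] = value
        elif section == "images" and indent == 2:
            image = key
            images.setdefault(image, {})
        elif section == "images" and indent == 4 and image:
            images[image][key] = value
        else:
            raise ValueError(f"unexpected whitelist line: {raw!r}")
    return general, images


def repo_name(image):
    """Image name as the whitelist keys it: registry host[:port], tag and digest removed,
    so 'ubuntu:16.04', 'registry:777/ubuntu:tag' and 'ubuntu@sha256:..' all map to
    'ubuntu' (the page notes the tool itself trips on the port form)."""
    parts = image.split("@", 1)[0].split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]                             # drop the registry host
    name = "/".join(parts)
    colon = name.rfind(":")
    return name[:colon] if colon > name.rfind("/") else name   # ':' after last '/' is a tag


def unapproved(report, threshold, general, images):
    """CVE ids at or above `threshold` that are not whitelisted for this image."""
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown threshold {threshold!r}")
    floor = SEVERITIES.index(threshold)
    allowed = {**general, **images.get(repo_name(report["image"]), {})}
    bad = set()
    for v in report["vulnerabilities"]:
        sev = v.get("severity", "Unknown")
        rank = SEVERITIES.index(sev) if sev in SEVERITIES else 0   # unrecognised -> lowest
        if rank >= floor and v["vulnerability"] not in allowed:
            bad.add(v["vulnerability"])
    return sorted(bad)


def gate(report_json, whitelist_text, threshold="Unknown"):
    """Return (exit code, unapproved ids): 0 when clean, 1 otherwise."""
    general, images = parse_whitelist(whitelist_text)
    bad = unapproved(json.loads(report_json), threshold, general, images)
    return (1 if bad else 0), bad


if __name__ == "__main__":
    for t in ("Unknown", "Medium", "High"):
        print(t, gate(sample_report(), WHITELIST, t))
```

Run against a real report with gate(open("report.json").read(), open("whitelist.yaml").read(), "High") and fail the pipeline on a non-zero first element; the unrecognised-severity fallback is deliberate, since an unknown severity string should never silently pass a gate set to Unknown.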

Help output

$ ./clair-scanner -h

Usage: clair-scanner [OPTIONS] IMAGE

Scan local Docker images for vulnerabilities with Clair

Arguments:
  IMAGE=""     Name of the Docker image to scan

Options:
  -w, --whitelist=""                    Path to the whitelist file
  -t, --threshold="Unknown"             CVE severity threshold. Valid values; 'Defcon1', 'Critical', 'High', 'Medium', 'Low', 'Negligible', 'Unknown'
  -c, --clair="http://127.0.0.1:6060"   Clair URL
  --ip="localhost"                      IP address where clair-scanner is running on
  -l, --log=""                          Log to a file
  --all, --reportAll=true               Display all vulnerabilities, even if they are approved
  -r, --report=""                       Report output file, as JSON
  --exit-when-no-features=false         Exit with status code 5 when no features are found for a particular image

Links:
clair-scanner (official GitHub repository)
clair-local-scan (Docker Hub image)
clair-db (Docker Hub image)
"clair-scanner: command not found" issue thread
clair-scanner_linux_amd64 (GitHub release binary)
Clair v4.0.2 (official GitHub release)

If you have questions, leave a comment below.
