Published on April 4th, 2016 | by NJ Ouchn
Clair – Image Containers Security Analyzer by CoreOS
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project.
Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.
Clair 1.0 introduces new details for each detected vulnerability including:
- Name and version of the source package of the vulnerability, called a Feature in Clair.
- The feature version(s) that fix the vulnerability, if they exist.
- Metadata such as the Common Vulnerability Scoring System (CVSS). When available, CVSS metadata provides the fundamental characteristics of the vulnerability such as means of access, whether authentication is required, and the impacts to confidentiality, integrity, or availability.
- The specific layer in the image that introduces the vulnerability, flagged to make applying patches even easier.
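The following is an added example, not code from the original post or from the Clair project, showing how a consumer of such a report could use the details listed above: it decodes a CVSS v2 vector into access, authentication and impact characteristics, then groups findings by the layer that introduced them and separates those with a fixing version from those without. The record layout and field names (`Name`, `Version`, `AddedBy`, `FixedBy`, `CVSSv2`) and all sample values are assumptions constructed for illustration; check them against the API of the Clair version you run.

```python
"""Triage a Clair-style report: decode CVSS v2 vectors, group findings by layer."""
from collections import defaultdict

# CVSS v2 base-vector abbreviations, as defined by the CVSS v2 specification.
CVSS2 = {
    "AV": ("access", {"L": "local", "A": "adjacent network", "N": "network"}),
    "AC": ("complexity", {"H": "high", "M": "medium", "L": "low"}),
    "Au": ("authentication", {"M": "multiple", "S": "single", "N": "none"}),
    "C": ("confidentiality", {"N": "none", "P": "partial", "C": "complete"}),
    "I": ("integrity", {"N": "none", "P": "partial", "C": "complete"}),
    "A": ("availability", {"N": "none", "P": "partial", "C": "complete"}),
}

def decode_cvss2(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into readable characteristics."""
    out = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in CVSS2 or value not in CVSS2[metric][1]:
            raise ValueError(f"bad CVSS v2 component: {part!r}")
        out[CVSS2[metric][0]] = CVSS2[metric][1][value]
    return out

def triage(features):
    """Group findings by introducing layer; split fixable from unfixed."""
    by_layer = defaultdict(lambda: {"fixable": [], "unfixed": []})
    for feat in features:
        for vuln in feat.get("Vulnerabilities", []):
            vector = vuln.get("CVSSv2")  # CVSS metadata is not always available
            finding = {
                "vuln": vuln["Name"],
                "feature": f'{feat["Name"]} {feat["Version"]}',
                "fixed_by": vuln.get("FixedBy"),  # absent when no fix exists
                "cvss": decode_cvss2(vector) if vector else None,
            }
            bucket = "fixable" if finding["fixed_by"] else "unfixed"
            by_layer[feat["AddedBy"]][bucket].append(finding)
    return dict(by_layer)

# Constructed sample report (hypothetical packages, layers and identifiers).
SAMPLE = [
    {"Name": "examplelib", "Version": "1.0.1-1", "AddedBy": "layer-base",
     "Vulnerabilities": [
         {"Name": "EXAMPLE-VULN-1", "FixedBy": "1.0.1-2",
          "CVSSv2": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
         {"Name": "EXAMPLE-VULN-2"}]},
    {"Name": "exampletool", "Version": "2.3", "AddedBy": "layer-app",
     "Vulnerabilities": [{"Name": "EXAMPLE-VULN-3", "FixedBy": "2.4",
                          "CVSSv2": "AV:L/AC:M/Au:S/C:N/I:N/A:C"}]},
]
print({k: {b: len(v) for b, v in g.items()} for k, g in triage(SAMPLE).items()})
```

Grouping by introducing layer shows whether a fix means rebuilding on a patched base image or changing the application's own layers.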