Clair container scan

Overview

Automatically scan a particular local docker image or all local docker containers with Clair Vulnerability Scanner using Clair-Scanner and clair-local-scan.

Prerequisites

  • docker (1.12 or newer)
  • docker-compose (1.9.0 or newer)

Quick start

Scan all local containers

To get JSON output of the Clair scan of all running containers on standard out, just run:

./clair-container-scan.sh -p

The output will be empty and the return code will be zero if no CVE was found. If there are findings, the output lists the details as JSON.

You should always add the -p flag to get the latest CVE database version. You can use the -v flag for verbose output when troubleshooting a problem.

Scan a particular local image

To scan one particular local image, just specify the image name as a parameter:

# To scan alpine:3.4 run:
./clair-container-scan.sh -p alpine:3.4

The output will be empty and the return code will be zero if no CVE was found. If there are findings, the output lists the details as JSON.

Integration in CI/CD

The easiest (but not the most secure) way to integrate this into your CI/CD tool is to run the following one-liner (replace alpine:3.4 with the image you want to scan):

# to scan alpine:3.4 again
curl -s https://raw.githubusercontent.com/usr42/clair-container-scan/master/clair-container-scan.sh | sh -s -- alpine:3.4

WARNING: You should never pipe a remote script directly into a shell unless you completely trust the source and the integrity of the file you are about to execute. Usually it is better to download the file, validate its contents, and run your local, validated copy.
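One way to follow that advice in a CI job, as an added example that is not part of the clair-container-scan project: download the script once, pin its SHA-256 after reviewing it, and refuse to run a local copy whose digest differs. The pinned digest is a placeholder, and the helper names sha256_of, verify_script and scan_image are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the clair-container-scan project.
# Keep a reviewed copy of clair-container-scan.sh in the repository (or fetch it
# once from SCRIPT_URL), pin its digest, and only run the copy that matches.
set -eu

SCRIPT_URL="https://raw.githubusercontent.com/usr42/clair-container-scan/master/clair-container-scan.sh"
# Placeholder: replace with the digest of the script version you actually reviewed.
PINNED_SHA256="<sha256-of-the-reviewed-script>"

# sha256_of FILE -> prints the hex digest (GNU sha256sum or BSD/macOS shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_HEX -> exit status 0 if the digest matches, 1 otherwise
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# scan_image IMAGE -> runs the verified local copy with -p (fresh CVE database).
# The scanner's own exit status is returned: zero with empty output means no CVE
# was found, so a non-zero status fails the CI step. Findings are written as JSON
# to a file that can be kept as a build artifact.
scan_image() {
  image="$1"
  script="./clair-container-scan.sh"
  if ! verify_script "$script" "$PINNED_SHA256"; then
    echo "checksum mismatch for $script; refusing to run it" >&2
    return 2
  fi
  out="clair-$(printf '%s' "$image" | tr '/:' '__').json"
  sh "$script" -p "$image" > "$out"
}

# Usage from a CI job: ./ci-scan.sh alpine:3.4
if [ $# -gt 0 ]; then
  scan_image "$1"
fi
```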

Credits