Clair 1.0 Brings Advances in Container Security
CoreOS pushes the open-source container security project to the 1.0 milestone and production stability.

As container use grows, there is an increasing need to understand, from a security perspective, what is actually running in a container. That's the goal of CoreOS' Clair container security project, which officially hits the 1.0 milestone today, in an effort to help organizations validate container application security.

Clair was first announced in November 2015 as an open-source effort to identify vulnerable components inside containers. Container applications can integrate any number of different components, any of which may carry known vulnerabilities.

"Our authoritative sources for data are currently upstream operating system vendors and the National Vulnerability Database," Jake Moshenko, product manager at CoreOS, told eWEEK. "We rely on the operating system vendors to provide the lists of affected packages as well as inform us of when they are fixed."

Clair's upstream sources of information are also what allow the project to retroactively and immediately identify when old images are found susceptible to new vulnerabilities, Moshenko said. "Clair provides the information about any known vulnerability in container images that users may not otherwise know about. We have additional actionable information in our new APIs that tells developers exactly which of their packages contain vulnerabilities, and which vulnerabilities will be fixed by upgrading to the latest version."
In terms of rebuilding a container image after a vulnerable component is found, Clair itself doesn't actually change any user image. That said, Moshenko noted that by using the webhook notifications that come from Clair or from CoreOS' Quay repository technology, a user could choose to kick off a workflow to automatically update and rebuild their images.
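As an added example (not code from the article, from CoreOS or from the Clair project), the following Python shows the kind of triage a webhook receiver would perform between the two steps the article describes: Clair reports which packages in an image are vulnerable and which findings an upgrade would fix, and a user-run workflow decides whether to rebuild. The report shape is modelled loosely on Clair's v1 per-layer API response; its field names (Features, Vulnerabilities, FixedBy, Severity), the severity ordering and every version, digest and CVE value in the sample are assumptions or constructed placeholders, not real scan output.

```python
"""Triage a Clair-style vulnerability report and decide whether to rebuild an image.

Constructed example. The report shape is an assumption modelled on Clair's v1
per-layer response (a Layer with Features, each carrying Vulnerabilities that
may name a FixedBy version); field names are not taken from project docs.
"""
import json

# Assumed ordering of Clair severity strings, lowest to highest.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report; digests, versions and CVE ids are placeholders.
SAMPLE_REPORT = {
    "Layer": {
        "Name": "sha256:constructed-layer-digest",
        "NamespaceName": "debian:8",
        "Features": [
            {
                "Name": "openssl",
                "Version": "1.0.1k-3",
                "Vulnerabilities": [
                    {"Name": "CVE-PLACEHOLDER-0001", "Severity": "High", "FixedBy": "1.0.1k-4"},
                    {"Name": "CVE-PLACEHOLDER-0002", "Severity": "Low", "FixedBy": "1.0.1k-5"},
                ],
            },
            {
                "Name": "bash",
                "Version": "4.3-11",
                # No FixedBy: the upstream vendor has not shipped a fix yet.
                "Vulnerabilities": [{"Name": "CVE-PLACEHOLDER-0003", "Severity": "Medium"}],
            },
            # A clean package carries no Vulnerabilities key at all.
            {"Name": "zlib", "Version": "1.2.8-1"},
        ],
    }
}


def triage(report):
    """Group findings per package into 'fixable' (an upgrade exists) and 'unfixed'.

    Returns {package: {"version": str,
                       "fixable": [(cve, severity, fixed_by)],
                       "unfixed": [(cve, severity)]}}; clean packages are omitted.
    """
    result = {}
    for feature in report["Layer"].get("Features", []):
        vulns = feature.get("Vulnerabilities") or []
        if not vulns:
            continue
        entry = {"version": feature["Version"], "fixable": [], "unfixed": []}
        for vuln in vulns:
            severity = vuln.get("Severity", "Unknown")
            if vuln.get("FixedBy"):
                entry["fixable"].append((vuln["Name"], severity, vuln["FixedBy"]))
            else:
                entry["unfixed"].append((vuln["Name"], severity))
        result[feature["Name"]] = entry
    return result


def packages_to_upgrade(triaged, min_severity="Medium"):
    """Packages with at least one fixable finding at or above min_severity, sorted.

    Unfixed findings never trigger a rebuild on their own: rebuilding would
    reinstall the same vulnerable version, so they are reported separately.
    """
    threshold = SEVERITY_RANK[min_severity]
    return sorted(
        pkg
        for pkg, entry in triaged.items()
        if any(SEVERITY_RANK.get(sev, 0) >= threshold for _, sev, _ in entry["fixable"])
    )


def handle_notification(report, min_severity="Medium"):
    """Decision a webhook-driven workflow would make after fetching the report."""
    triaged = triage(report)
    upgrade = packages_to_upgrade(triaged, min_severity)
    unfixed = {pkg: [cve for cve, _ in e["unfixed"]] for pkg, e in triaged.items() if e["unfixed"]}
    return {"rebuild": bool(upgrade), "upgrade": upgrade, "unfixed": unfixed}


if __name__ == "__main__":
    print(json.dumps(handle_notification(SAMPLE_REPORT), indent=2))
```

Running the module on the constructed report yields a rebuild decision for openssl (a High finding with a FixedBy version) while bash is listed under unfixed, which is the distinction the article's "which vulnerabilities will be fixed by upgrading" makes; the severity threshold is a policy knob the workflow owner sets, not something Clair decides.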