As container use grows, there is an increasing need to understand from a security perspective what is actually running in a container. That’s the goal of CoreOS’ Clair container security project, which officially hits the 1.0 milestone today, in an effort to help organizations validate container application security.
Clair was first announced in November 2015 as an open-source effort to identify vulnerable components inside containers. Container applications can integrate any number of different components that could potentially include known vulnerabilities.
“Our authoritative sources for data are currently upstream operating system vendors and the National Vulnerability Database,” Jake Moshenko, product manager at CoreOS, told eWEEK. “We rely on the operating system vendors to provide the lists of affected packages as well as inform us of when they are fixed.”
Clair’s upstream sources of information are also what allow the project to retroactively and immediately identify when old images are found susceptible to new vulnerabilities, Moshenko said. “Clair provides the information about any known vulnerability in container images that users may not otherwise know about. We have additional actionable information in our new APIs that tells developers exactly which of their packages contain vulnerabilities, and which vulnerabilities will be fixed by upgrading to the latest version.”
In terms of rebuilding a container image after a vulnerable component is found, Clair itself doesn’t actually change any user image. That said, Moshenko noted that by using the webhook notifications that come from Clair or from CoreOS’ Quay repository technology, a user could choose to kick off a workflow to automatically update and rebuild their images.
While Clair started out as a CoreOS project, it is an open-source effort, and in the last several months, it has benefited from multiple external contributions.
“Of the 15 contributors to the github.com/coreos/clair repository, only four are paid CoreOS devs,” Moshenko said.
With the 1.0 release of Clair, the project has also added new extensibility through subsystem components. Moshenko explained that the subsystems provide extension points in the software.
“Anyone who uses Clair is free to add their own sources of truth or indexing strategies,” Moshenko said. “As an example, a large company that tracks its own security vulnerabilities and defects could write their own detectors and fetchers to plug into their infrastructure.”
There are now multiple efforts in the market to help improve container security and detect potential vulnerabilities present in container applications. Docker Inc. announced its Nautilus security effort in November 2015 to help identify vulnerable containers. Linux vendor Red Hat has partnered with Black Duck Software to build Deep Container Inspection to find potential vulnerabilities.
Since Clair is open source, it can be deployed on premises, Moshenko said. Clair also indexes everything it scans up-front and is able to find and notify users about problems without re-running or re-analyzing images.
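The two properties described above, a one-time index of each image's packages and retroactive matching of newly published advisories against that index, together with the per-package "fixed in" detail mentioned earlier, can be sketched in a few dozen lines. The following Go program is an added illustration written for this article, not Clair's own code or API: the image names, package versions and the advisory identifiers (`EXAMPLE-VULN-*`) are constructed sample values, and `compareVersions` is a deliberately simplified stand-in for the distribution-specific dpkg/rpm version ordering a real scanner must use.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Feature is one installed package found in an image (Clair's term is "feature").
// Namespace is the OS the package belongs to, e.g. "debian:8" (constructed values below).
type Feature struct{ Namespace, Name, Version string }

// Vulnerability is one advisory as a vendor feed would deliver it; FixedIn is
// empty when no fixed version is known yet.
type Vulnerability struct{ Name, Namespace, Package, FixedIn string }

// Finding is the actionable part of a notification: affected image and package,
// plus the version that fixes it (empty when unfixed).
type Finding struct{ Image, Vulnerability, Package, InstalledVersion, FixedIn string }

type pkgKey struct{ namespace, name string }

// Index keeps each image's feature list plus an inverted index from
// (namespace, package) to images, so new advisories never re-read image contents.
type Index struct {
	images map[string][]Feature
	byPkg  map[pkgKey][]string
}

func NewIndex() *Index {
	return &Index{images: map[string][]Feature{}, byPkg: map[pkgKey][]string{}}
}

// AddImage records the packages extracted from an image: the one step that
// examines the image itself.
func (ix *Index) AddImage(id string, feats []Feature) {
	ix.images[id] = feats
	for _, f := range feats {
		k := pkgKey{f.Namespace, f.Name}
		ix.byPkg[k] = append(ix.byPkg[k], id)
	}
}

// IngestVulnerability matches a newly published advisory against the stored
// index and returns one Finding per affected package in each image.
func (ix *Index) IngestVulnerability(v Vulnerability) []Finding {
	var out []Finding
	for _, id := range ix.byPkg[pkgKey{v.Namespace, v.Package}] {
		for _, f := range ix.images[id] {
			if f.Namespace != v.Namespace || f.Name != v.Package {
				continue
			}
			// Affected when no fix exists yet or the installed version predates the fix.
			if v.FixedIn == "" || compareVersions(f.Version, v.FixedIn) < 0 {
				out = append(out, Finding{id, v.Name, f.Name, f.Version, v.FixedIn})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Image < out[j].Image })
	return out
}

// compareVersions is a simplified comparator (negative, zero or positive):
// segments split on '.', '-' and '+' compare numerically when both are numbers,
// lexically otherwise. A real scanner must apply dpkg/rpm ordering rules.
func compareVersions(a, b string) int {
	sep := func(r rune) bool { return r == '.' || r == '-' || r == '+' }
	pa, pb := strings.FieldsFunc(a, sep), strings.FieldsFunc(b, sep)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := "", ""
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		c := strings.Compare(x, y)
		if nx, errX := strconv.Atoi(x); errX == nil {
			if ny, errY := strconv.Atoi(y); errY == nil {
				c = nx - ny
			}
		}
		if c != 0 {
			return c
		}
	}
	return 0
}

// SampleIndex indexes constructed image contents (not real images).
func SampleIndex() *Index {
	ix := NewIndex()
	ix.AddImage("app:1", []Feature{{"debian:8", "openssl", "1.0.1k-3"}, {"debian:8", "bash", "4.3-11"}})
	ix.AddImage("app:2", []Feature{{"debian:8", "openssl", "1.0.2h-1"}})
	ix.AddImage("api:5", []Feature{{"ubuntu:16.04", "openssl", "1.0.2g-1ubuntu4"}})
	return ix
}

func main() {
	// A constructed advisory that arrives after the images were indexed.
	adv := Vulnerability{"EXAMPLE-VULN-1", "debian:8", "openssl", "1.0.2h-1"}
	for _, f := range SampleIndex().IngestVulnerability(adv) {
		fmt.Printf("%s: %s affects %s %s, fixed in %s\n", f.Image, f.Vulnerability, f.Package, f.InstalledVersion, f.FixedIn)
	}
}
```

Running it reports only `app:1`: `app:2` already carries the fixed version and `api:5` sits in a different OS namespace, which is why namespace-aware matching matters. The returned `Finding` values are the payload a webhook would carry to a rebuild pipeline, and an advisory with an empty `FixedIn` still produces a finding, so that unfixed issues are surfaced rather than silently skipped.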
There are a number of items on the list for Clair’s future development. “We plan to work with smaller operating system vendors to try to get machine readable sources for their vulnerability data,” Moshenko said. “We are also planning built-in support for container images to self-report their software features and vulnerability data without relying on the operating system vendor directly.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.