CoreOS Builds Open-Source Clair to Improve Container Security

Most users don't know if there are vulnerable components inside of containers; Clair will help solve part of that challenge.

container security

Containers offer users a new more optimized way to run virtualized applications at scale, but what about security? Any user can pull down a container application from an image repository without knowing if the application is safe. A new open-source project from CoreOS called Clair is aiming to solve part of the challenge by providing a security system that scans containers' images for known vulnerabilities.

As it turns out, vulnerabilities in container images are widespread, at least according to one measure.

"Using Clair, we scanned millions of images currently in our registry and found an astonishingly large number of images contained older versions of packages such as OpenSSL that contain critical vulnerabilities," Joseph Schorr, lead software engineer for Quay at CoreOS, told eWEEK.

Quay, which CoreOS acquired in August 2014 and has been building out ever since, provides a private Docker container repository service. CoreOS is one of the leading vendors in the emerging container ecosystem, supporting both Docker and its own Rocket container technology. It is also a founding member of the Open Container Initiative.

While the new Clair open-source project is able to detect known vulnerabilities, it cannot detect zero-day issues. Clair does not perform an active analysis of code, Schorr said.

"We believe Clair is a single but important piece of the overall security strategy for containers, and we hope to address these other issues in the future," he said.

The way Clair works is it first scans the application container packages and the operating system metadata in each layer, Schorr said. It then compares the versions of those packages against the known Common Vulnerabilities and Exposures (CVE) vulnerability databases of the Linux distributions that are currently supported, which include Red Hat, Debian and Ubuntu.

"All the data is represented in a graph database [Cayley] and is updated automatically as new CVE information becomes available," Schorr said.

Container use is growing, and there are multiple efforts in the industry to help secure containers. Earlier this week, Twistlock announced the general availability of its technology for helping to limit risks from malicious containers. Twistlock's technology, however, is currently closed-source.

"The open nature of Clair means it is a central source for determining the vulnerabilities of a container," Schorr said. "We want to actively work with the community to contribute additional sources."

As an open-source technology, Clair can also potentially be used to help users secure themselves against risks from the public Docker Hub repository of container images.

"Since Clair is open-source, it is certainly possible for any individual or organization to run their own instance and, via Docker Hub's webhooks, have it scan images automatically for their repositories," Schorr said.

While CoreOS also has commercial offerings, Schorr emphasized that Clair itself will remain open-source and free.

"The primary integration of Clair is in our container registry product Quay, where it will be available for all repositories, both in our hosted option [] and soon in our enterprise option [Quay Enterprise]," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.