Meet Clair, open source vulnerability analysis on containers

DockerCon Barcelona has lots of buzz coming out of it, and we will be covering all of the action here this week. We wanted to lead off with a story that actually broke this past Friday from the CoreOS team. They have released a new open source tool called Clair, which performs vulnerability analysis on containers. As part of CoreOS's Quay registry, your container images can be automatically scanned for vulnerabilities.

I had a chance to speak with Joey Schorr from CoreOS, one of the engineers behind Clair. Calling it vulnerability analysis rather than scanning per se is actually much more accurate. Unlike vulnerability scanning of traditional servers and infrastructure, Clair does not probe a running system; it looks at the image itself, its manifest, its layers and the package indexes they contain, and works out which packages or components are at versions with known vulnerabilities. If out-of-date packages or components are found, Clair and Quay can notify you. One consequence of this package-based approach is that it only sees what the distribution's package manager recorded; software built from source or vendored into an application will not show up.

Schorr told me they purposefully did not build in patching or other remediation beyond notification. That seems like something a third party may want to build on top of the APIs built into Clair.
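To make concrete what the package-based analysis described above involves, here is an added example (not Clair's code, and not CoreOS's) of the three steps the last two paragraphs outline: pull the installed-package list out of an image layer's dpkg status file, order versions the way dpkg does, and report every package that sits below the fixed version in a vulnerability feed. The status fragment, the feed entries and their EXAMPLE-* identifiers are constructed for this example and are not real advisories; the version-ordering rules follow dpkg's algorithm, including epochs and the "~" pre-release marker, which is where naive string comparison goes wrong. As in Clair, it stops at reporting and leaves remediation to whatever consumes the result.

```python
import re

# Added example, not Clair's code. Constructed input: a fragment of an image
# layer's /var/lib/dpkg/status and a feed whose EXAMPLE-* IDs are placeholders.
SAMPLE_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1e-2+deb7u17

Package: bash
Status: install ok installed
Version: 4.2+dfsg-0.1+deb7u3

Package: libc6
Status: deinstall ok config-files
Version: 2.13-38+deb7u8
"""

SAMPLE_FEED = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.0.1e-2+deb7u18"},  # u17 < u18
    {"id": "EXAMPLE-0002", "package": "bash", "fixed_in": "4.2+dfsg-0.1+deb7u3"},  # already fixed
    {"id": "EXAMPLE-0003", "package": "libc6", "fixed_in": "2.13-38+deb7u9"},      # not installed
    {"id": "EXAMPLE-0004", "package": "openssl", "fixed_in": ""},                  # no fix yet
]


def parse_dpkg_status(status):
    """Map installed package name -> version from dpkg status text.
    Stanzas whose Status does not end in "installed" (e.g. only config files left) are skipped."""
    installed = {}
    for stanza in status.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed") and "Version" in fields:
            installed[fields["Package"]] = fields["Version"]
    return installed


def _order(c):
    """dpkg's collation weight for one character of a version part: '~' sorts
    before everything, even the end of the string; letters before punctuation."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream or revision part the way dpkg does: alternating runs
    of non-digits (character by character under _order) and digits (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        ma, mb = re.match(r"\d*", a[i:]), re.match(r"\d*", b[j:])
        i, j = i + ma.end(), j + mb.end()
        na, nb = ma.group().lstrip("0"), mb.group().lstrip("0")
        if len(na) != len(nb):  # after dropping leading zeros, more digits wins
            return len(na) - len(nb)
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a, b):
    """Order two Debian versions like `dpkg --compare-versions`: by epoch, then
    upstream, then revision. Negative if a < b, 0 if equal, positive if a > b."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")  # revision follows the last '-'
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def find_vulnerable(installed, feed):
    """Return feed entries whose package is installed below the fixed version or
    has no fix yet, tagged with the installed version. Reporting only, no patching."""
    findings = []
    for entry in feed:
        version = installed.get(entry["package"])
        if version is None:
            continue
        if entry["fixed_in"] == "" or compare_versions(version, entry["fixed_in"]) < 0:
            findings.append(dict(entry, installed=version))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(parse_dpkg_status(SAMPLE_STATUS), SAMPLE_FEED):
        print(f"{f['id']}: {f['package']} {f['installed']} (fixed in {f['fixed_in'] or 'no fix yet'})")
```

Run as-is it reports EXAMPLE-0001 (openssl is one Debian revision behind the fix) and EXAMPLE-0004 (no fix available), while bash at exactly the fixed version and the libc6 stanza that only left config files behind are correctly left out. The comparison helper is the piece worth keeping: "1.0~rc1" ordering below "1.0" and "1.10" above "1.9" are exactly the cases a plain string compare gets wrong, and a notifier built on such a mistake would either miss a missing fix or cry wolf on a patched image.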

The slide deck below gives more detail on Clair and Quay's new service:

Identifying Common Vulnerabilities and Exposures in Containers (PPTX): https://containerjournal.com/wp-content/uploads/2015/11/Identifying-Common-Vulnerabilities-and-Exposures-in-Containers-Final.pptx

It is good to see CoreOS and other container vendors hitting the container security question head on. This reminds me of the early years of the VMware era, when many were questioning the security of hypervisors and the result was an explosion of hypervisor/VM security tools. Some of these were acquired by VMware directly; others formed a vibrant ecosystem. I suspect a similar path will be forged here.

Stay tuned for more DockerCon 15 news this week.


Alan Shimel

As Editor-in-chief of DevOps.com and Container Journal, Alan Shimel is attuned to the world of technology. Alan has founded and helped several technology ventures, including StillSecure, where he guided the company in bringing innovative and effective networking and security solutions to the marketplace. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events. In addition to his writing on DevOps.com and Network World, his commentary about the state of technology is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
