Deployment-ready docker configuration and instructions to use Quay Clair on your infrastructure and CIs
🌟 If this repo helped you, please leave a star!
😃 Suggestions and feedback are highly appreciated
Run the following command, then wait about 5 minutes while Clair indexes all CVEs.

```bash
docker-compose up -d
```

Use the utility container I've provided to easily scan an image, including one from a private registry.
1. Check the env variables of `scan.docker-compose.yml`
2. Run the scan!

   ```bash
   docker-compose -f scan.docker-compose.yml up
   ```

You can try this vulnerable image: `quay.io/noseka1/deep-dive-into-clair`
1. Build the scan image and tag it

   ```bash
   docker build ./scan -t ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0
   ```

2. Push the image to your registry
3. Adapt the following command to your CI

   ```bash
   docker run --rm \
     -e IMAGE_NAME="node:10-alpine" \
     -e CLAIR_ENDPOINT="http://172.17.0.1:6060" \
     -e REGISTRY_ENDPOINT="" \
     -e REGISTRY_USERNAME="" \
     -e REGISTRY_PASSWORD="" \
     --privileged --network="host" \
     -it ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0
   echo "Exit code : $?"
   ```
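As an added example (not code from this repository), a CI gate script built around the `docker run` command above: it scans every image passed on the command line with the utility container, logs PASS/FAIL per image, and returns the number of failed scans so the job fails when any image fails. `DOCKER_BIN` is an assumption of this example, an override that lets a stub stand in for the Docker CLI; `-it` is dropped because CI jobs usually have no TTY.

```bash
#!/usr/bin/env bash
# Added example, not part of the clair-docker repository: a CI gate around the
# quay-clair-scan utility container. Scans each image given on the command line
# and fails the job if any scan exits non-zero.
set -u

CLAIR_ENDPOINT="${CLAIR_ENDPOINT:-http://172.17.0.1:6060}"
SCAN_IMAGE="${SCAN_IMAGE:-ghcr.io/flavienbwk/clair-docker/quay-clair-scan:v4.3.0}"
# DOCKER_BIN is an assumption of this example: it lets a stub stand in for the
# Docker CLI so the gate logic can be exercised without a Docker daemon.
DOCKER_BIN="${DOCKER_BIN:-docker}"

# Run one scan; returns the scanner's exit code (0 means the image passed).
# --privileged and --network=host mirror the README's command; they give the
# scan container broad access to the host, so keep this on a dedicated runner.
# No -it: CI jobs usually have no TTY attached.
scan_image() {
  image="$1"
  "$DOCKER_BIN" run --rm \
    -e IMAGE_NAME="$image" \
    -e CLAIR_ENDPOINT="$CLAIR_ENDPOINT" \
    -e REGISTRY_ENDPOINT="${REGISTRY_ENDPOINT:-}" \
    -e REGISTRY_USERNAME="${REGISTRY_USERNAME:-}" \
    -e REGISTRY_PASSWORD="${REGISTRY_PASSWORD:-}" \
    --privileged --network=host \
    "$SCAN_IMAGE"
}

# Scan every image in turn (no early exit, so the log covers all of them) and
# return the number of failed scans: non-zero means the CI job must fail.
scan_all() {
  failed=0
  for image in "$@"; do
    if scan_image "$image"; then
      echo "PASS $image"
    else
      echo "FAIL $image (scanner exit code $?)" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Usage: ./clair-gate.sh node:10-alpine my-registry.example/app:1.2.3
[ "$#" -eq 0 ] || scan_all "$@"
```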
You must first have a connected Clair cluster initialized to perform the following actions.

1. On an internet-connected machine:

   ```bash
   clairctl --config clair_config/config.yml export-updaters updates.json
   ```

   ℹ️ The JSON file will be ~8.5Gb

2. Transfer the `updates.json` archive and run:

   ```bash
   clairctl import-updaters updates.json
   ```

   In order to have access to the internal networking, including the Postgres database, you may need to copy `updates.json` inside Clair's container with the `docker cp` command and then run the command above from inside the container.

3. Matcher processes should have the `disable_updaters` key set to disable automatic updaters running:

   ```yaml
   matcher:
     disable_updaters: true
   ```
To learn more about Quay Clair, I recommend:

- The official Clair documentation
- Ales Nosek's video "Deep Dive into Image Vulnerability"