CoreOS open sources Clair, the vulnerability scanner for your containers
Adds scanning functions to Quay customers too
Container-friendly Linux vendor CoreOS has spent the last six months developing a scanning tool that checks for vulnerabilities in containers, and it's open sourcing the code for the whole community.
"Our mission is to fundamentally improve the security of the internet," Alex Polvi, CEO of CoreOS, told The Register. "The more eyes on security features the better, we definitely don't want just closed source for security software."
Dubbed Clair, the software analyzes each container layer for known vulnerabilities in Red Hat, Ubuntu, and Debian. The code creator then receives a report if a flaw is spotted, along with a link to the latest software database(s) where a fix can be found.
The need for such a tool is clear, Polvi said. The firm's own data showed that well-known vulnerabilities like Heartbleed were found in 80 per cent of the Docker images stored on Quay, CoreOS' hosted container repository service.
Part of the problem, he said, was that some of the packages used to build containers go out of date very quickly. As a result, there are a host of vulnerabilities out there and a scanner like Clair could cut their numbers considerably.
The Clair engine will be open for improvement to all comers, and CoreOS will also be building it into Quay – as a beta initially. As the code base improves, both Clair and Quay will see the benefit. ®