CoreOS, the company behind the popular lightweight Linux distribution for data center deployments with the same name, has recently made a big bet on containers. Today, the company is launching Clair, an open-source tool for monitoring the security of containers — and it’s also integrating Clair into its paid Quay container registry service as a beta feature (with support for Quay Enterprise coming at a later date).
Containers make life easier for many developers, but just like a Linux distribution needs to be regularly updated to mitigate vulnerabilities, containers may also come with outdated software packages installed in them. CoreOS says over 80 percent of Docker images stored in its Quay service are still vulnerable to the infamous Heartbleed bug, for example.
Clair can scan containers for known vulnerabilities and then alert developers of potential issues. CoreOS is getting this data from the vulnerability databases of Red Hat, Ubuntu and Debian.
“Vulnerabilities will always exist in the world of software. Good security practice means being prepared for the mishaps – to identify insecure packages and be prepared to update them quickly,” the team Clair team writes today. “Clair is designed to help you identify insecure packages that may exist in your containers.”
The team notes that the tools is still pretty naive, though. Heartbleed is only an issue when you’re using the OpenSLL package that includes this bug. Clair only knows that the package is in the container, though. It doesn’t know whether you’re actually using it or not. “Clair isn’t suited for that level of analysis and teams should still undergo deeper analysis as required,” the team notes.