CoreOS announced the first preview of Clair, a tool that scans Docker containers for security vulnerabilities, last November and today, with the launch of Clair 1.0, it is ready to take the beta label off the service.
Given that developers often rely on pre-packaged containers — or regularly recycle the same ones — ensuring that the software included in them is safe to run is only going to get more important. And this isn’t even about malware but simply about out-of-date packages inside these containers that have known security vulnerabilities that a hacker could exploit.
CoreOS’s own research, based on the containers in its Quay container registry, shows that about 70 percent of the vulnerabilities it detected could be fixed by simply upgrading the packages in the container.
“Updating to the latest versions of installed software improves overall infrastructure security, which is why we deemed it important to analyze container images for security vulnerabilities as well as provide a clear path to updates mediating those issues that Clair uncovers,” the company argues. “Container images are often infrequently updated, but with Clair security scanning, users can identify and update problematic images more easily.”
CoreOS says it has added a number of changes to the tool since it first announced it. These include making the whole service more extensible and an improved REST API, for example, but Clair 1.0 also provides users with more details about each of the detected vulnerabilities.