klar: Integration of Clair and Docker Registry
Integration of Clair and Docker Registry (supports both Clair API v1 and v3)
Klar is a simple tool to analyze images stored in a private or public Docker registry for security vulnerabilities using Clair. Klar is designed to be used as an integration tool so it relies on environment variables. It’s a single binary that requires no dependencies.
Klar serves as a client which coordinates the image checks between the Docker registry and Clair.
Klar process returns if 0 if the number of detected high severity vulnerabilities in an image is less than or equal to a threshold (see below) and 1 if there were more. It will return 2 if an error has prevented the image from being analyzed.
Klar can be configured via the following environment variables:
- CLAIR_ADDR – address of the Clair server. It has a form of protocol://host:port – protocol and port default to http and 6060 respectively and may be omitted. You can also specify basic authentication in the URL: protocol://login:password@host:port.
- CLAIR_OUTPUT – severity level threshold, vulnerabilities with severity level higher than or equal to this threshold will be outputted. Supported levels are Unknown, Negligible, Low, Medium, High, Critical, Defcon1. Default is Unknown.
- CLAIR_THRESHOLD – how many outputted vulnerabilities Klar can tolerate before returning 1. Default is 0.
- CLAIR_TIMEOUT – timeout in minutes before Klar cancels the image scanning. Default is 1
- – Docker registry account name.
- DOCKER_PASSWORD – Docker registry account password.
- DOCKER_TOKEN – Docker registry account token. (Can be used in place of DOCKER_USER and DOCKER_PASSWORD)
- DOCKER_INSECURE – Allow Klar to access registries with bad SSL certificates. The default is false. Clair will need to be booted with -insecure-tls for this to work.
- DOCKER_TIMEOUT – timeout in minutes when trying to fetch layers from a docker registry
- DOCKER_PLATFORM_OS – The operating system of the Docker image. The default is Linux. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.
- DOCKER_PLATFORM_ARCH – The architecture of the Docker image is optimized for. Default is amd64. This only needs to be set if the image specified references a Docker ManifestList instead of a usual manifest.
- REGISTRY_INSECURE – Allow Klar to access insecure registries (HTTP only). Default is false.
- JSON_OUTPUT – Output JSON, not plain text. Default is false.
- FORMAT_OUTPUT – Output format of the vulnerabilities. Supported formats are standard, json, table. Default is standard. If JSON_OUTPUT is set to true, this option is ignored.
- WHITELIST_FILE – Path to the YAML file with the CVE whitelist. Look at whitelist-example.yaml for the file format.
- IGNORE_UNFIXED – Do not count vulnerabilities without a fix towards the threshold
Copyright (c) 2016 Optiopay GmbH