
by-pinja/container-vulnerability-scanner


container-vulnerability-scanner


A common, simple REST API for scanning Docker images.

              +---------------+
              |               | Offers common api for reporting and scanning.
              | CONTAINER-V-S | Communicates with clair and reports result.
              | API           |
              |               |
    +-------> +-+-------+-----+ <-------+
    |           ^       ^               | Requests to scan images like node:9.0
    |           |       |               | with source environment meta information.
    |           |       |               |
+---+---+ +-----+-+ +---+---+       +---+----+
|Kube   | |Kube   | |Kube   |       |Azure   |
|Agent  | |Agent  | |Agent  |  ...  |Agent   |
+-------+ +-------+ +-------+       +--------+

Problem domain

There are many ready-to-use registry scanners available now, also integrated into container registries such as Docker Hub or GCR. However, they only scan an image when it is pushed, and their results are often hard to integrate into a CI chain. Another problem with common solutions is that containers run in different environments with different versions; how do you collect knowledge about which of them need to be updated because of the current state of vulnerabilities? This also covers third-party containers, which are very commonly used as part of solutions.

We have already tested Clair as a valid solution for scanning. We want to use it in multiple locations: CI and monthly production cluster scanning. In addition to this, it is important that we can collect reports at a single point instead of in fragmented locations (such as each registry on its own).

Responsibility for pushing new data to this service lies with agents, which are tailored to each Docker container service type. For example, k8s and Azure web app containers are two very different use cases, but both require constant monitoring. In Kubernetes there is agent software running in each cluster which gets all images from deployments and sends them to the API for analysis.
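As an added illustration of the agent-side work described above (example code, not the project's own agent): walk the deployment list, collect every container and init-container image, and attach the source-environment metadata that goes with each scan request. The kubectl JSON below is constructed, the cluster name and payload shape are assumptions, and the HTTP call to the API is not shown because the endpoint is not documented here.

```python
import json
from collections import OrderedDict

# Constructed sample of `kubectl get deployments --all-namespaces -o json`,
# trimmed to the fields an agent actually needs.
SAMPLE_DEPLOYMENTS = json.dumps({
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend"},
         "spec": {"template": {"spec": {
             "initContainers": [{"image": "busybox:1.31"}],
             "containers": [{"image": "node:9.0"}, {"image": "nginx"}]}}}},
        {"metadata": {"namespace": "jobs", "name": "worker"},
         "spec": {"template": {"spec": {
             "containers": [{"image": "node:9.0"},
                            {"image": "myreg.example/app:2.1@sha256:deadbeef"}]}}}},
    ]
})


def normalise_image(ref):
    """Make the tag explicit so 'nginx' and 'nginx:latest' dedupe to one request.
    Digest-pinned references are left untouched."""
    if "@" in ref:
        return ref
    last_segment = ref.rsplit("/", 1)[-1]  # ignore ':' in a registry host:port
    if ":" not in last_segment:
        return ref + ":latest"
    return ref


def collect_scan_requests(kubectl_json, cluster):
    """One scan request per unique image, plus the deployments that use it
    (the 'source environment meta information' the API receives)."""
    requests = OrderedDict()
    for item in json.loads(kubectl_json)["items"]:
        meta = item["metadata"]
        pod_spec = item["spec"]["template"]["spec"]
        for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
            image = normalise_image(c["image"])
            entry = requests.setdefault(
                image, {"image": image, "cluster": cluster, "usedBy": []})
            entry["usedBy"].append(f"{meta['namespace']}/{meta['name']}")
    return list(requests.values())


if __name__ == "__main__":
    # Assumed cluster name; a real agent would read it from its own config.
    for req in collect_scan_requests(SAMPLE_DEPLOYMENTS, cluster="prod-eu"):
        print(json.dumps(req))
```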

Setting up local development

The compose folder contains a local instance of Clair and a Klar template that development mode can call. First edit the docker-compose.yaml file and add your Docker Hub username and password. These are needed because without them images from Docker Hub cannot be pulled properly.

cd compose && docker-compose up

Compose starts the current version at http://localhost:8080/doc/.

Running development version against compose services

Then, in another terminal:

dotnet watch run --environment="Development"

Navigate to http://localhost:5000/doc/

With PostgreSQL

Start PostgreSQL:

docker run --name api-postresql-db -e POSTGRES_PASSWORD=passwordfortesting -it -p 5432:5432 postgres

Run app:

dotnet run --"General:ConnectionString"="User ID=postgres;Password=passwordfortesting;Host=localhost;Port=5432;Database=api;Pooling=true;"

Stable version

After the compose version is running, there is always a stable version from Docker Hub running on port 8181. This can be used as a reference in error situations.

So if you need the stable version, navigate to http://localhost:8181/doc/.

Developer FAQ

  • Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/node:latest to Clair failed: can't push layer to Clair: Post http://clair:6060/v1/layers: net/http: request canceled (Client.Timeout exceeded while awaiting headers)\n\nFailed to analyze using API v3: push image https://registry-1.docker.io/v2/library/node:latest to Clair failed: rpc error: code = Unavailable desc = transport is closing -> docker/for-win#611 (comment) This may occur with docker-on-windows.
    • Also check that the Docker Hub username and password are configured for the app.