clair cicd下载 - clair cicd源头下载

clair cicd

其他类别

v1.0.2

下载

Clair-cicd

克莱尔（Clair）于16年11月发行，是一种非常有效的工具，用于静态分析docker图像，以确定图像中存在哪些已知漏洞。将克莱尔整合到CI/CD管道中：

很复杂（认为这部分是文档挑战）
创建性能问题（构建Clair所需的Postgres漏洞数据库很慢）
从风险评估的角度来看，本身本身不够

该存储库的创建是为了应对上述挑战。

背景

该回购的根源围绕以下信念：

当插入CI/CD管道中时，Clair可能是自动化Docker Image Image脆弱性风险评估的非常有效的基础
服务应在Docker容器中运行，因此CI/CD管道应集中于自动生成，评估并最终部署Docker Images
了解和评估服务的风险概况至关重要。安全很重要
在理解其风险状态之前，不应将Docker图像推到Docker注册表（这是一个重要的风险）
CI/CD管道应快速。多快？理想情况下，在代码提交和自动部署之间开始<5分钟
创建Docker映像（服务工程师）的人与确定Docker Image（安全分析师）中漏洞风险的人之间应有明确的职责分配
风险评估过程应产生可用于了解风险评估决定的证据

关键参与者

服务工程师 - 负责实施在Docker Image中包装的服务
安全分析师 - 负责定义clair_cicd消费的白名单，以影响Docker图像风险评估决策

如何使用

入门

要开始使用clair-cicd ，服务工程师将一行代码插入服务的CI管道。单行代码运行shell脚本评估图像风险。 CI管道的一部分责任是构建Docker图像，然后将Docker图像推到Docker注册表。 clair-cicd代码的一行在构建和测试后应出现，但在将Docker Image推到Docker注册表之前。

在这种简单的情况下，如果Docker映像在中等严重性之上没有已知的漏洞，则评估图像危机返回零退出状态。如果Docker映像包含任何已知漏洞，其严重程度高于媒介，则评估图像风险将返回非零退出状态，并且构建失败IE。构建应在将Docker映像推到Docker注册表之前失败。

该示例说明了Alpine的描述：3.4 Docker Image。

 ~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- alpine:3.4
~ > echo $?
0
~ >

了解风险评估决定

要了解assess-image-risk.sh SH的方式如何使用-v标志尝试使用风险评估决策。

 ~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- -v alpine:3.4
2020-01-12 16:43:35 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:44:17 successfully pulled clair database image
2020-01-12 16:44:17 starting clair database container ' clair-db-c1dbb5f93ae98755 '
2020-01-12 16:44:23 waiting for database server in container ' clair-db-c1dbb5f93ae98755 ' to start ...........................
2020-01-12 16:44:54 successfully started clair database container
2020-01-12 16:44:54 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.ElAlhGNl '
2020-01-12 16:44:59 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:45:13 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:45:13 starting clair container ' clair-e9573ae537134fa0 '
2020-01-12 16:45:15 successfully started clair container ' clair-e9573ae537134fa0 '
2020-01-12 16:45:15 saving docker image ' alpine:3.4 ' to ' /tmp/tmp.IaNHCH '
2020-01-12 16:45:16 successfully saved docker image ' alpine:3.4 '
2020-01-12 16:45:16 starting to create clair layers
2020-01-12 16:45:16 creating clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 successfully created clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 done creating clair layers
2020-01-12 16:45:16 starting to get vulnerabilities for clair layers
2020-01-12 16:45:16 saving vulnerabilities to directory ' /tmp/tmp.MDncHN '
2020-01-12 16:45:16 getting vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 successfully got vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 done getting vulnerabilities for clair layers
2020-01-12 21:45:17 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO io:95 Found 1 files with vulnerabilities in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.MDncHN/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:45:17 INFO io:122 Found 0 vulnerabilities in ' /tmp/tmp.MDncHN/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:45:17 INFO io:133 Found 0 vulnerabilities in 1 files in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO assessor:19 Assessment starts
2020-01-12 21:45:17 INFO assessor:26 Assessment ends - pass
~ > echo $?
0
~ >

添加脆弱性白名单

在上面的示例中，使用了默认漏洞白名单。当指定为JSON文档时，这个白名单将是：

{
  "ignoreSevertiesAtOrBelow" : " medium "
}

默认情况下，如果在图像中识别出任何漏洞的严重性高于媒介，则ession-image-crisk.sh将返回非零退出状态。该介质源自默认漏洞白名单。

下面的示例说明了如何指定脆弱性白名单以及除媒介以外的其他严重性。请注意，使用json://前缀表示这是一个内联白名单。

 ~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- -v --whitelist ' json://{"ignoreSevertiesAtOrBelow": "negligible"} ' ubuntu:18.04
2020-01-12 16:46:56 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:46:58 successfully pulled clair database image
2020-01-12 16:46:58 starting clair database container ' clair-db-3b0811925f7e8bc2 '
2020-01-12 16:46:59 waiting for database server in container ' clair-db-3b0811925f7e8bc2 ' to start .............................
2020-01-12 16:47:32 successfully started clair database container
2020-01-12 16:47:32 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.BXCs3Giy '
2020-01-12 16:47:34 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:47:36 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:47:36 starting clair container ' clair-fc579c71e7daba57 '
2020-01-12 16:47:38 successfully started clair container ' clair-fc579c71e7daba57 '
2020-01-12 16:47:38 saving docker image ' ubuntu:18.04 ' to ' /tmp/tmp.lPDhNd '
2020-01-12 16:47:43 successfully saved docker image ' ubuntu:18.04 '
2020-01-12 16:47:43 starting to create clair layers
2020-01-12 16:47:43 creating clair layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:43 successfully created clair layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:43 creating clair layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 successfully created clair layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 creating clair layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 successfully created clair layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 creating clair layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 successfully created clair layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 done creating clair layers
2020-01-12 16:47:44 starting to get vulnerabilities for clair layers
2020-01-12 16:47:44 saving vulnerabilities to directory ' /tmp/tmp.dkfgmI '
2020-01-12 16:47:44 getting vulnerabilities for layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:44 getting vulnerabilities for layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 getting vulnerabilities for layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 getting vulnerabilities for layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 done getting vulnerabilities for clair layers
2020-01-12 21:47:45 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO io:95 Found 4 files with vulnerabilities in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e.json '
2020-01-12 21:47:45 INFO io:133 Found 33 vulnerabilities in 4 files in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO assessor:19 Assessment starts
2020-01-12 21:47:45 INFO assessor:34 Assessing vulnerability CVE-2018-11236 - start
2020-01-12 21:47:45 INFO assessor:52 Vulnerability CVE-2018-11236 @ severity medium greater than whitelist severity @ negligible - fail
2020-01-12 21:47:45 INFO assessor:36 Assessing vulnerability CVE-2018-11236 - finish
2020-01-12 21:47:45 INFO assessor:23 Assessment ends - fail
~ > echo $?
1
~ >

以上是直列白名单的一个例子。也可以在文件中指定白名单。下面的示例说明了用法。请注意，使用file://前缀表示白名单包含在文件中。

 ~ > cat whitelist.json
{
  " ignoreSevertiesAtOrBelow " : " medium "
}
~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- -v --whitelist file://whitelist.json alpine:3.4
2020-01-12 16:48:41 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:48:42 successfully pulled clair database image
2020-01-12 16:48:42 starting clair database container ' clair-db-191152e37b864e4b '
2020-01-12 16:48:43 waiting for database server in container ' clair-db-191152e37b864e4b ' to start .............................
2020-01-12 16:49:16 successfully started clair database container
2020-01-12 16:49:16 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.GdlBNmiG '
2020-01-12 16:49:19 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:49:20 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:49:20 starting clair container ' clair-747d1c50606fba7e '
2020-01-12 16:49:21 successfully started clair container ' clair-747d1c50606fba7e '
2020-01-12 16:49:22 saving docker image ' alpine:3.4 ' to ' /tmp/tmp.Eldkbe '
2020-01-12 16:49:23 successfully saved docker image ' alpine:3.4 '
2020-01-12 16:49:23 starting to create clair layers
2020-01-12 16:49:23 creating clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 successfully created clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 done creating clair layers
2020-01-12 16:49:23 starting to get vulnerabilities for clair layers
2020-01-12 16:49:23 saving vulnerabilities to directory ' /tmp/tmp.pCOhlL '
2020-01-12 16:49:23 getting vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 successfully got vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 done getting vulnerabilities for clair layers
2020-01-12 21:49:23 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO io:95 Found 1 files with vulnerabilities in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.pCOhlL/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:49:23 INFO io:122 Found 0 vulnerabilities in ' /tmp/tmp.pCOhlL/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:49:23 INFO io:133 Found 0 vulnerabilities in 1 files in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO assessor:19 Assessment starts
2020-01-12 21:49:23 INFO assessor:26 Assessment ends - pass
~ > echo $?
0
~ >

特定的漏洞也可以被列入白色。下面的示例说明了此功能。如果将-v （冗长）标志添加到assess-image-risk.sh中Vulnerability CVE-2019-13627 in whitelist - pass

 ~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- --whitelist ' json://{"ignoreSevertiesAtOrBelow":"low"} ' ubuntu:18.04
~ > echo $?
1
~ > cat whitelist.json
{
  " ignoreSevertiesAtOrBelow " : " low " ,
  " vulnerabilities " : [
    { " cveId " : " CVE-2018-20839 " , " rationale " : " reason #1 " },
    { " cveId " : " CVE-2019-5188 " , " rationale " : " reason #2 " },
    { " cveId " : " CVE-2018-11236 " , " rationale " : " reason #3 " },
    { " cveId " : " CVE-2019-13627 " , " rationale " : " reason #4 " },
    { " cveId " : " CVE-2019-13050 " , " rationale " : " reason #5 " },
    { " cveId " : " CVE-2018-11237 " , " rationale " : " reason #6 " },
    { " cveId " : " CVE-2018-19591 " , " rationale " : " reason #7 " }
  ]
}
~ > curl -s -L 
  https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh | 
  bash -s -- --whitelist ' file://whitelist.json ' ubuntu:18.04
~ > echo $?
0
~ >

ITO白人主义者值得一看的第7期，上面写着：

使用--whitelist命令行参数指定assess-image-risk.sh的白名单时，应支持https:// Scheme，除了现有的json:// ， file:// schemes。为什么这很重要？理想情况下，白名单应由安全分析师而不是服务工程师维护。这意味着，应将白名单维持在另一个回购中，并具有适当的更改管理过程。 json:// and file://方案可以很好地维护同一回购中的白名单是服务代码。但是，最好将白名单维护在仓库中，该仓库仅适用于服务工程师，并且只能由可以应用适当更改管理流程的安全分析师进行编辑，以进行更改（代码审查，功能分支等）。

它如何工作 +要求/假设

有3个移动的零件：

评估图像风险是bash脚本，它可以进行繁重的举重以协调另外两个移动零件的相互作用
Clair的漏洞数据库已包装在Docker Image SimonsDave/Clair-Database中 - Circleci Cron作业用于重建SimonsDave/Clair-Database每周3天，以确保脆弱性数据库为当前
基于docker image quay.io/coreos/clair，包装在SimonsDave/Clair-Cicd-Clair Docker Image中包装包装的Python和Bash风险评估脚本

从此文档开头的样本中，您可以看到将最新版本的评估图像风险夹卷成局部运行bash shell的方法。然后，使用SimonsDave/Clair-Database旋转评估图像风险。然后，使用SimonsDave/Clair-Cicd-Clair容器可以使用SimonsDave/Clair-Cicd-Clair运行另一个容器，可以与SimonsDave/Clair-Database容器进行交谈。 Simonsdave/Clair-Cicd-Clair容器正在运行后，Issess-image-crisk.sh docker Exec的此BASH脚本可以进行实际的风险评估。

在了解clair-cicd工作原理的情况下，您会欣赏执行评估图像风险的能力。SH是定义执行环境要求的原因。评估图像 - 风险SHS是一个用于启动风险评估过程的BASH脚本，因此，是该脚本定义了clair-cicd的大部分假设/要求 - 该脚本使用Docker，SED和OpenSSL，因此所有这些都需要在运行clair-cicd环境中可用