clair cicd
v1.0.2
克萊爾(Clair)於16年11月發行,是一種非常有效的工具,用於靜態分析docker圖像,以確定圖像中存在哪些已知漏洞。將克萊爾整合到CI/CD管道中:
該存儲庫的創建是為了應對上述挑戰。
該回購的根源圍繞以下信念:
clair_cicd消費的白名單,以影響Docker圖像風險評估決策要開始使用clair-cicd ,服務工程師將一行代碼插入服務的CI管道。單行代碼運行shell腳本評估圖像風險。 CI管道的一部分責任是構建Docker圖像,然後將Docker圖像推到Docker註冊表。 clair-cicd代碼的一行在構建和測試後應出現,但在將Docker Image推到Docker註冊表之前。
在這種簡單的情況下,如果Docker映像在中等嚴重性之上沒有已知的漏洞,則評估圖像危機返回零退出狀態。如果Docker映像包含任何已知漏洞,其嚴重程度高於媒介,則評估圖像風險將返回非零退出狀態,並且構建失敗IE。構建應在將Docker映像推到Docker註冊表之前失敗。
該示例說明了Alpine的描述:3.4 Docker Image。
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- alpine:3.4
~ > echo $?
0
~ > 要了解assess-image-risk.sh SH的方式如何使用-v標誌嘗試使用風險評估決策。
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- -v alpine:3.4
2020-01-12 16:43:35 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:44:17 successfully pulled clair database image
2020-01-12 16:44:17 starting clair database container ' clair-db-c1dbb5f93ae98755 '
2020-01-12 16:44:23 waiting for database server in container ' clair-db-c1dbb5f93ae98755 ' to start ...........................
2020-01-12 16:44:54 successfully started clair database container
2020-01-12 16:44:54 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.ElAlhGNl '
2020-01-12 16:44:59 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:45:13 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:45:13 starting clair container ' clair-e9573ae537134fa0 '
2020-01-12 16:45:15 successfully started clair container ' clair-e9573ae537134fa0 '
2020-01-12 16:45:15 saving docker image ' alpine:3.4 ' to ' /tmp/tmp.IaNHCH '
2020-01-12 16:45:16 successfully saved docker image ' alpine:3.4 '
2020-01-12 16:45:16 starting to create clair layers
2020-01-12 16:45:16 creating clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 successfully created clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 done creating clair layers
2020-01-12 16:45:16 starting to get vulnerabilities for clair layers
2020-01-12 16:45:16 saving vulnerabilities to directory ' /tmp/tmp.MDncHN '
2020-01-12 16:45:16 getting vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 successfully got vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:45:16 done getting vulnerabilities for clair layers
2020-01-12 21:45:17 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO io:95 Found 1 files with vulnerabilities in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.MDncHN/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:45:17 INFO io:122 Found 0 vulnerabilities in ' /tmp/tmp.MDncHN/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:45:17 INFO io:133 Found 0 vulnerabilities in 1 files in directory ' /tmp/tmp.MDncHN '
2020-01-12 21:45:17 INFO assessor:19 Assessment starts
2020-01-12 21:45:17 INFO assessor:26 Assessment ends - pass
~ > echo $?
0
~ > 在上面的示例中,使用了默認漏洞白名單。當指定為JSON文檔時,這個白名單將是:
{
"ignoreSevertiesAtOrBelow" : " medium "
}默認情況下,如果在圖像中識別出任何漏洞的嚴重性高於媒介,則ession-image-crisk.sh將返回非零退出狀態。該介質源自默認漏洞白名單。
下面的示例說明瞭如何指定脆弱性白名單以及除媒介以外的其他嚴重性。請注意,使用json://前綴表示這是一個內聯白名單。
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- -v --whitelist ' json://{"ignoreSevertiesAtOrBelow": "negligible"} ' ubuntu:18.04
2020-01-12 16:46:56 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:46:58 successfully pulled clair database image
2020-01-12 16:46:58 starting clair database container ' clair-db-3b0811925f7e8bc2 '
2020-01-12 16:46:59 waiting for database server in container ' clair-db-3b0811925f7e8bc2 ' to start .............................
2020-01-12 16:47:32 successfully started clair database container
2020-01-12 16:47:32 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.BXCs3Giy '
2020-01-12 16:47:34 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:47:36 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:47:36 starting clair container ' clair-fc579c71e7daba57 '
2020-01-12 16:47:38 successfully started clair container ' clair-fc579c71e7daba57 '
2020-01-12 16:47:38 saving docker image ' ubuntu:18.04 ' to ' /tmp/tmp.lPDhNd '
2020-01-12 16:47:43 successfully saved docker image ' ubuntu:18.04 '
2020-01-12 16:47:43 starting to create clair layers
2020-01-12 16:47:43 creating clair layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:43 successfully created clair layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:43 creating clair layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 successfully created clair layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 creating clair layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 successfully created clair layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 creating clair layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 successfully created clair layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 done creating clair layers
2020-01-12 16:47:44 starting to get vulnerabilities for clair layers
2020-01-12 16:47:44 saving vulnerabilities to directory ' /tmp/tmp.dkfgmI '
2020-01-12 16:47:44 getting vulnerabilities for layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd '
2020-01-12 16:47:44 getting vulnerabilities for layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' 27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54 '
2020-01-12 16:47:44 getting vulnerabilities for layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e '
2020-01-12 16:47:44 getting vulnerabilities for layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 successfully got vulnerabilities for layer ' 1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d '
2020-01-12 16:47:44 done getting vulnerabilities for clair layers
2020-01-12 21:47:45 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO io:95 Found 4 files with vulnerabilities in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/27a911bb510bf1e9458437f0f44216fd38fd08c462ed7aa026d91aab8c054e54.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/cc59b0ca1cf21d77c81a98138703008daa167b1ab1a115849d498dba64e738dd.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/1ee34a985f7aef86436a5519f5ad83f866a74c7d9a0c22e47c4213ee9cb64e6d.json '
2020-01-12 21:47:45 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.dkfgmI/d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e.json '
2020-01-12 21:47:45 INFO io:122 Found 33 vulnerabilities in ' /tmp/tmp.dkfgmI/d80735acaa72040a0a98ca3ae6891f9abb4e2f5d627b4099c4fefdc3ce1e696e.json '
2020-01-12 21:47:45 INFO io:133 Found 33 vulnerabilities in 4 files in directory ' /tmp/tmp.dkfgmI '
2020-01-12 21:47:45 INFO assessor:19 Assessment starts
2020-01-12 21:47:45 INFO assessor:34 Assessing vulnerability CVE-2018-11236 - start
2020-01-12 21:47:45 INFO assessor:52 Vulnerability CVE-2018-11236 @ severity medium greater than whitelist severity @ negligible - fail
2020-01-12 21:47:45 INFO assessor:36 Assessing vulnerability CVE-2018-11236 - finish
2020-01-12 21:47:45 INFO assessor:23 Assessment ends - fail
~ > echo $?
1
~ >以上是直列白名單的一個例子。也可以在文件中指定白名單。下面的示例說明了用法。請注意,使用file://前綴表示白名單包含在文件中。
~ > cat whitelist.json
{
" ignoreSevertiesAtOrBelow " : " medium "
}
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- -v --whitelist file://whitelist.json alpine:3.4
2020-01-12 16:48:41 pulling clair database image ' simonsdave/clair-cicd-database:latest '
2020-01-12 16:48:42 successfully pulled clair database image
2020-01-12 16:48:42 starting clair database container ' clair-db-191152e37b864e4b '
2020-01-12 16:48:43 waiting for database server in container ' clair-db-191152e37b864e4b ' to start .............................
2020-01-12 16:49:16 successfully started clair database container
2020-01-12 16:49:16 clair configuration in ' /var/folders/7x/rr443kj575s8zz54jrbrp4jc0000gn/T/tmp.GdlBNmiG '
2020-01-12 16:49:19 pulling clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:49:20 successfully pulled clair image ' simonsdave/clair-cicd-clair:latest '
2020-01-12 16:49:20 starting clair container ' clair-747d1c50606fba7e '
2020-01-12 16:49:21 successfully started clair container ' clair-747d1c50606fba7e '
2020-01-12 16:49:22 saving docker image ' alpine:3.4 ' to ' /tmp/tmp.Eldkbe '
2020-01-12 16:49:23 successfully saved docker image ' alpine:3.4 '
2020-01-12 16:49:23 starting to create clair layers
2020-01-12 16:49:23 creating clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 successfully created clair layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 done creating clair layers
2020-01-12 16:49:23 starting to get vulnerabilities for clair layers
2020-01-12 16:49:23 saving vulnerabilities to directory ' /tmp/tmp.pCOhlL '
2020-01-12 16:49:23 getting vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 successfully got vulnerabilities for layer ' 378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d '
2020-01-12 16:49:23 done getting vulnerabilities for clair layers
2020-01-12 21:49:23 INFO io:89 Looking for vulnerabilities in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO io:95 Found 1 files with vulnerabilities in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO io:104 Looking for vulnerabilities in ' /tmp/tmp.pCOhlL/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:49:23 INFO io:122 Found 0 vulnerabilities in ' /tmp/tmp.pCOhlL/378cb6b4a17e08c366cebd813d218f60889848387fa61a56ac054ca027a4890d.json '
2020-01-12 21:49:23 INFO io:133 Found 0 vulnerabilities in 1 files in directory ' /tmp/tmp.pCOhlL '
2020-01-12 21:49:23 INFO assessor:19 Assessment starts
2020-01-12 21:49:23 INFO assessor:26 Assessment ends - pass
~ > echo $?
0
~ >特定的漏洞也可以被列入白色。下面的示例說明了此功能。如果將-v (冗長)標誌添加到assess-image-risk.sh中Vulnerability CVE-2019-13627 in whitelist - pass
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- --whitelist ' json://{"ignoreSevertiesAtOrBelow":"low"} ' ubuntu:18.04
~ > echo $?
1
~ > cat whitelist.json
{
" ignoreSevertiesAtOrBelow " : " low " ,
" vulnerabilities " : [
{ " cveId " : " CVE-2018-20839 " , " rationale " : " reason #1 " },
{ " cveId " : " CVE-2019-5188 " , " rationale " : " reason #2 " },
{ " cveId " : " CVE-2018-11236 " , " rationale " : " reason #3 " },
{ " cveId " : " CVE-2019-13627 " , " rationale " : " reason #4 " },
{ " cveId " : " CVE-2019-13050 " , " rationale " : " reason #5 " },
{ " cveId " : " CVE-2018-11237 " , " rationale " : " reason #6 " },
{ " cveId " : " CVE-2018-19591 " , " rationale " : " reason #7 " }
]
}
~ > curl -s -L
https://raw.githubusercontent.com/simonsdave/clair-cicd/master/bin/assess-image-risk.sh |
bash -s -- --whitelist ' file://whitelist.json ' ubuntu:18.04
~ > echo $?
0
~ >ITO白人主義者值得一看的第7期,上面寫著:
使用
--whitelist命令行參數指定assess-image-risk.sh的白名單時,應支持https://Scheme,除了現有的json://,file://schemes。為什麼這很重要?理想情況下,白名單應由安全分析師而不是服務工程師維護。這意味著,應將白名單維持在另一個回購中,並具有適當的更改管理過程。json://andfile://方案可以很好地維護同一回購中的白名單是服務代碼。但是,最好將白名單維護在倉庫中,該倉庫僅適用於服務工程師,並且只能由可以應用適當更改管理流程的安全分析師進行編輯,以進行更改(代碼審查,功能分支等)。
有3個移動的零件:
從此文檔開頭的樣本中,您可以看到將最新版本的評估圖像風險夾捲成局部運行bash shell的方法。然後,使用SimonsDave/Clair-Database旋轉評估圖像風險。然後,使用SimonsDave/Clair-Cicd-Clair容器可以使用SimonsDave/Clair-Cicd-Clair運行另一個容器,可以與SimonsDave/Clair-Database容器進行交談。 Simonsdave/Clair-Cicd-Clair容器正在運行後,Issess-image-crisk.sh docker Exec的此BASH腳本可以進行實際的風險評估。
在了解clair-cicd工作原理的情況下,您會欣賞執行評估圖像風險的能力。 SH是定義執行環境要求的原因。評估圖像 - 風險SHS是一個用於啟動風險評估過程的BASH腳本,因此,是該腳本定義了clair-cicd的大部分假設/要求 - 該腳本使用Docker,SED和OpenSSL,因此所有這些都需要在運行clair-cicd環境中可用
