Clair Image Scan Setup in a Codefresh Pipeline

Clair image scanning produces a report of known vulnerabilities in a Docker image. Adding it to your Codefresh CI/CD pipeline means you can see those threats and start automating your response to them. That response can range from something as simple as showing the development team a report of the listed vulnerabilities to something as involved as rolling a deployment back to the last approved build when the vulnerabilities exceed your guidelines.

To use the Clair scan you must have your own Clair service set up ahead of time. During your Codefresh pipeline you then pass the Docker image to that Clair service. The report is saved in a storage bucket, and a link to it is attached to the Docker image as an annotation.

In our example, GCP provides the K8s cluster that runs Clair and the storage bucket that holds the reports; Codefresh provides the pipeline and the Docker image registry.

Initial Setup: Connecting your K8s cluster to Codefresh

Before getting started, you need to have your K8s cluster and your cloud storage connected to Codefresh.

In our example we used G Suite accounts to add the Kubernetes cluster and to authenticate the integration with GCP. Codefresh acts as the G Suite account configured in the next step, so if that account does not have permission to view the K8s cluster you want to use, Codefresh will not be able to see that resource either. Using an individual's G Suite account can therefore cause problems later if that user's permissions change, so consider creating a Codefresh-specific account when configuring Codefresh's integrations with other services.

Under Account Settings, select Integrations, then Configure next to Kubernetes.

You will need to select Add Provider, and then log in with your Google account to connect the K8s cluster to Codefresh.

Similarly, under Account Settings > Integrations, you will need to select Configure next to cloud storage and then Add Cloud Provider to connect a storage bucket from GCP.

Deploying Clair Service

The next step is to deploy Clair into your K8s cluster. First, grab a copy of the helm chart for deploying Clair from Clair’s git repo.

The helm chart is here: https://github.com/coreos/clair/tree/master/contrib/helm/clair

Place the chart in your own repo and create a Codefresh pipeline that deploys that repo into your K8s cluster. You will need to adjust the helm chart so that it exposes an endpoint for the Clair service. The fastest way to do this is to change the service type from 'ClusterIP' to 'LoadBalancer' in the chart's values.yaml. Keep in mind that a LoadBalancer service gives Clair's API an externally reachable address, so restrict who can reach it (for example with a source-IP allow list on the service or firewall rules) so that only your pipeline can talk to it.

In Codefresh, you can now select Repos, and then add the repo you just created with the Clair helm chart. Now you will need to create a pipeline.

In the Environment Variables area, fill in the KUBECONTEXT and NAMESPACE variables. KUBECONTEXT is the name of your K8s cluster as it appears in Codefresh, and NAMESPACE is the namespace inside that cluster that the Clair service will be deployed to. The YAML below creates the namespace if it does not already exist.

Then use the YAML below for your deployment pipeline.

version: '1.0'
stages:
  - KubernetesCreateNamespace
  - HelmInstall
steps:
  KubernetesCreateNamespace:
    stage: KubernetesCreateNamespace
    image: 'codefresh/cfstep-helm:2.9.1'
    title: Creating Kubernetes Namespace
    environment:
      - 'KUBE_CONTEXT=${{KUBECONTEXT}}'
    commands:
      - 'kubectl config use-context ${{KUBECONTEXT}}'
      # create the namespace only if it does not already exist
      - >-
        kubectl get namespace ${{NAMESPACE}} || kubectl create namespace
        ${{NAMESPACE}}
  HelmInstall:
    # assign the step to the HelmInstall stage declared above
    stage: HelmInstall
    image: 'codefresh/cfstep-helm:2.9.1'
    title: Installing Clair Helm chart
    environment:
      - CHART_NAME=./
      - CHART_REF=./
      - RELEASE_NAME=${{KUBECONTEXT}}-${{NAMESPACE}}
      - KUBE_CONTEXT=${{KUBECONTEXT}}
      - NAMESPACE=${{NAMESPACE}}
      - SERVICE=clair
      # values file from the repo, with the service type changed to LoadBalancer
      - VALUESFILE_env=./values.yaml


This installs the Clair service into your K8s cluster. You can confirm it in the Kubernetes area of Codefresh, where the Clair service appears under the namespace you specified. You should also see an ENDPOINT listed for the service; you will need it in the next step.

Running a Clair scan in your pipeline

To add the Clair scan, add the appropriate steps to your pipeline. First, define the following variables:

REGISTRY_PASSWORD: The access token for your Docker registry.
REGISTRY_USERNAME: The username for your Docker registry.
CF_ACCOUNT: The name of your Codefresh account.
CF_STORAGE_INTEGRATION: The name of your storage integration as it appears in the account settings area.
BUCKET_NAME: The name of your cloud storage bucket.
CLAIR_URL: The endpoint of your Clair service.
IMAGE_NAME: The name of the Docker image that you are creating.
IMAGE_NAME_NORMALIZED: The name of the image, but with the / characters replaced with
PIPELINE_ID: A string of letters and numbers, e.g. 5c16c350c3fb1206e50b625a. The easiest way to find it is to run the pipeline once and then check your Google Cloud Storage bucket: a new folder will have been created, and its name is the pipeline ID.

  SecurityScan:
    title: Run Clair Image Vulnerability Scan
    # ScanImage and ArchiveReport must be listed under the pipeline's stages
    stage: ScanImage
    image: codefresh/cfstep-paclair:3.1.0
    environment:
      - IMAGE=${{IMAGE_NAME}}
      - TAG=${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}
    on_success:
      metadata:
        set:
          # BuildImage is the name of the build step that produced the image
          - ${{BuildImage.imageId}}:
              - CLAIR_REPORT: "https://g.codefresh.io/api/testReporting/v2/${{PIPELINE_ID}}/${{CF_BRANCH_TAG_NORMALIZED}}/gc/${{CF_STORAGE_INTEGRATION}}/${{BUCKET_NAME}}/${{CF_BUILD_ID}}/clair-scan-${{IMAGE_NAME_NORMALIZED}}-${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}.html"
  UploadReport:
    title: Upload Clair Image Scan Vulnerability Report to Cloud Storage
    stage: ArchiveReport
    image: codefresh/cf-docker-test-reporting
    environment:
      - REPORT_DIR=reports
      - REPORT_INDEX_FILE=index.html


This adds annotations to your Docker image showing where the report is stored and an overview of the vulnerabilities found.

You can click on the annotated link and view the full report that includes additional links to information about the vulnerabilities.
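The pipeline above publishes an HTML report for people to read. To automate the response the introduction talks about (failing a build, or triggering a rollback, when vulnerabilities exceed your guidelines), a later pipeline step can ask Clair directly and apply a policy. The following is an added example, not code from the page, from Codefresh or from the Clair project: it builds the URL of Clair's v1 layer endpoint (`/v1/layers/<name>?features&vulnerabilities`, whose JSON has `Layer.Features[].Vulnerabilities[]` entries with `Name`, `Severity` and `FixedBy`), then evaluates such a response against a maximum allowed severity. The sample response, package names and CVE-style identifiers are constructed; `CLAIR_URL` and the layer name would come from your pipeline variables and from the scan step.

```python
"""Policy gate over a Clair v1 layer report (added example, constructed sample data)."""
import json
import sys
from collections import Counter
from urllib.parse import quote

# Clair's severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def build_layer_url(clair_url, layer_name):
    """URL of Clair's layer endpoint, asking for features and their vulnerabilities.

    clair_url is the CLAIR_URL endpoint from the pipeline (assumed form http://host:port).
    """
    base = clair_url.rstrip("/")
    return f"{base}/v1/layers/{quote(layer_name, safe='')}?features&vulnerabilities"


def findings(report):
    """Flatten a layer response into one dict per (package, vulnerability) pair."""
    out = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            out.append({
                "feature": feature.get("Name"),
                "version": feature.get("Version"),
                "name": vuln.get("Name"),
                "severity": vuln.get("Severity", "Unknown"),
                "fixed_by": vuln.get("FixedBy", ""),  # empty when no fixed version is known
            })
    return out


def severity_counts(report):
    """Number of findings per severity, for the overview annotation or a log line."""
    return Counter(f["severity"] for f in findings(report))


def evaluate(report, max_severity="Medium", fail_on_unfixed=False):
    """Return (passed, violations).

    A finding violates the policy when its severity is above max_severity.
    Findings with no FixedBy version cannot be removed by rebuilding the image;
    by default they are reported but do not fail the gate, unless fail_on_unfixed is set.
    """
    threshold = SEVERITY_ORDER.index(max_severity)
    violations = []
    for f in findings(report):
        rank = SEVERITY_ORDER.index(f["severity"]) if f["severity"] in SEVERITY_ORDER else 0
        if rank > threshold and (f["fixed_by"] or fail_on_unfixed):
            violations.append(f)
    return (len(violations) == 0, violations)


# Constructed sample in the shape of a Clair v1 layer response (not a real scan).
SAMPLE_REPORT = json.loads("""
{
  "Layer": {
    "Name": "sha256:constructed-layer-digest",
    "NamespaceName": "debian:9",
    "Features": [
      {"Name": "openssl", "Version": "1.1.0-1", "Vulnerabilities": [
        {"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.1.0-2",
         "Link": "https://example.invalid/CVE-0000-0001"}
      ]},
      {"Name": "zlib", "Version": "1:1.2.8-5", "Vulnerabilities": [
        {"Name": "CVE-0000-0002", "Severity": "Low", "FixedBy": "1:1.2.8-6"}
      ]},
      {"Name": "glibc", "Version": "2.24-1", "Vulnerabilities": [
        {"Name": "CVE-0000-0003", "Severity": "Critical", "FixedBy": ""}
      ]}
    ]
  }
}
""")


if __name__ == "__main__":
    # In a pipeline step, replace SAMPLE_REPORT with the JSON fetched from build_layer_url(...).
    print("findings by severity:", dict(severity_counts(SAMPLE_REPORT)))
    passed, violations = evaluate(SAMPLE_REPORT, max_severity="Medium")
    for v in violations:
        print(f"{v['severity']:9} {v['name']} in {v['feature']} {v['version']} (fixed by {v['fixed_by']})")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step, a non-zero exit status fails the build at the gate; the `max_severity` and `fail_on_unfixed` arguments are where your guideline lives, and the `fixed_by` field tells the team whether a rebuild with updated packages will actually clear the finding.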

Additional Resources:

The Git Repo for the Clair vulnerability scanning project:
https://github.com/coreos/clair

The location of Clair’s helm chart in their repo: https://github.com/coreos/clair/tree/master/contrib/helm/clair

Codefresh's own blog article on this topic, and its webinar on Clair usage:
https://codefresh.io/security-testing/clair-vulnerability-scans/