Automatically scan a particular local docker image or all local docker containers with Clair Vulnerability Scanner using Clair-Scanner and clair-local-scan.

• docker (1.12 or newer)
• docker-compose (1.9.0 or newer)

To get json output of the clair scan of all running containers to standard out just run:

./clair-container-scan.sh -p

The output will be empty and the return code will be zero, if no CVE was found. If there are findings, the output will list details in json.

You should always add the -p flag to get the latest CVE database version. You can use the -v flag to add verbose output, in case of a problem.

To scan one particular local image just specify the image name as parameter:

# To scan alpine:3.4 run:
./clair-container-scan.sh -p alpine:3.4

The output will be empty and the return code will be zero, if no CVE was found.

If there are findings, the output will list details in json.

The easiest (but not most secure way) of integrating into your CI/CD tool is to run following one-liner (replace alpine:3.4 with the image you want to scan):

# to scan alpine:3.4 again
curl -s https://raw.githubusercontent.com/usr42/clair-container-scan/master/clair-container-scan.sh | sh -s -- alpine:3.4

WARNING: You should never pipe a remote-script directly into a shell, unless you completely trust the source and integrity of the file to execute. Usually, it is better to download the file, validate its input, and run you local, validated version.

• Docker
• docker-compose
• Clair Vulnerability Scanner
• Clair-Scanner (release v8 is included)
• clair-local-scan