Today we are releasing a new feature in beta, Security Scanning. Quay Security Scanning will automatically detect and report vulnerabilities in your containers. We have already scanned millions of containers on Quay with this feature, and found that nearly 80% are subject to major vulnerabilities, such as Heartbleed.
Security Scanning is powered by our open source vulnerability analysis tool, Clair. You can read about Clair on the CoreOS blog. We are open sourcing Clair in order to be transparent about the vulnerabilities we are looking for, as well as assist other container registry vendors to provide this type of transparency to their users.
In practice, every time an image is pushed into Quay, the analysis system checks it for vulnerabilities, flags any it finds in the interface, and sends a notification. The report includes a severity level for each vulnerability – high, medium or low – together with a description and the affected installed packages. A link to the vulnerability’s source information is included; that source generally describes the steps required to patch it.
For a quick overview of the feature and how it works, please check out the following steps.
How to See Your Vulnerable Images
Starting today, vulnerability status is shown in a new column entitled “Security Scan” in the tags view. The column shows Passed if no vulnerabilities were detected in the tag’s image; otherwise Quay Security Scanning rates each vulnerability found as high, medium or low.
Results of your proactive security scans can be viewed by tag for each of your repositories.
If the tag has a vulnerability, the highest priority vulnerability will be shown (color coded), along with the total number of vulnerabilities detected. Clicking on the vulnerability information will bring up the full vulnerability list:
On the vulnerability list, you can see the full information for each vulnerability, including its priority, its description and a link to its source information.
Finally, we’ve added another panel for viewing the full list of detected packages in a container image, including their versions and source OS.
How to Set Up Notifications
To react quickly to identified vulnerabilities, notifications can be configured for email, Slack, generic webhooks, and more. These settings are configurable per repository so each development team can choose how to be notified and the level of severity they care about.
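As an added illustration of the per-repository severity threshold described above (example code, not part of this post and not Quay’s or Clair’s own code), the following Python receiver accepts a generic webhook, finds the highest severity in the notification, and decides whether the finding meets the threshold configured for that repository. The JSON payload shape, the repository names and the thresholds are assumptions constructed for this example; Quay’s real webhook format is not described on this page.

```python
# Added example: a minimal receiver for a generic vulnerability-notification
# webhook with per-repository severity thresholds. The payload shape, repository
# names and thresholds below are ASSUMPTIONS constructed for this example; they
# are not Quay's or Clair's documented format.
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ordering used to compare severities; the level names match those in the post.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Hypothetical per-repository thresholds: alert only at or above this level.
REPO_THRESHOLDS = {
    "team-a/web": "Medium",
    "team-b/batch": "High",
}
DEFAULT_THRESHOLD = "High"


def summarize(vulnerabilities):
    """Return (highest severity or None, total count) for a list of findings."""
    highest = None
    for vuln in vulnerabilities:
        sev = vuln.get("priority")
        if sev not in SEVERITY_RANK:
            continue  # unknown level: skip rather than crash the receiver
        if highest is None or SEVERITY_RANK[sev] > SEVERITY_RANK[highest]:
            highest = sev
    return highest, len(vulnerabilities)


def should_alert(repository, vulnerabilities):
    """True when the worst finding reaches the repository's configured threshold."""
    threshold = REPO_THRESHOLDS.get(repository, DEFAULT_THRESHOLD)
    highest, _count = summarize(vulnerabilities)
    if highest is None:
        return False
    return SEVERITY_RANK[highest] >= SEVERITY_RANK[threshold]


def handle_notification(raw_body):
    """Parse one webhook body and return the triage result a receiver would log or forward."""
    payload = json.loads(raw_body)
    repo = payload["repository"]
    vulns = payload.get("vulnerabilities", [])
    highest, count = summarize(vulns)
    return {
        "repository": repo,
        "tag": payload.get("tag"),
        "highest": highest,
        "count": count,
        "alert": should_alert(repo, vulns),
    }


class WebhookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint the registry would POST notifications to (assumed JSON body)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        result = handle_notification(self.rfile.read(length))
        print(result)  # in practice: forward to chat, ticketing or paging
        self.send_response(204)
        self.end_headers()


# Constructed sample notification (not a real Quay payload).
SAMPLE_BODY = json.dumps({
    "repository": "team-a/web",
    "tag": "latest",
    "vulnerabilities": [
        {"name": "EXAMPLE-0001", "priority": "Low", "package": "libexample 1.0"},
        {"name": "EXAMPLE-0002", "priority": "Medium", "package": "libother 2.3"},
    ],
})

if __name__ == "__main__":
    print(handle_notification(SAMPLE_BODY))
    if "--serve" in sys.argv:  # run the receiver only when asked
        HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run the file to see the triage of the constructed sample; add `--serve` to listen on localhost:8080 for POSTed notifications. Keeping the threshold lookup per repository mirrors the per-repository settings described above: the same Medium finding alerts for `team-a/web` but stays below the High threshold for `team-b/batch`.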
Security Scanning is currently in beta, so please provide your feedback by emailing support. Additionally, support for Quay Enterprise is coming soon, but not part of this release.
Try security scanning today by logging into Quay.io.