Security Scanning in Beta, Powered by Clair

November 13, 2015 · By Joey Schorr

Today we are releasing a new feature in beta, Security Scanning. Quay Security Scanning will automatically detect and report vulnerabilities in your containers. We have already scanned millions of containers on Quay with this feature, and found that nearly 80% are subject to major vulnerabilities, such as Heartbleed.

Security Scanning is powered by our open source vulnerability analysis tool, Clair. You can read about Clair on the CoreOS blog. We are open sourcing Clair in order to be transparent about the vulnerabilities we are looking for, and to help other container registry vendors provide the same kind of transparency to their users.

In practice, every time an image is pushed into Quay, the analysis system will check it for vulnerabilities, flag the image in the interface, and send a notification. The report includes the severity of each vulnerability – high, medium or low – along with a description and the affected packages that are installed. A link is included to the vulnerability’s source information, which generally includes the steps required to patch the vulnerability.

For a quick overview of the feature and how it works, please check out the following steps.

How to See Your Vulnerable Images

[Screenshot: repository tags]

Starting today, the vulnerability status can be seen as a new column entitled “Security Scan” in the tags view. This column will show Passed if no vulnerabilities were detected in the tag’s image. Any vulnerabilities that Quay Security Scanning finds in a container are rated high, medium or low.

[Screenshot: repository tags with critical vulnerability]

Results of your proactive security scans can be viewed by tag for each of your repositories.

If the tag has a vulnerability, the highest priority vulnerability will be shown (color-coded), along with the total number of vulnerabilities detected. Clicking on the vulnerability information will bring up the full vulnerability list:

[Screenshot: image security]

On the vulnerability list, you can see the full information for each vulnerability, including its priority, its description and a link to its source information.

[Screenshot: image packages]

Finally, we’ve added another panel for viewing the full list of detected packages in a container image, including their versions and source OS.

How to Set Up Notifications

To react quickly to identified vulnerabilities, notifications can be configured for email, Slack, generic webhooks, and more. These settings are configurable per repository, so each development team can choose how it is notified and the minimum severity it cares about.
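As an added illustration (this is not Quay's or Clair's code, and the Finding fields, sample data and notification dictionary below do not follow the real Quay or Clair report or webhook formats), the following Python sketches the triage that the tags view and the per-repository notification settings described above perform: summarize a tag's scan as Passed or as its highest severity plus a total count, then apply a repository's minimum-severity threshold and build a notification carrying the description, affected package and source link for each qualifying vulnerability. All identifiers and URLs are constructed placeholders.

```python
"""Triage of container-scan findings, modelled on the workflow described on
this page: summarize a tag's scan (Passed, or highest severity plus count)
and decide whether a per-repository notification threshold is met.

Everything here is a constructed illustration: the Finding fields, the sample
data and the notification dictionary are made up for this example and do NOT
follow the real Quay or Clair report or webhook formats.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity levels used in the page's description, ranked for comparison.
SEVERITY_RANK: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Finding:
    """One detected vulnerability in an image (constructed shape)."""
    vuln_id: str       # placeholder identifier, not a real advisory number
    severity: str      # "High", "Medium" or "Low"
    package: str       # affected installed package
    version: str       # installed version of that package
    description: str
    link: str          # where the scanner points for source information


def _rank(severity: str) -> int:
    """Map a severity label to a number; reject labels the rating scheme does not define."""
    try:
        return SEVERITY_RANK[severity]
    except KeyError:
        raise ValueError(f"unknown severity level: {severity!r}") from None


def summarize_tag(findings: List[Finding]) -> Tuple[str, int]:
    """What the tags view shows: ("Passed", 0) or (highest severity, total count)."""
    if not findings:
        return ("Passed", 0)
    worst = max(findings, key=lambda f: _rank(f.severity))
    return (worst.severity, len(findings))


def findings_at_or_above(findings: List[Finding], minimum_severity: str) -> List[Finding]:
    """Apply a repository's notification threshold; worst findings first."""
    threshold = _rank(minimum_severity)
    selected = [f for f in findings if _rank(f.severity) >= threshold]
    return sorted(selected, key=lambda f: _rank(f.severity), reverse=True)


def build_notification(repo: str, tag: str, findings: List[Finding],
                       minimum_severity: str) -> Optional[dict]:
    """Return a notification payload (constructed shape) or None if nothing qualifies."""
    selected = findings_at_or_above(findings, minimum_severity)
    if not selected:
        return None
    level, total = summarize_tag(findings)
    return {
        "repository": repo,
        "tag": tag,
        "highest_severity": level,
        "total_vulnerabilities": total,
        "reported": [
            {
                "id": f.vuln_id,
                "severity": f.severity,
                "package": f"{f.package} {f.version}",
                "description": f.description,
                "link": f.link,
            }
            for f in selected
        ],
    }


# Constructed sample scan result for one tag; identifiers and URLs are placeholders.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("EXAMPLE-0001", "High", "openssl", "1.0.1e",
            "constructed example: Heartbleed-style OpenSSL memory disclosure",
            "https://example.invalid/advisories/EXAMPLE-0001"),
    Finding("EXAMPLE-0002", "Medium", "bash", "4.2",
            "constructed example: medium-severity issue",
            "https://example.invalid/advisories/EXAMPLE-0002"),
    Finding("EXAMPLE-0003", "Low", "libxml2", "2.9.1",
            "constructed example: low-severity issue",
            "https://example.invalid/advisories/EXAMPLE-0003"),
]

if __name__ == "__main__":
    print(summarize_tag(SAMPLE_FINDINGS))
    print(build_notification("team/app", "latest", SAMPLE_FINDINGS, "High"))
```

The threshold is applied per repository while the summary still reports the tag's total count, so a team that only wants High alerts still sees that Medium and Low findings exist and can lower the threshold later; an unrecognised severity label is rejected rather than silently ranked lowest.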

Next Steps

Security Scanning is currently in beta, so please provide your feedback by emailing support. Additionally, support for Quay Enterprise is coming soon, but not part of this release.

Try security scanning today by logging into Quay.io.