flair-vulnerability-scanner

The repository is used to scan Flair images for vulnerabilities

Startup

To scan a Flair docker image, you need to start a scanner first, then start the scan.

Start the scanner

First start the database, Clair (scanner) and a docker registry by running

./start.sh

Wait for at least 30 minutes after startup to wait for the Clair to pull vulnerability into a local PostgreSQL database, otherwise, you won't find any vulnerabilities.

Do the scan

Then, run the scanning by first editing the following file scan/klarrunner/.env

APPNAME=flair-engine
APPVER=latest

where APPNAME is a flair docker image name, and APPVER is the version you would like to scan (latest by default).

After that run

./scan.sh

You should see high and critical vulnerability scanning results on the screen.

The scan.sh file builds the klar docker image from the scan/klarrunner folder that starts the actual scan. Then it pulls the image you requested to scan into the local docker repository, and then starts the scanning.

Troubleshooting

If any issues, run the following commands and try again.

docker-compose -f docker/scanner-docker-compose.yml down

docker-compose -f scan/klarrunner-docker-compose.yml down