Push and analyse containers with Clair
Detailed description of the paclair Python project
paclair is a Python 3 CLI tool for interacting with CoreOS's Clair.
Features:
- Now compatible with Clair v3 (the delete command is not available there).
- No need to install Docker: paclair talks to the registry directly.
- Compatible with all registries.
- Simple to use.
- Easy to integrate into CI jobs thanks to the lightweight output mode.
Installation
To install paclair, just use pip (or pipenv):

```shell
$ pip install paclair
```

That's it!
Configuration
Example
An example configuration file is provided in the conf directory:
```yaml
General:
  clair_url: 'https://localhost:6060'
  # clair_api_version: 3
  # Whitelist of known CVEs not to be shown in the html report
  # cve_whitelist:
  #   - CVE-2016-9843
  #   - CVE-2016-9840
  #   - CVE-2016-6313

Plugins:
  Docker:
    class: paclair.plugins.docker_plugin.DockerPlugin
    registries:
      artifactory.registry.com:
        token_url: "https://artifactory.registry.com/api/docker/{image.repository}/v2/token?service=artifactory.registry.com"
        protocol: 'http'
        api_prefix: '/api/docker/{image.repository}'
      registry.gitlab.domain.com:
        auth:
          - "*****"
          - "*****"
      # Example for a private gitlab server
      gitlab.example.com:4567:
        # If using https with an internal CA, ensure verify is pointing to it
        protocol: 'https'
        verify: "/etc/ssl/certs/ca-certificates.crt"
        auth:
          - "*****"
          - "*****"
      # Example for an ECR Docker repository
      xxxxxxxxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com:
        # Get the token with:
        # aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'
        token: ""
        protocol: 'https'
        token_type: Basic
```
Plugins are loaded dynamically at run time, which is why you must specify the plugin you want to use.
We have different plugins to interact with different resources (e.g. Docker registries, ElasticSearch) because we use a custom Clair variant that can analyse more than just Docker images.
If you only want to use paclair to analyse Docker images, don't bother with the other plugins.
Options
Config Option | Description |
---|---|
General::clair_url | URL of the Clair server. |
General::verify | Either a boolean, in which case it controls whether the server's TLS certificate is verified, or a string, in which case it must be a path to a CA bundle to use. |
General::clair_api_version | Clair API version. If different from 3, the default is used. Defaults to 1. |
General::html_template | HTML template. You can use a custom HTML template when using the html output. |
General::cve_whitelist | List of CVEs not to be included in the post-analysis report (stats or html). |
Plugins | List of plugins to use. If you only want to analyse Docker images, keep the default configuration. |
Plugins::Docker::class | Class for the Docker plugin. |
Plugins::Docker::registries | Per-registry configuration (authentication, ...) if needed. |
Plugins::Docker::registries::registry1::auth | login/password |
Plugins::Docker::registries::registry1::verify | Either a boolean, in which case it controls whether the registry's TLS certificate is verified, or a string, in which case it must be a path to a CA bundle to use. |
Plugins::Docker::registries::registry1::protocol | Protocol to use (http or https). Defaults to https. |
Plugins::Docker::registries::registry1::token | An authentication token (use together with token_type). Defaults to None. |
Plugins::Docker::registries::registry1::token_type | The token type. Defaults to Bearer. |
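Because `verify` and `protocol` both default to the safe value and are only ever loosened by hand, it is worth checking a conf.yml before handing it to paclair. The linter below is an added example and not part of paclair: `lint_config`, `registry_findings` and the `EXAMPLE_CONFIG` dictionary are this example's own, the config mirrors the shape of the conf/conf.yml example above (with deliberately weakened settings), and it assumes that a missing `verify` or `protocol` takes the defaults in the table (verification on, https).

```python
# Added example, not part of paclair: lint a paclair configuration for
# settings that weaken transport security before the tool is run.
#
# Assumptions (not stated on the page): a missing `verify` means True and a
# missing `protocol` means https, the defaults listed in the options table;
# the key layout follows the conf/conf.yml example above.
from urllib.parse import urlparse

# Constructed configuration for this example, shaped like conf/conf.yml.
# For a real run load the file instead:  yaml.safe_load(open("conf/conf.yml"))
EXAMPLE_CONFIG = {
    "General": {
        "clair_url": "http://localhost:6060",  # plaintext to the Clair API
        "clair_api_version": 3,
    },
    "Plugins": {
        "Docker": {
            "class": "paclair.plugins.docker_plugin.DockerPlugin",
            "registries": {
                "artifactory.registry.com": {
                    # token fetched over https, then presented over http
                    "token_url": "https://artifactory.registry.com/api/docker/{image.repository}/v2/token?service=artifactory.registry.com",
                    "protocol": "http",
                    "api_prefix": "/api/docker/{image.repository}",
                },
                "gitlab.example.com:4567": {  # the only clean entry
                    "protocol": "https",
                    "verify": "/etc/ssl/certs/ca-certificates.crt",
                    "auth": ["ci-user", "s3cret"],  # placeholder credentials
                },
                "xxxxxxxxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com": {
                    "token": "QVdTOmV4YW1wbGU=",  # placeholder, not a real ECR token
                    "token_type": "Basic",
                    "protocol": "https",
                    "verify": False,  # certificate check switched off
                },
            },
        }
    },
}


def registry_findings(name, reg):
    """Findings for one registry entry; a missing key means the default."""
    findings = []
    has_creds = bool(reg.get("auth") or reg.get("token") or reg.get("token_url"))
    protocol = reg.get("protocol", "https")
    verify = reg.get("verify", True)
    if protocol != "https" and has_creds:
        findings.append(f"{name}: protocol is {protocol!r} but credentials are configured; "
                        "the login/password or token is sent in cleartext")
    elif protocol != "https":
        findings.append(f"{name}: protocol is {protocol!r}; layer data can be altered in transit")
    if verify is False:
        findings.append(f"{name}: verify is false; any certificate, including a MITM's, is accepted")
    return findings


def lint_config(config):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    general = config.get("General", {})
    clair_url = general.get("clair_url", "")
    if urlparse(clair_url).scheme != "https":
        findings.append(f"General.clair_url {clair_url!r}: not https; image references and "
                        "vulnerability reports cross the network in the clear")
    if general.get("verify", True) is False:
        findings.append("General.verify is false; the Clair server's certificate is never checked")
    registries = config.get("Plugins", {}).get("Docker", {}).get("registries", {})
    for name, reg in registries.items():
        findings.extend(registry_findings(name, reg or {}))
    return findings


if __name__ == "__main__":
    problems = lint_config(EXAMPLE_CONFIG)
    for problem in problems:
        print("WARN", problem)
    raise SystemExit(1 if problems else 0)
```

Run against the constructed config it reports three problems (plaintext clair_url, the Artifactory entry presenting its token over http, and the ECR entry with verification disabled) and exits non-zero; the GitLab entry, which pins an internal CA bundle, passes.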
Running the tests
Launch tox:

```shell
$ tox
```
Usage

```
usage: paclair [-h] [--debug] [--syslog] [--conf CONF]
               plugin hosts [hosts ...] {push,delete,analyse} ...

positional arguments:
  plugin                Plugin to launch
  hosts                 Image/hostname to analyse
  {push,delete,analyse}
                        Command to launch
    push                Push images/hosts to Clair
    delete              Delete images/hosts from Clair
    analyse             Analyse images/hosts already pushed to Clair

optional arguments:
  -h, --help            show this help message and exit
  --debug               Debug mode
  --syslog              Log to syslog
  --conf CONF           Conf file
```
Analyse command usage

```
usage: paclair plugin hosts [hosts ...] analyse [-h]
                                               [--output-format {stats,html}]
                                               [--output-report {file,term}]
                                               [--output-dir OUTPUT_DIR]
                                               [--delete]

optional arguments:
  -h, --help            show this help message and exit
  --output-format {stats,html}
                        Change default output format (default: json)
  --output-report {file,term}
                        Change report location (default: logger)
  --output-dir OUTPUT_DIR
                        Change output directory (default: current)
  --delete              Delete after analyse
```
Examples
Push the ubuntu image to Clair:

```shell
$ paclair --conf conf/conf.yml Docker ubuntu push
Pushed ubuntu to Clair.
```
Analyse the ubuntu image (stats only counts CVEs that have a fix available):

```shell
$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format stats
Medium: 3
```

If you don't pass --output-format stats you get the full JSON report. Because stats only counts fixable CVEs, an empty stats result does not mean the image has no known vulnerabilities; use the JSON output when you need the complete list.
Analyse the ubuntu image and write an html report to the /tmp directory:

```shell
$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format html --output-dir /tmp
```
Delete the ubuntu image:

```shell
$ paclair --conf conf/conf.yml Docker ubuntu delete
ubuntu was deleted from Clair.
```
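The push/analyse/delete commands above, combined into the CI gate the feature list alludes to, as an added example that is not part of paclair: it pushes the image, runs analyse with the stats output, and fails the job when any count at or above a chosen severity is non-zero. Assumptions beyond what the page shows: stats prints one "Severity: count" line per severity, as in the "Medium: 3" sample, using Clair's severity names (Unknown, Negligible, Low, Medium, High, Critical, Defcon1); `--output-report term` sends the lines to the terminal so they can be captured; `SAMPLE_STATS`, the `gate`/`parse_stats`/`violations` functions and the threshold policy are this example's own.

```python
# Added example, not part of paclair: turn `analyse --output-format stats`
# into a pass/fail CI gate.
#
# Assumptions (not stated on the page): stats prints one "Severity: count"
# line per severity, as in the "Medium: 3" sample above, with Clair's severity
# names; `--output-report term` makes the lines capturable. The sample output
# and the threshold policy are constructed for this example.
import re
import subprocess
import sys

# Clair's severity ladder, lowest to highest (assumed to match Clair's enum).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
STATS_LINE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(\d+)\s*$")

# Constructed sample of captured paclair output (push message plus stats lines).
SAMPLE_STATS = "Pushed ubuntu to Clair.\nLow: 7\nMedium: 3\nHigh: 1\n"


def parse_stats(text):
    """Map severity -> count from stats output; unrelated lines are ignored."""
    counts = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line)
        if m and m.group(1) in SEVERITY_ORDER:
            counts[m.group(1)] = int(m.group(2))
    return counts


def violations(counts, min_severity="High"):
    """Severities at or above min_severity whose count is non-zero."""
    floor = SEVERITY_ORDER.index(min_severity)
    return {s: n for s, n in counts.items() if SEVERITY_ORDER.index(s) >= floor and n > 0}


def paclair(conf, image, *args):
    """Run one paclair command against the Docker plugin. stdout and stderr
    are both returned because the report location defaults to the logger."""
    cmd = ["paclair", "--conf", conf, "Docker", image, *args]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout + proc.stderr


def gate(conf, image, min_severity="High", cleanup=False):
    """Push, analyse and decide; returns (counts, violations).

    cleanup=True adds --delete so the image is removed from Clair after the
    analysis. Per the feature list above, delete is not available against
    Clair v3, so leave it off there."""
    paclair(conf, image, "push")
    extra = ["--delete"] if cleanup else []
    out = paclair(conf, image, "analyse", "--output-format", "stats",
                  "--output-report", "term", *extra)
    counts = parse_stats(out)
    return counts, violations(counts, min_severity)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} CONF IMAGE [MIN_SEVERITY]")
    conf, image = sys.argv[1], sys.argv[2]
    min_sev = sys.argv[3] if len(sys.argv) > 3 else "High"
    counts, bad = gate(conf, image, min_sev)
    for sev in SEVERITY_ORDER:
        if sev in counts:
            print(f"{sev}: {counts[sev]}")
    if bad:
        print(f"FAIL: fixable vulnerabilities at or above {min_sev}: {bad}")
        sys.exit(1)
    print(f"OK: nothing fixable at or above {min_sev}")
```

Run as `python gate.py conf/conf.yml ubuntu High` in the pipeline; the non-zero exit fails the job. Keep in mind that stats only counts CVEs with a fix available, so this gate enforces "nothing fixable", not "nothing known"; a job that must also see unfixed findings has to parse the JSON output instead.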
Contributing
Feel free to contribute.