Containers specialist CoreOS has released an open source tool designed to help organisations better secure their infrastructure by inspecting container images for known security flaws and offering the relevant patch or update if available.
CoreOS is best known for its namesake build of Linux, which is optimised for hosting and running applications and services inside containers. However, the firm has a portfolio of other products, including the new Clair security project.
Clair is designed to give IT teams in a DevOps environment key information to maintain security by delivering useful and actionable details about vulnerabilities that threaten containers, CoreOS said.
The tool was made available as a preview release towards the end of last year, but has now reached version 1.0 status and is being made more widely available to address the security problems surrounding containers.
"Community feedback guided many of the latest Clair features, including the ability not only to reveal whether a vulnerability is present but to offer the available patch or update to correct it," said CoreOS software engineer Quentin Machu on the CoreOS blog.
Many organisations have turned to containers as a more flexible way to deliver applications and services, but there are concerns about the security of container infrastructure, mainly because containers do not have the same level of isolation as virtual machines and are a less mature technology.
Clair scans each container layer and provides a notification of any identified vulnerabilities that may be a threat based on information from the Common Vulnerabilities and Exposures (CVE) database and similar databases from Red Hat, Ubuntu and Debian. Layers may be shared between many containers, so introspection is vital to build an inventory of packages and match that against known CVEs, CoreOS said.
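The layer-by-layer matching described above can be sketched as follows. This is an added example, not Clair's code or API: the layer contents, image names and `EXAMPLE-` advisory ids are constructed, each layer is assumed to record only the packages it adds, and versions are assumed to be plain dotted numbers.

```python
# Simplified model of layer-based scanning (constructed data, not Clair's code or API).
from functools import lru_cache

# Constructed layer store: layer id -> {package: installed version}.
LAYERS = {
    "base-os": {"openssl": "1.0.1", "bash": "4.3"},
    "web": {"nginx": "1.8.0"},
    "app-a": {"libpng": "1.2.50"},
}
# Constructed images: ordered layer ids; "base-os" and "web" are shared.
IMAGES = {"shop": ["base-os", "web", "app-a"], "blog": ["base-os", "web"]}
# Constructed advisories with placeholder ids: (id, package, first fixed version).
ADVISORIES = [
    ("EXAMPLE-0001", "openssl", "1.0.2"),
    ("EXAMPLE-0002", "nginx", "1.8.1"),
    ("EXAMPLE-0003", "bash", "4.3"),
]


def vkey(version):
    # Assumption: dotted numeric versions only; real distribution
    # versions need dpkg/rpm comparison rules.
    return tuple(int(part) for part in version.split("."))


@lru_cache(maxsize=None)
def scan_layer(layer_id):
    """Analyse one layer once; the result is reused by every image sharing it."""
    findings = []
    for adv_id, pkg, fixed in ADVISORIES:
        installed = LAYERS[layer_id].get(pkg)
        if installed is not None and vkey(installed) < vkey(fixed):
            findings.append((adv_id, pkg, installed, fixed))
    return tuple(findings)


def scan_image(image):
    """Findings for an image, each tagged with the layer that introduced it."""
    return [(layer, *f) for layer in IMAGES[image] for f in scan_layer(layer)]


def images_affected_by(adv_id):
    """Inverse lookup: which images need rebuilding for a given advisory."""
    return sorted(i for i in IMAGES if any(f[1] == adv_id for f in scan_image(i)))
```

Each finding carries the first fixed version, which is the "available patch or update" part of the report, and the layer id shows which shared layer must be rebuilt.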
"Updating to the latest versions of installed software improves overall infrastructure security, which is why we deemed it important to analyse container images for security vulnerabilities as well as provide a clear path to updates mediating those issues that Clair uncovers," Machu said.
"Container images are often infrequently updated, but with Clair security scanning users can identify and update problematic images more easily."