用clair推送和分析容器
paclair的Python项目详细描述
paclair是与Coreos’s Clair交互的python3 cli工具。
功能:
- 现在与clair v3兼容(删除不可用)
- 无需安装Docker,因为Paclair直接与注册表交互。
- 与所有注册中心兼容。
- 使用简单。
- 由于轻量级输出模式,在CI作业中易于集成。
安装
要安装paclair,只需使用pip(或pipenv):
$ pip install paclair ✨?✨
喂!
配置
示例
conf目录中提供了一个示例配置文件
General:
clair_url: 'https://localhost:6060'
# clair_api_version: 3
# Whitelist known CVE's not to shown in html report
# cve_whitelist:
# - CVE-2016-9843
# - CVE-2016-9840
# - CVE-2016-6313
Plugins:
Docker:
class: paclair.plugins.docker_plugin.DockerPlugin
registries:
artifactory.registry.com:
token_url: "https://artifactory.registry.com/api/docker/{image.repository}/v2/token?service=artifactory.registry.com"
protocol: 'http'
api_prefix: '/api/docker/{image.repository}'
registry.gitlab.domain.com:
auth:
- "*****"
- "*****"
# Example for a private gitlab server
gitlab.example.com:4567:
# If using https with an internal CA, ensure verify is pointing to it
protocol: 'https'
verify: "/etc/ssl/certs/ca-certificates.crt"
auth:
- "*****"
- "*****"
# Example for ECR Docker Repository
xxxxxxxxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com:
token: "" # Execute this command to get token aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'
protocol: 'https'
token_type: Basic
插件在执行期间动态加载。这就是为什么必须指定 你想要使用的插件。
我们有不同的插件来与不同的资源交互(例如:Docker注册表,ElasticSearch) 因为我们使用自定义的clair变体,可以分析多个docker图像。
如果你只想使用paclair来分析docker的图片,就不要为其他插件而烦恼。
选项
| Config Option | Description |
|---|---|
| General::clair_url | url of the Clair Server. |
| General::verify | Either a boolean, in which case it controls whether we verify the server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. |
| General::clair_api_version | Clair Api Version. If different from 3, will be set to default. Default to 1. |
| General::html_template | Html template. You can use a custom html template when using html output. |
| General::cve_whitelist | CVE vulnerability list not to be included in the report post analysis (stats or html). |
| Plugins | List of plugins to use. If you only want to analyse docker images, keep the default configuration. |
| Plugins::Docker::class | Class for the docker plugin |
| Plugins::Docker::registries | You can specify configuration for registries (authentification, …) if needed. |
| Plugins::Docker::registries::regi stry1::auth | login/password |
| Plugins::Docker::registries::regi stry1::verify | Either a boolean, in which case it controls whether we verify the server’s TLS certificate, or a string, in which case it must be a path to a CA bundle to use. |
| Plugins::Docker::registries::regi stry1::protocol | Protocol to use (http or https). Default to https. |
| Plugins::Docker::registries::token | You can specify an authentication token (use with token_type). Default to None. |
| Plugins::Docker::registries::token _type | Specify the token type. Default to Bearer. |
运行测试
发射毒素。
$ tox
用法
usage: paclair [-h][--debug][--syslog][--conf CONF] plugin hosts [hosts ...]{push,delete,analyse} ... positional arguments: plugin Plugin to launch hosts Image/hostname to analyse {push,delete,analyse} Command to launch push Push images/hosts to Clair delete Delete images/hosts from Clair analyse Analyse images/hosts already pushed to Clair optional arguments: -h, --help show this help message and exit --debug Debug mode --syslog Log to syslog --conf CONF Conf file
分析命令用法
usage: paclair plugin hosts [hosts ...] analyse [-h][--output-format {stats,html}][--output-report {file,term}][--output-dir OUTPUT_DIR][--delete] optional arguments: -h, --help show this help message and exit --output-format {stats,html} Change default output format (default: json) --output-report {file,term} Change report location (default: logger) --output-dir OUTPUT_DIR Change output directory (default: current) --delete Delete after analyse
示例
将ubuntu图像推送到clair
$ paclair --conf conf/conf.yml Docker ubuntu push Pushed ubuntu to Clair.
分析ubuntu映像(stats only show fixable cve)
$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format stats
Medium: 3如果不指定–output format stats,则可以使用完整的json。
分析ubuntu图像并在目录/tmp中获取html报告
$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format html --output-dir /tmp
删除ubuntu图像
$ paclair --conf conf/conf.yml Docker ubuntu delete ubuntu was deleted from Clair.
贡献
请随意贡献。
欢迎加入QQ群-->: 979659372
