In order to facilitate simple scanning of Docker and rkt images based on Oracle Linux, I added support for Oracle Linux to both Clair and Vuls (VULnerability Scanner).

Clair by CoreOS

From the CoreOS website:

Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project.

Clair is most visible in the integrated, automated scanning provided by CoreOS' public registry, Quay.io, and it is also built into CoreOS' Quay Enterprise product.

Both now support Oracle Linux as a scanning target and will report any vulnerabilities detected in uploaded images. As with the other distributions Clair supports, detection is based on the packages recorded in the image's RPM database, so software installed by other means is not covered.
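Supporting a distribution in a scanner of this kind comes down to two pieces: an updater that turns the vendor's advisory feed into (namespace, package, fixed-in version) rows, and a version comparison that reproduces rpm's own ordering when those rows are correlated with the packages indexed from an image. Comparing versions as plain strings gets this wrong in both directions ("1.9" sorts after "1.10", and an epoch is ignored entirely). The following is an added example written for this post, not code from Clair, Quay or Oracle: it implements rpm's version ordering and the correlation step over constructed data. The `oracle:7` namespace naming, the advisory IDs and the package names are this example's own placeholders, not real errata.

```go
package main

import (
	"cmp"
	"fmt"
	"strings"
)

// EVR is an RPM epoch:version-release triple, the unit rpm orders packages by.
type EVR struct {
	Epoch            int
	Version, Release string
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }
func isAlnum(c byte) bool { return isDigit(c) || ((c|0x20) >= 'a' && (c|0x20) <= 'z') }

// rpmvercmp compares two version or release strings by librpm's rpmvercmp()
// rules: separators are skipped, numeric segments compare as integers
// (1.10 > 1.9), letter segments lexically, a numeric segment beats a letter
// segment, and '~' sorts before everything, even the end of the string
// (1.0~rc1 < 1.0). The '^' separator of newer rpm is not handled.
func rpmvercmp(a, b string) int {
	for i, j := 0, 0; ; {
		for i < len(a) && !isAlnum(a[i]) && a[i] != '~' {
			i++
		}
		for j < len(b) && !isAlnum(b[j]) && b[j] != '~' {
			j++
		}
		ta, tb := i < len(a) && a[i] == '~', j < len(b) && b[j] == '~'
		switch {
		case ta && tb:
			i, j = i+1, j+1
			continue
		case ta:
			return -1
		case tb:
			return 1
		case i == len(a) || j == len(b): // one side ran out; more left means newer
			return cmp.Compare(len(a)-i, len(b)-j)
		}
		isnum, si, sj := isDigit(a[i]), i, j
		for i < len(a) && isAlnum(a[i]) && isDigit(a[i]) == isnum {
			i++
		}
		for j < len(b) && isAlnum(b[j]) && isDigit(b[j]) == isnum {
			j++
		}
		sa, sb := a[si:i], b[sj:j]
		if sb == "" { // segment kinds differ here: the numeric side wins
			if isnum {
				return 1
			}
			return -1
		}
		if isnum {
			sa, sb = strings.TrimLeft(sa, "0"), strings.TrimLeft(sb, "0")
			if len(sa) != len(sb) {
				return cmp.Compare(len(sa), len(sb))
			}
		}
		if c := strings.Compare(sa, sb); c != 0 {
			return c
		}
	}
}

// CompareEVR orders two packages as rpm does: epoch first, then version, then release.
func CompareEVR(a, b EVR) int {
	if c := cmp.Compare(a.Epoch, b.Epoch); c != 0 {
		return c
	}
	if c := rpmvercmp(a.Version, b.Version); c != 0 {
		return c
	}
	return rpmvercmp(a.Release, b.Release)
}

// Advisory is one (namespace, package, fixed-in EVR) row as a distro feed
// updater would emit it; Installed is one package indexed from an image layer.
type Advisory struct {
	ID, Namespace, Package string
	FixedIn                EVR
}
type Installed struct {
	Name string
	EVR  EVR
}

// Match returns "ADVISORY package" for each installed package whose EVR is
// older than the fix in an advisory for the same namespace and package name.
func Match(ns string, pkgs []Installed, advs []Advisory) []string {
	var hits []string
	for _, p := range pkgs {
		for _, a := range advs {
			if a.Namespace == ns && a.Package == p.Name && CompareEVR(p.EVR, a.FixedIn) < 0 {
				hits = append(hits, a.ID+" "+p.Name)
			}
		}
	}
	return hits
}

// Constructed sample data: placeholder advisory IDs and package names, not
// real Oracle Linux errata; "oracle:7" is this example's namespace naming.
var sampleAdvisories = []Advisory{
	{"ELSA-0000-0001", "oracle:7", "libfoo", EVR{0, "1.10", "1.el7"}},
	{"ELSA-0000-0002", "oracle:7", "bar", EVR{0, "3.0", "1.el7"}},
}

var samplePackages = []Installed{
	{"libfoo", EVR{0, "1.9", "2.el7"}}, // older than 1.10; "1.9" > "1.10" as strings would miss it
	{"bar", EVR{2, "1.0", "1.el7"}},    // epoch 2 outranks the fix's epoch 0: not affected
}

func main() {
	fmt.Println(Match("oracle:7", samplePackages, sampleAdvisories)) // [ELSA-0000-0001 libfoo]
}
```

The point of the namespace field is that an advisory for Oracle Linux 6 must never be applied to a package found in an Oracle Linux 7 image, even when the package name matches; the scanner's detector has to read the image's release file first and only then consult rows for that release.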

Quay.io showing Clair scans of Oracle Linux tags.

There are also command-line client tools, including Clairctl, Klar and Reg, that pull images from the public Docker Hub or a private Docker registry, submit them to a Clair instance and print the resulting vulnerability report.

Vuls

Vuls (VULnerability Scanner) is an open source scanner written in Go. It runs on a Linux or FreeBSD host, scans Linux or FreeBSD systems, and supports several target operating systems including Oracle Linux, Ubuntu, Debian, CentOS, Amazon Linux, Red Hat Enterprise Linux, FreeBSD and Raspbian.

Vuls is agentless: it needs only a single scanning host with SSH access to each target machine. It includes a terminal-based report viewer and can feed its results to web-based reporting front-ends such as VulsRepo.

If you have any issues with the Oracle Linux integration for one of these products, please open an issue with the product directly, usually via their GitHub repository. I’m sure they’ll ping me to take a look.

Is your preferred container security product missing Oracle Linux support?

Let me know via email at me@dje.li.