CoreOS routinely criticizes Docker for not putting security first and claims that its own container system is safer by design.
To that end, it has released version 1.0 of the open source project Clair, which checks that the software packaged inside containers isn't inadvertently riddled with known security issues.
What's under the hood?
Clair scans the contents of container images -- the files that contain the software launched inside a container -- to determine whether they were built with versions of applications that have known vulnerabilities. It compares package metadata against entries in vulnerability databases, such as the CVE list.
Clair's method for gathering and processing vulnerability information isn't hard-wired. All of Clair's behaviors are pluggable, albeit with default batteries included. Data gathering from public sources, detection routines for inspecting container images, notification hooks, and the storage layer for vulnerability data can be swapped out or augmented by the user or by third parties.
It also provides the user with specific, actionable advice in the event of a detected problem. Most of the time, this consists of upgrading the package in question to a more recent version, but sometimes it includes removing dependencies that are not required in the final image. If Node.js, for instance, is used only as part of a build script and isn't included in the running application, it can be safely dropped from the final image.
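The matching and advice described above, as an added example that is not Clair's own code: package versions read from an image are compared against a small constructed vulnerability feed, and each hit gets either an "upgrade to" or a "drop if build-time only" recommendation. The vulnerability IDs are placeholders, the sample packages and feed are constructed, and the version comparator is a simplified stand-in, all stated as assumptions.

```python
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Key for dotted numeric versions, so "1.2.10" sorts after "1.2.9".
    Assumption: a real scanner needs the distro's own comparator (epochs,
    '~', Debian revisions); this stand-in is enough to show the idea."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass(frozen=True)
class Vulnerability:
    id: str        # IDs used below are placeholders, not real CVE numbers
    package: str
    fixed_in: str  # "" means no fixed version has been published yet


def scan(installed: dict, feed: list) -> list:
    """installed maps package name -> version, as read from an image layer's
    package metadata (e.g. dpkg status). Returns one finding per affected
    package/vulnerability pair with the kind of advice described above."""
    findings = []
    for vuln in feed:
        version = installed.get(vuln.package)
        if version is None:
            continue  # package is not present in this image
        if vuln.fixed_in and version_key(version) >= version_key(vuln.fixed_in):
            continue  # already at or past the fixed version
        if vuln.fixed_in:
            advice = f"upgrade {vuln.package} to {vuln.fixed_in} or later"
        else:
            advice = (f"no fix published; drop {vuln.package} from the final "
                      "image if it is only a build-time dependency")
        findings.append({"package": vuln.package, "version": version,
                         "id": vuln.id, "advice": advice})
    return findings


# Constructed sample data: packages "found" in an image and a three-entry feed.
SAMPLE_IMAGE = {"openssl": "1.0.1", "nodejs": "4.2.0", "bash": "4.3.30"}
SAMPLE_FEED = [
    Vulnerability("CVE-XXXX-0001", "openssl", "1.0.2"),   # fixed version exists
    Vulnerability("CVE-XXXX-0002", "nodejs", ""),         # no fix yet
    Vulnerability("CVE-XXXX-0003", "bash", "4.3.30"),     # image already patched
]

if __name__ == "__main__":
    for f in scan(SAMPLE_IMAGE, SAMPLE_FEED):
        print(f"{f['package']} {f['version']}: {f['id']} -> {f['advice']}")
```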
In the run-up to version 1.0, CoreOS worked hard to improve Clair's performance. Some database queries took as long as 30 seconds to complete; switching to Postgres 9.4 as the database back end "improved some of our API responses in production by 3 orders of magnitude" (from 30 seconds to 30 milliseconds), according to CoreOS.
The real dangers inside
The container model theoretically provides a high degree of security by default, but containers also bring new twists on existing problems. CoreOS focuses on how containers are spun up and executed, which involves many quirks. Docker, meanwhile, offers Docker Bench for checking container environments against best practices.
Clair addresses the lack of thought given to what might be inside a container image once it's created. The danger isn't malicious intent, but indifference.
CoreOS also wants Clair to become part of the process of building container repositories. The company's own Quay container repository uses Clair, but CoreOS hopes other hosted repository solutions -- including Docker's -- will pick up on, deploy, and bring changes to Clair.