Open in app

Sign in

Write

Sign in

Containers Security: Clair vs. KICS

Mark Mishaev
4 min readAug 9, 2021

Introduction

We witness containers rapidly becoming native choice for running cloud and on-premises workloads.

Containerized applications benefit from scalability, cost-effectiveness, better resources utilization and maintainability. In addition, containers become default solution for exercising modern DevOps practices, such as GitOps and CI/CD processes.

Needless to say, that scanning containers for security vulnerabilities and misconfigurations is a mandatory part of application development and deployment lifecycles.

In this post, we’ll explore two container security scanners: KICS and Clair.

Static Code Analysis

Let’s start with a brief overview of what static application security testing (SAST) is.

I’ll quote the definition from Checkmarx SAST solution description:

Static Application Security Testing, shortened as SAST, and also referred to as White-Box Testing, is a type of security testing which analyzes an applications source code to determine if security vulnerabilities exist. SAST solutions looks at the application ‘from the inside-out’, without needing to actually compile the code.

One of the primary advantages of static code analysis is that it allows early integration of it in SDLC, so that software developers writing the code, can get nearly real-time feedback on security issues and quality bugs that may lead to potential security breaches.

Same advantages apply to containers static code analysis, as we’ll see later in this post.

Clair

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and docker).

Clair parses image contents and reporting vulnerabilities affecting the contents. This is done by indexing and matching container images against known vulnerabilities.

It supports the extraction of contents and assignment of vulnerabilities from the official base containers, such as Ubuntu, Alpine, AWS Linux, Debian, RHEL and others.

How Clair Works?

Clair’s analysis is broken into three distinct parts.

  1. Indexing: starts with submitting a Manifest to Clair. On receipt, Clair will fetch layers, scan their contents, and return an intermediate representation called an IndexReport.
  2. Matching: is taking an IndexReport and correlating vulnerabilities affecting the manifest the report represents.
  3. Notifications: when new vulnerabilities are discovered, the Clair notifier service will determine if these vulnerabilities affect any indexed Manifests. The notifier will then take action according to its configuration.

More detailed description of Clair’s internals and architecture could be found here.

KICS

KICS stands for Keeping Infrastructure as Code S ecure, is an open source projects for infrastructure-as-code (IaC) static code analysis.

KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle.

It supports all the major IaC technologies:

and Docker as we can see is one of them.

KICS spots various docker vulnerabilities, such as exposing ports, multiple entry-point instructions, running with escalated privileges, running with sudo commands and others.

The full list of Docker queries could be found here.

How KICS works?

KICS is written in Golang using Open Policy Agent (OPA).

KICS has a pluggable architecture with extensible pipeline of parsing IaC languages, which allows an easy integration of new IaC languages and queries.

At a very high level, KICS is composed of the following main components: a command line interface, parser, queries execution engine, IaC providers, security queries, and results writer:

  • Command Line Interface => Provides CLI input to KICS.
  • Parser => responsible for parsing input IaC files (terraform and others)
  • IaC Providers => Converts IaC language into normalized JSON
  • Queries Execution Engine => applies REGO queries against normalized JSON
  • Security Queries => pre-built REGO queries for each security and misconfiguration

More detailed description of KICS’s internals and architecture could be found here.

Conclusion

In this post we took a look at two containers security tools Clair and KICS.

Both inspects containers configuration to identify security issues before they sneak into production environments.

Both use static code analysis to parse container manifests and query for known vulnerabilities.

Which one to use? It probably depends on the level of risk we’re willing to accept. Since both tools are open source and free, we can go ahead and employ both for the utmost coverage.

If we use containers for running our critical infrastructure or mission critical applications and would cause the most harm if compromised, having multiple tools would be a good decision.

I’ll wrap up with this quote by McGeorge Bundy:

If we guard our toothbrushes and diamonds with the equal zeal, we will lose fewer toothbrushes and more diamonds.

Originally published at https://www.linkedin.com.

Application Security
Docker Security
Infrastructure As Code
Static Code Analysis

--

--

Mark Mishaev

Written by Mark Mishaev

93 Followers

I am really passionate about agile leadership, software security, systems development and architecture.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams