UPDATED 02:51 EDT / NOVEMBER 16 2015

CoreOS open-sources Clair to clean up container vulnerabilities

Container-loving CoreOS Inc. has just released a new scanning tool that checks for vulnerabilities in containers to the open-source community.

The new tool is called “Clair”, and is described as an API-driven analysis engine that inspects containers on a layer-by-layer basis to detect known security flaws.

“Using Clair, you can easily build services that provide continuous monitoring for container vulnerabilities,” wrote Quentin Machu, a CoreOS software engineer, in a blog post. “CoreOS believes tools that improve the security of the world’s infrastructure should be available for all users and vendors, so we made the project open source. With that same purpose, we welcome your feedback and contributions to the Clair project.”

The new tool will soon be incorporated into Quay, the CoreOS container registry. Called Quay Security Scanning, the new feature automatically scans, detects and reports vulnerabilities, CoreOS said.

The company said it’s already put Quay Security Scanning through its paces in internal tests, scanning “millions of containers” in its registry for any vulnerabilities. And to the company’s horror, it found that almost 80 percent of the containers it scanned did have major vulnerabilities, including the infamous Heartbleed bug. The good news is that CoreOS Linux comes with an auto-update tool that’s already patched Heartbleed at the operating system level, which means the flawed containers won’t present any problems to its users. But that doesn’t hide the fact that numerous containers – if not the majority of them – still have serious security problems.

Quay Security Scanning works like this: Each time an image is uploaded into Quay, the system automatically checks it for vulnerabilities. If any problems are found, they are automatically flagged in the interface and a notification is sent. This notification also tags the problem with an alert level – low, medium or high – as well as a description of the problem in the affected package. It also includes a link to the source information for whatever vulnerability is present, which, when available, will also provide details on how to patch the vulnerability.

In turn, Clair “scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the vulnerability databases Common Vulnerabilities and Exposures (CVE) maintained by Red Hat, Ubuntu, and Debian,” writes CoreOS’ Machu. “Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.”
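To make the per-layer matching described in the two paragraphs above concrete, here is a small added example in Python; it is not Clair's own code. It assumes a constructed vulnerability feed with placeholder CVE ids and versions, a simplified version comparison, and two sample images that share one base layer (a shared layer is matched once and cached, and a finding is dropped when a later layer has upgraded the package).

```python
import re
from dataclasses import dataclass
# Constructed feed: (distro, package) -> [(cve id, severity, fixed-in version)]; placeholders.
VULN_FEED = {
    ("debian:8", "openssl"): [("CVE-EXAMPLE-0001", "High", "1.0.1g")],
    ("debian:8", "bash"): [("CVE-EXAMPLE-0002", "Medium", "4.3-12")],
}
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
LAYER_CACHE = {}  # layer digest -> findings, so a shared layer is inspected once

@dataclass(frozen=True)
class Layer:
    digest: str     # content hash; the same digest means the same shared layer
    distro: str
    packages: dict  # package name -> version installed or upgraded by this layer

def version_key(v):
    # Simplification: numeric runs compare as ints, letter runs as strings
    # (so 1.0.1e < 1.0.1g). Real dpkg/rpm ordering also has epochs and tildes.
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[a-zA-Z]+", v))

def scan_layer(layer, feed=VULN_FEED):
    """Match one layer's packages against the feed -> list of findings."""
    findings = []
    for name, version in layer.packages.items():
        for cve, severity, fixed_in in feed.get((layer.distro, name), []):
            if version_key(version) < version_key(fixed_in):
                findings.append((name, version, cve, severity, fixed_in))
    return findings

def scan_image(layers, cache=LAYER_CACHE, feed=VULN_FEED):
    """Scan ordered layers; a cached finding is reported only if that package
    version is still the effective one after all layers (a later layer may upgrade it)."""
    effective = {}
    for layer in layers:
        effective.update(layer.packages)
    findings = []
    for layer in layers:
        if layer.digest not in cache:
            cache[layer.digest] = scan_layer(layer, feed)
        findings += [f for f in cache[layer.digest] if effective.get(f[0]) == f[1]]
    return findings

def alert_level(findings):
    """Highest severity among findings, or None when the image is clean."""
    return max((f[3] for f in findings), key=SEVERITY_RANK.get, default=None)

# Constructed sample: two images on one shared base layer; image "b" upgrades openssl.
BASE = Layer("sha256:base", "debian:8", {"openssl": "1.0.1e", "bash": "4.3-11"})
SAMPLE_IMAGES = {
    "a": [BASE, Layer("sha256:a", "debian:8", {"nginx": "1.6.2"})],
    "b": [BASE, Layer("sha256:b", "debian:8", {"openssl": "1.0.1g"})],
}
```

Running `scan_image` on each entry of `SAMPLE_IMAGES` reports both placeholder CVEs at alert level High for image "a" and only the bash finding at Medium for image "b", while the base layer is inspected a single time.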

We’re quietly hopeful that the new system works as well as CoreOS says it does. After all, security concerns are probably the single biggest obstacle preventing containers from fulfilling their promise and becoming a standard in the enterprise.

Photo Credit: Martin Gommel via Compfight cc
