Container software maker CoreOS Inc. has often criticized its blue-chip rival Docker Inc. for security flaws, saying the CoreOS own design is a lot safer. Now, the company has gone a step further in its quest to secure containers with the general release of Clair 1.0, a dedicated container scanning tool that can detect security vulnerabilities in containers and help developers patch them.

Launched into beta just last November, Clair has evolved rapidly, with the stable release said to offer superior performance with recursive database queries, which allows for up to three-times faster response times. In addition, Clair 1.0 also comes with an improved RESTful JSON API.

All indications are that Clair 1.0 has evolved into a highly robust security tool that can easily be extended and integrated with different environments. As CoreOS notes in its blog post announcing the release, Clair’s biggest selling point isn’t just that it can detect security issues in containers; it can also patch them automatically. According to the company, this is important because containers are flexible and scalable by design, and so developers can’t afford to waste time fixing holes manually. By automating the security side of things, developers get to enjoy the primary benefit of containers.

How does it work?

Clair works by scanning the contents of container images to determine if the applications used to build them contain any known vulnerabilities. It does this by comparing metadata to vulnerabilities in databases like Common Vulnerabilities and Exposures.

Clair also provides users with specific, actionable advice when it detects a problem with an image. In most cases, this is a recommendation to upgrade the suspect package to a more recent version, but in some cases it might also advise removing some dependencies that are not needed in the final image. For example, if Node.js is only to be used as part of a build script and not the running of the application, it can be removed from the final image safely.

It all sounds rather nifty, but it’s too soon to say if the offering is compelling enough to get people to switch from Docker to CoreOS’s container solution, which is what the company really wants. Docker is far more well-established, and its developer is better-funded. Clair can also be used to scan Docker container images as well as CoreOS container images, and so the new feature is not a strong incentive to switch.

But support for Docker instances may attract people to try CoreOS, the company hopes, giving it a foot in the door of the container space. With security concerns continuing to plague Docker, CoreOS gets to stay relevant in the space by filling the gap.

Photo Credit: rainer.n.foto via Compfight cc