{"id":22294554,"url":"https://github.com/dtrudg/clair-singularity","last_synced_at":"2025-07-08T08:35:21.273Z","repository":{"id":110336284,"uuid":"101200019","full_name":"dtrudg/clair-singularity","owner":"dtrudg","description":"Scan Singularity container images using a Clair server","archived":false,"fork":false,"pushed_at":"2022-03-31T21:46:31.000Z","size":161,"stargazers_count":16,"open_issues_count":3,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-06-02T15:47:58.161Z","etag":null,"topics":["clair","security-audit","singularity-container"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dtrudg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-08-23T16:07:17.000Z","updated_at":"2023-05-07T07:13:44.000Z","dependencies_parsed_at":null,"dependency_job_id":"ea28265f-4598-41b1-8d4b-0c1f4b2002a6","html_url":"https://github.com/dtrudg/clair-singularity","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/dtrudg/clair-singularity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dtrudg%2Fclair-singularity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dtrudg%2Fclair-singularity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dtrudg%2Fclair-singularity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dtrudg%2Fclair-singularity/manifests","owner
_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dtrudg","download_url":"https://codeload.github.com/dtrudg/clair-singularity/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dtrudg%2Fclair-singularity/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264232276,"owners_count":23576808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clair","security-audit","singularity-container"],"created_at":"2024-12-03T17:37:34.729Z","updated_at":"2025-07-08T08:35:21.268Z","avatar_url":"https://github.com/dtrudg.png","language":"Python","readme":"# clair-singularity\n\n[![CircleCI](https://circleci.com/gh/dtrudg/clair-singularity/tree/master.svg?style=svg)](https://circleci.com/gh/dtrudg/clair-singularity/tree/master)\n\n__Scan [Singularity](http://sylabs.io/singularity/) container images for\nsecurity vulnerabilities using [CoreOS\nClair](https://github.com/coreos/clair).__\n\n![screenshot](screenshot.png)\n\nThe [CoreOS Clair vulnerability scanner](https://github.com/coreos/clair) is a\nuseful tool able to scan docker and other container formats for security\nvulnerabilities. 
It obtains up-to-date lists of vulnerabilities for various\nplatforms (namespaces) from public databases.\n\nWe can use Clair to scan singularity containers, by exploiting the fact that an\nexported .tar.gz of a singularity container image is similar to a single layer\ndocker image.\n\nThis tool:\n\n* Exports a singularity image to a temporary .tar.gz file (this will be under\n  `$TMPDIR`)\n* Serves the .tar.gz file via an in-built http server, so the Clair service can\n  retrieve it\n* Calls the Clair API to ingest the .tar.gz file as a layer for analysis\n* Calls the Clair API to retrieve a vulnerability report for this layer\n* Displays a simple text, or full JSON format report\n\nBased on experiments detailed [in this\nGist](https://gist.github.com/dctrud/479797e5f48cfe39cdb4b50a15e4c567)\n\n## IMPORTANT NOTES\n\nFunctionality was last tested using SingularityCE 3.9.7.\n\nThis tool should be considered proof of concept, not heavily tested. Use at your\nown risk.\n\nThere is no support yet for SSL client certificates to verify that we are\nsending API requests to a trusted Clair instance, or that only a trusted Clair\ninstance can retrieve images from the inbuilt http server. *This means that this\nsolution is insecure except with an isolated local install of Clair*.\n\n## Requirements\n\nTo use clair-singularity you will need a *Linux* host with:\n\n* Python 3.5 or greater installed\n* SingularityCE 3+ installed (tested with 3.9.7) and the singularity\n  executable in your `PATH`\n* A Clair instance running somewhere, that is able to access the machine you\n  will run clair-singularity on. It's easiest to accomplish this using docker to\n  run a local Clair instance as below.\n\n## Starting a local Clair instance\n\nIf you have docker available on your local machine, the easiest way to start\nscanning your Singularity images is to fire up a Clair instance locally, with\ndocker. 
The official Clair docker images are a blank slate, and do not include\nany vulnerability information. At startup Clair will have to download\nvulnerability information from the internet, which can be quite slow. Images\nfrom github user arminc are available that include pre-seeded databases:\n\n\u003chttps://github.com/arminc/clair-local-scan\u003e\n\nTo start up a Clair instance locally using these images:\n\n```bash\ndocker run -d --name db arminc/clair-db:2022-03-31\ndocker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.1.8_9bca9a9a7bce2fd2e84efcc98ab00c040177e258\n```\n\n*Replace the clair-db:2022-03-31 image tag with a later date for newer\nvulnerabilities*\n\n## Installation\n\nClone the git repo, or download and extract the zip, then:\n\n```bash\npython setup.py install\n```\n\n## Usage\n\n### Clair on same machine\n\nTo scan a singularity image, using a clair instance running under local docker,\non port 6060:\n\n```bash\nclair-singularity myimage.sif\n```\n\n*If your hostname is not resolvable to a non-localhost IP of your machine,\naccessible to docker containers, you must specify the IP with `--bind-ip`*\n\n### Clair on a different machine\n\nIf clair is running on a different machine, you must use the `--clair-uri`\noption to specify the base URI to the clair instance, and the `--bind-ip` and/or\n`--bind-port` options to specify a public IP and port on this machine, that\nclair can access to retrieve images from `clair-singularity`.\n\n```bash\nclair-singularity \\\n --clair-uri http://10.0.1.202:6060 \\\n --bind-ip=10.0.1.201 \\\n --bind-port=8088 myimage.img\n```\n\n### Full JSON Reports\n\nBy default, clair-singularity gives a simplified text report on STDOUT. 
To\nobtain the full JSON report returned by Clair use the `--json-output` option.\n\n```bash\nclair-singularity --json-output myimage.img\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdtrudg%2Fclair-singularity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdtrudg%2Fclair-singularity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdtrudg%2Fclair-singularity/lists"}