Skip to main content

Command line tools for container quality assurance

Project description

# Singularity Container Tools

These are tools for Singularity containers, optimized for using with continuous integration for security and quality checks. For an example of the package being used in a continuous integration context, see the [stools-clair](https://github.com/singularityhub/stools-clair) repository.

[![asciicast](https://asciinema.org/a/178712.png)](https://asciinema.org/a/178712)

In this work we will use [Clair OS](https://github.com/coreos/clair) combined with Continuous Integration (travis and circle) to scan [Singularity](https://singularityware.github.io) containers for security vulnerabilities.

## Background Clair is intended to run as a server to continuous scan Docker layers for vulnerabilities. This doesn’t map well to the research domain because of the following:

  • Docker containers come in layers (.tar.gz files) while Singularity images are single binary files that don’t “plug in” nicely to Clair.
  • Most researchers can’t support continuous running of such a service.

On the other hand, a typical researcher does use services like [TravisCI](https://travis-ci.org) and [CircleCI](https://circle-ci.org) to run their code bases against tests. Since these services now offer running containers and other service-type things, we in fact could do the following:

  • Spin up a Clair server during testing
  • Build a Singularity image, and scan the filesystem contents (before finalized in the image).

While this isn’t a continually running service, we can minimally ensure that a container is scanned each time it is built (and then likely merged to be used in production). If the user takes advantage of [Singularity Hub](https://www.singularity-hub.org) or [Singularity Registry Server](https://singularityhub.github.io/sregistry) the image will be pushed or built for production after passing these various tests.

This experiment is based on early discussion in [this thread](https://github.com/singularityhub/sregistry/issues/14).

## Basic Usage

If you want, build the container (or use from Docker Hub)

`bash docker build -t vanessa/stools-clair . `

Start the application with docker compose. Note that you should have the images you want to scan in the $PWD, which will be mapped to the container in /code (see the docker-compose.yml file). You can change this around, just be sure that the containers you want to add are here. I’ll be updating this so the server inside can accept a post for an external container, but I need some sleep first :)

`bash docker-compose up -d `

Scan a local image in $PWD mapped to /code in the container. If you didn’t clone the repo, make sure you get the [docker-compose.yml](https://github.com/singularityhub/stools/blob/master/docker-compose.yml) file first!

`bash singularity pull shub://vsoch/singularity-hello-world docker exec -it clair-scanner sclair vsoch-singularity-hello-world-master-latest.simg `

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
stools-0.0.1.tar.gz (9.3 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page