Scanning private docker registry images using clair

[imaskm]

Hi,

Can we scan docker images on a private docker registry using clairctl or by calling the APIs directly? or do we need to write a separate flow for that?

[hdonnay]

The clairctl binary understands the docker authn file and login flow, although it may not support more exotic flows. If clairctl's limited auth support isn't enough, you can always use the clair HTTP APIs directly by creating and submitting manifests.

Clair should be given all the information it needs to fetch layers in its manifest, whether that takes the form of signed URLs or a URL and additional headers to send with the request is dependent on how the layers are hosted.

[eldoranstars]

Can you help plz?
What does clair need to connect docker private registry?
I get this error now:
"UNAUTHORIZED: The client does not have permission for manifest"

[eldoranstars]

I use imagePullSecrets for clair-index deployment, but it doesnt work yet
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials

[hdonnay]

That's not a Clair error.
As I said in the previous answer, Clair should be given all the information it needs to fetch layers in its manifest.
Put another way, you need to make sure that whatever is creating the manifest has the needed credentials.

[eldoranstars]

Yes, this is not Clair error =)
But i dont know how to tell Clair IMAGE about credentials for my registry.
I did not found it in documentation.
I cant do docker login.
I try imagePullSecrets, but it doesnt work.
Can you help?

[hdonnay]

You need to do the equivalent of docker login (e.g. ~/.docker/config.json, $DOCKER_CONFIG/config.json, or $XDG_RUNTIME_DIR/containers/auth.json) or build the manifest yourself.