Chapter 3. Red Hat Quay Security Scanning with Clair

Red Hat Quay supports scanning container images for known vulnerabilities with a scanning engine such as Clair. This document explains how to configure Clair with Quay.

3.1. Visit the management panel

Sign in to a superuser account from the Red Hat Quay login screen. For example, if the host were reg.example.com, you would go to http://reg.example.com/superuser to view the management panel: Log in as superuser to set up Clair scanning

3.2. Enable Security Scanning

  • Click the configuration tab () and scroll down to the section entitled Security Scanner. Enable scanning from superuser account
  • Check the "Enable Security Scanning" box

3.3. Enter a security scanner

In the "Security Scanner Endpoint" field, enter the HTTP endpoint of a Red Hat Quay-compatible security scanner such as Clair. Enter location of security scanner

3.4. Generate an auth key

To connect Red Hat Quay securely to the scanner, click "Create Key >" to create an authentication key between Quay and the Security Scanner.

3.4.1. Authentication for high-availability scanners

If the security scanning engine is running on multiple instances in a high-availability setup, select "Generate shared key": Select key for security scanner

Enter an optional expiration date, and click "Generate Key": Generate key for security scanner

Save the key ID and download the preshared private key into the configuration directory for the security scanning engine. Generate key for security scanner

3.4.2. Authentication for single-instance scanners

If the security scanning engine is being run on a single instance, select "Have the service provide a key": Provide key for security scanner

Once the following dialog is visible, run the security scanning engine: Run security scanner

When the security scanning engine connects, the key will be automatically approved.

3.5. Save configuration

  • Click "Save Configuration Changes"
  • Restart the container (you will be prompted)