Clair

The example YAML configurations in this file use the legacy 0.8 syntax. If you are using Drone 1.0 or Drone Cloud, please ensure you use the appropriate 1.0 syntax.

The Clair plugin submits your Docker image to your Clair server to scan it for security vulnerabilities.

The following pipeline configuration demonstrates simple usage:

pipeline:
  clair:
    image: jmccann/drone-clair:1
    url: http://clair.company.com
    username: johndoe
    password: mysecret
    scan_image: python:2.7

To verify HTTPS/SSL connections against a different CA certificate, use ca_cert:

pipeline:
  clair:
    image: jmccann/drone-clair:1
    url: http://clair.company.com
    username: johndoe
    password: mysecret
    scan_image: python:2.7
+   ca_cert: |
+     -----BEGIN CERTIFICATE-----
+     MII...
+     -----END CERTIFICATE-----

Secrets

Instead of configuring sensitive information in your .drone.yml file in plain text, you can use Drone secrets and substitute the values at runtime using string replacement.

Please see the Drone documentation to learn more about secrets.

pipeline:
  clair:
    image: jmccann/drone-clair:1
    url: http://clair.company.com
-   username: johndoe
-   password: mysecret
+   username: ${DOCKER_USERNAME}
+   password: ${DOCKER_PASSWORD}
    scan_image: python:2.7
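
A check for the situation described above, as an added example that is not part of the plugin or of Drone: a small linter that flags Clair steps in a 0.8-syntax .drone.yml whose username or password is a literal instead of a ${VAR} substitution, and that notes when ca_cert is set on a url that is not https://. The function names and the line-based parsing are assumptions made for this sketch; it only understands the flat step layout shown on this page.

```python
import re

SENSITIVE_KEYS = ("username", "password")   # credential settings listed on this page
SUBSTITUTION = re.compile(r"^\$\{\w+\}$")    # e.g. ${DOCKER_PASSWORD}
KEY_VALUE = re.compile(r"^( *)([\w-]+):\s*(.*)$")

def parse_steps(drone_yml):
    """Map step name -> {setting: value} for steps under a 0.8-syntax `pipeline:`."""
    steps, current, step_indent, in_pipeline = {}, None, None, False
    for line in drone_yml.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue  # blank lines and block-scalar bodies such as the certificate
        indent, key, value = len(match.group(1)), match.group(2), match.group(3)
        if indent == 0:
            in_pipeline, current, step_indent = key == "pipeline", None, None
        elif in_pipeline:
            step_indent = indent if step_indent is None else step_indent
            if indent == step_indent:
                current = steps.setdefault(key, {})   # a new step begins
            elif current is not None:
                current[key] = value.strip().strip("\"'")
    return steps

def lint_clair(drone_yml):
    """Return findings for every step that runs the drone-clair plugin image."""
    findings = []
    for name, settings in parse_steps(drone_yml).items():
        if "drone-clair" not in settings.get("image", ""):
            continue
        for key in SENSITIVE_KEYS:
            value = settings.get(key, "")
            if value and not SUBSTITUTION.match(value):
                findings.append(f"{name}: {key} is a plain-text literal")
        if "ca_cert" in settings and not settings.get("url", "").startswith("https://"):
            findings.append(f"{name}: ca_cert is set but url is not https://")
    return findings

# Constructed sample input, assembled from the snippets on this page.
PLAIN = ("pipeline:\n  clair:\n    image: jmccann/drone-clair:1\n"
         "    url: http://clair.company.com\n    username: johndoe\n"
         "    password: mysecret\n    scan_image: python:2.7\n    ca_cert: |\n"
         "      -----BEGIN CERTIFICATE-----\n      MII...\n"
         "      -----END CERTIFICATE-----\n")
SUBSTITUTED = PLAIN.replace("johndoe", "${DOCKER_USERNAME}").replace(
    "mysecret", "${DOCKER_PASSWORD}")

if __name__ == "__main__":
    print("\n".join(lint_clair(PLAIN)))
```
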

Parameter Reference

url
Clair server URL
username
Docker registry username used to download the scan_image
password
Docker registry password used to download the scan_image
scan_image
The Docker image to scan. Supports Docker Hub or private repos.
ca_cert
The CA certificate used to verify HTTPS connections