clair

Go ★ 11k updated 4d ago

Vulnerability Static Analysis for Containers

Open-source tool that scans container images for known security vulnerabilities without running them, exposing results through an API teams can integrate into their deployment pipeline.

Tags: Go, Docker, OCI · Setup: hard · Complexity: 4/5

Clair is an open-source security tool that scans container images for known vulnerabilities. Containers are a technology used to package and run software in isolated environments, and they are widely used in modern software deployments. Because containers bundle many software packages together, they can inadvertently include components with known security flaws.

Clair works by analyzing the contents of a container image without actually running it (a process called static analysis). It reads what software packages are present inside the image and checks them against databases of known security issues. Teams using Clair can integrate it into their workflow to get visibility into which of their containers have vulnerabilities before deploying them.

The tool exposes an API that other systems can call to submit container images for indexing and then query for vulnerability matches. It supports Docker containers and the OCI image format, which is the broader industry standard for container images.

The name comes from the French word for "clear" or "transparent," reflecting the project's goal of making the security of container infrastructure easier to see and understand. Clair is written in Go, maintained under the Apache 2.0 license, and hosted by the Quay container registry project. Full architecture and operational documentation is available in a separate online book linked from the repository.

Where it fits