Continuous Static Analysis Clair provides continuous static analysis for container images to detect vulnerabilities and that threaten a runtime using that image. Clair works in conjunction with container registries to detect and identify vulnerabilities both within the base operating system, installed packages and even programming languages. Clair keeps its database of vulnerabilities continuously updated as new vulnerabilities are published and images can be quickly re-analyzed for vulnerabilities without having to re-read the entire image contents.

Provides Visbility Into Containers Our project name (‘Clair’) is the French word for ‘clear, bright, transparent’. Clair exists to make opaque container contents visible and easily understood. That visibility is critical for a secure software supply chain and the confidence that your applications are built on a secure foundation.

Broad Container Content Support Inspects many popular Linux distributions (RHEL, Alpine, Ubuntu, Debian, Oracle, Photon, SUSE). Handles many popular programming languages (Java, Python, Golang, Javascript). Works with container images built using either OCI Distribution or Docker v2 specifications. Clair is regularly tested at-scale on every image stored in quay.io.

Flexible Architecture Modular architecture that supports various methods of deployment (micro-services, monolithic, CI pipeline, disconnected). Extensible codebase that encourages extension for new operating systems and package and language types.

100% Open Source Clair uses the Apache 2.0 license. This lets the community freely contribute and improve Clair while making sure it is useful in a wide variety of situations.