What is Clair?
Clair provides continuous static analysis of container images to detect known vulnerabilities in their contents that could threaten a runtime using that image. Clair works in conjunction with container registries to detect and identify vulnerabilities in the base operating system, in installed packages and in programming-language dependencies. Clair keeps its vulnerability database continuously updated as new vulnerabilities are published, and images can be quickly re-analyzed against the new data without re-reading the entire image contents.
Clair is used by many container registries, including quay.io, Amazon ECR and the Red Hat Container Catalog, to give container image consumers the best possible visibility into the images they are pulling.
Why ‘Clair’?
Our project name is the French word for “clear, bright, transparent”. Clair exists to make opaque container contents visible and easily understood. That visibility is critical for a secure software supply chain and the confidence that your applications are built on a secure foundation.
Why Clair V4? What about Clair V2? What happened to Clair V3?
Clair V4 is a complete re-write of Clair V2 (which began as a side project at CoreOS by the Quay team). Clair V2 became extremely popular; however, its code and architecture did not lend themselves to the greater extensibility and scalability needed for various deployment models. Clair V4 was a fresh re-think of how Clair should work, with an emphasis on easy extension and integration.
Clair V3 was an early attempt at addressing many of Clair V2's shortcomings; however, it was never properly resourced to be successful. That effort was abandoned in favor of Clair V4.
What’s the difference between Clair and ClairCore?
Clair is a set of RESTful services that allows container static analysis to be easily added to most runtime architectures. Some applications, however, may wish to embed Clair's capabilities within their own runtime. For that reason, Clair's analysis engine is packaged as a set of easily consumable Go modules called Claircore.
Claircore provides the actual static analysis mechanism (the 'heart' of Clair). To understand Clair it is important to understand how Claircore works.
Claircore is split into two main functions: Indexers and Matchers.
- Indexers are responsible for fetching the layers named in a container image manifest, scanning each unique layer for its contents (the distribution, the installed packages and the package repositories they came from) and recording that index per layer, so a layer shared by many images is scanned only once. The per-layer results are merged into an index report for the whole image.
- Matchers are responsible for continuously fetching vulnerability data for each supported software category (e.g. Ubuntu Linux) from its upstream security tracker and for comparing an image's index report against that data to determine which vulnerabilities affect the image.
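To make the indexer/matcher split concrete, here is a deliberately miniature model of it, written for this FAQ as an added example. It is not Claircore code: the types, the "pkg <dist> <name> <version>" file format and the VULN-EXAMPLE IDs are all constructed for the illustration. It shows the two properties the description relies on: a layer is scanned once and cached by its digest, so a second image that shares the base layer costs one new layer read, and matching is a separate pass over an image's index report against a vulnerability database, scoped to the distribution and compared against a fixed version.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Package is a simplified record of one package found in a layer; Dist is e.g. "ubuntu:22.04".
type Package struct{ Dist, Name, Version string }
// Vulnerability is a simplified database record; an empty FixedVersion means no fix exists.
type Vulnerability struct{ ID, Dist, Package, FixedVersion string }

// Layer stands in for a layer tarball: a digest plus a constructed file list ("pkg <dist> <name> <version>").
type Layer struct {
	Digest string
	Files  []string
}

// Indexer caches per-layer results by digest, so a base layer shared by many images is scanned once.
type Indexer struct {
	Cache map[string][]Package
	Reads int // layers actually scanned, i.e. cache misses
}

// IndexLayer parses one layer's constructed file list into package records.
func (ix *Indexer) IndexLayer(l Layer) []Package {
	if pkgs, ok := ix.Cache[l.Digest]; ok {
		return pkgs
	}
	ix.Reads++
	var pkgs []Package
	for _, f := range l.Files {
		parts := strings.Fields(f) // a real scanner reads dpkg/rpm/apk databases instead
		if len(parts) != 4 || parts[0] != "pkg" {
			continue
		}
		pkgs = append(pkgs, Package{Dist: parts[1], Name: parts[2], Version: parts[3]})
	}
	ix.Cache[l.Digest] = pkgs
	return pkgs
}

// IndexManifest merges per-layer results into one image report; a package in a later layer replaces
// the same package from an earlier one (an upgrade in a child layer). Whiteout files are ignored here.
func (ix *Indexer) IndexManifest(layers []Layer) map[string]Package {
	report := map[string]Package{}
	for _, l := range layers {
		for _, p := range ix.IndexLayer(l) {
			report[p.Dist+"/"+p.Name] = p
		}
	}
	return report
}

// versionLess compares dotted numeric versions. Real matchers need distribution-specific
// comparators (epochs, Debian revisions, RPM release tags); this is only enough for the sample data.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0 // a missing component counts as 0, so "3.0" equals "3.0.0"
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Match returns the IDs of database entries whose distribution and package appear in the report
// at a version below the fix, or that have no fix at all. Entries for other distributions never match.
func Match(report map[string]Package, db []Vulnerability) []string {
	var ids []string
	for _, v := range db {
		if p, ok := report[v.Dist+"/"+v.Package]; ok && (v.FixedVersion == "" || versionLess(p.Version, v.FixedVersion)) {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

// Constructed sample data: a base layer, an app layer that upgrades openssl, and a tiny
// database whose IDs are placeholders, not real advisories.
var (
	SampleBase = Layer{Digest: "sha256:base", Files: []string{"pkg ubuntu:22.04 openssl 3.0.2", "pkg ubuntu:22.04 bash 5.1", "etc/os-release"}}
	SampleApp  = Layer{Digest: "sha256:app", Files: []string{"pkg ubuntu:22.04 openssl 3.0.7", "app/server"}}
	SampleDB   = []Vulnerability{
		{ID: "VULN-EXAMPLE-1", Dist: "ubuntu:22.04", Package: "openssl", FixedVersion: "3.0.7"},
		{ID: "VULN-EXAMPLE-2", Dist: "ubuntu:22.04", Package: "bash"}, // no fix available
		{ID: "VULN-EXAMPLE-3", Dist: "alpine:3.17", Package: "openssl", FixedVersion: "3.0.8"},
	}
)

func main() {
	ix := &Indexer{Cache: map[string][]Package{}}
	fmt.Println("base image:", Match(ix.IndexManifest([]Layer{SampleBase}), SampleDB))
	fmt.Println("app image:", Match(ix.IndexManifest([]Layer{SampleBase, SampleApp}), SampleDB))
	fmt.Println("layers scanned:", ix.Reads) // 2, not 3: the shared base layer came from the cache
}
```

Running it reports the base image as matching both placeholder entries for ubuntu:22.04, the child image (which upgrades openssl to the fixed version) as matching only the entry without a fix, and two layers scanned for three layer references. Real Claircore scanners read the distribution's package database out of the layer tarball and use distribution-specific version comparators; neither is modelled here.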
Why does Clair not show me the same vulnerabilities as product XYZ?
Performing static analysis on container images can be done in many ways. Clair’s approach may not be exactly the same approach taken by other products or tools in this same space. It is very likely that different tools will give you different result sets depending on what vulnerability data sources they use, how they match against vulnerabilities, and even what types of packages they analyze.
Clair’s approach is to report whatever it can find in a container image and to do its best to identify where container contents may be affected by known vulnerabilities. Because vulnerability data varies between sources in quality and format, and because the possible contents of a container image are unbounded, Clair’s results may well not match those of other tools attempting to do the same thing.
How is Clair licensed?
Clair is licensed with the Apache 2.0 License. We feel this license gives enough freedom to allow Clair to be used in a broad range of use cases both commercial and personal.