Vulnerability Static Analysis for Containers
Clone or download
jzelinskie Merge pull request #656 from glb/elsa_CVEID
vulnsrc_oracle: one vulnerability per CVE
Latest commit 504f0f3 Nov 7, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github .github: add stale and issue template enforcement Sep 26, 2018
Documentation *: remove bzr dependency Jul 10, 2018
api api: Rename detector type to DType Oct 8, 2018
cmd/clair clair: Implement worker detector support Oct 8, 2018
contrib Pinning helm postgres dep to the working 1.0.0 Oct 31, 2018
database database: add mapping for Ubuntu Cosmic (18.10) Oct 29, 2018
ext vulnsrc_oracle: one vulnerability per CVE Nov 2, 2018
pkg Merge pull request #647 from KeyboardNerd/spkg/cvrf Oct 23, 2018
testdata/DistUpgrade clair: move worker to top level package Jan 26, 2017
vendor vendor: Update package Oct 23, 2018
.dockerignore Adding httputil and version packages Sep 5, 2018
.travis.yml Bump Go versions and use '.x' to always get latest patch versions Oct 28, 2018
DCO Initial commit Nov 13, 2015
Dockerfile Add build-base to docker image Sep 25, 2018
LICENSE Initial commit Nov 13, 2015
NOTICE Initial commit Nov 13, 2015 README: fixed issues address Mar 20, 2018 *: update roadmap Oct 8, 2018
bill-of-materials.json api: remove dependency on graceful Sep 6, 2018 update CoC Jan 4, 2018
config.yaml.sample config: removed worker config Sep 19, 2018
glide.lock vendor: Update package Oct 23, 2018
glide.yaml vendor: Update package Oct 23, 2018
notifier.go database: changed Notification interface name Sep 11, 2018
updater.go updater: Add vulnsrc affected feature type Oct 18, 2018
updater_test.go updater: Add vulnsrc affected feature type Oct 18, 2018
worker.go database: rename utility functions with commit/rollback Oct 8, 2018
worker_test.go database: move dbutil and testutil to database from pkg Oct 8, 2018


Build Status Docker Repository on Quay Go Report Card GoDoc IRC Channel

Note: The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get stable binaries.

Clair Logo

Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

  1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
  2. Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
  3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
  4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occured.

Our goal is to enable a more transparent view of the security of container-based infrastructure. Thus, the project was named Clair after the French term which translates to clear, bright, transparent.

Getting Started


  • IRC: #clair on
  • Bugs: issues


See CONTRIBUTING for details on submitting patches and the contribution workflow.


Clair is under the Apache 2.0 license. See the LICENSE file for details.