Clair is an open-source static analysis tool for finding vulnerabilities in container images. Developed by Red Hat (originally CoreOS), Clair parses OCI and Docker image layers and matches the packages it discovers against vulnerability databases covering 9+ Linux distributions. It serves as the scanning backend for the Red Hat Quay and Quay.io container registries. The project has 11k GitHub stars and 117 contributors.
How does Clair scan container images?
Clair scans container images through a three-part pipeline: indexing, matching, and notifications. This architecture separates image analysis from vulnerability correlation, allowing Clair to re-evaluate previously scanned images against newly discovered CVEs without re-indexing.
During indexing, Clair fetches container image layers, examines their contents, and identifies installed packages, language runtimes, and distributions. The output is an IndexReport. Because OCI uses content-addressed layers, Clair skips any layer it has already indexed.
During matching, Clair checks indexed packages against vulnerability databases that update continuously in the background. Every match request returns results based on the latest security data. Distribution-specific updaters paired with matchers determine how vulnerabilities relate to specific packages.
The notification service watches for newly discovered vulnerabilities that affect previously indexed manifests and fires alerts through configured webhooks.
What vulnerability databases does Clair use?
Clair pulls vulnerability data from 9+ distribution-specific sources plus the NVD for severity enrichment:
| Source | Data Type |
|---|---|
| Alpine SecDB | Alpine Linux advisories |
| Debian OVAL | Debian security advisories |
| Ubuntu OVAL | Ubuntu security advisories |
| RHEL OVAL | Red Hat Enterprise Linux advisories |
| Oracle OVAL | Oracle Linux advisories |
| SUSE OVAL | SUSE Linux advisories |
| AWS Linux | Amazon Linux advisories |
| VMware Photon | Photon OS advisories |
| NVD | CVSS severity enrichment |
Each updater polls its source periodically, so vulnerability reports stay current without manual intervention.
Architecture
Clair v4 wraps the ClairCore library, which handles distribution detection, vulnerability source integration, and layer indexing. ClairCore can be used on its own for custom scanning implementations; Clair adds the HTTP API and orchestration on top.
Written in Go, Clair exposes a REST API for submitting manifests and retrieving vulnerability reports. It stores state in PostgreSQL and can run as a single combined process or as separate indexer, matcher, and notifier services for scale.
When should you use Clair?
Clair is best suited for organizations that need server-side vulnerability scanning integrated with their container registry workflow. It is the right choice if you already run Red Hat Quay or Quay.io, or if you are building custom registry infrastructure that needs an API-driven scanning backend. The REST API design works well for automated pipelines that scan images on push.
Limitations: Clair scans container images only. It does not support filesystem, IaC, or source code scanning. Alpine SecDB does not include severity information, so vulnerabilities in Alpine-based images show as “Unknown” severity until NVD enrichment adds CVSS data. Clair requires PostgreSQL and is operationally heavier than CLI-based scanners like Trivy or Grype.
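The practical consequence of the “Unknown” severity caveat is that a pipeline gate which only fails on High or Critical findings will wave Alpine results through before NVD enrichment has run. The following script is an added example, not Clair's own code: it evaluates a constructed vulnerability report in the JSON shape Clair's matcher returns (field names are an assumption based on Clair v4's VulnerabilityReport) and counts “Unknown” findings separately from the severity threshold so they cannot pass silently.

```python
"""Gate a Clair vulnerability report on normalized severity.

Added example, not Clair's own code. Field names follow Clair v4's
VulnerabilityReport as assumed here; the sample report is constructed.
"""
import json

# Constructed sample: a Debian package with an NVD-enriched finding and an
# Alpine package whose SecDB advisory carries no severity ("Unknown").
SAMPLE_REPORT = json.dumps({
    "manifest_hash": "sha256:<placeholder-manifest-digest>",
    "packages": {
        "1": {"id": "1", "name": "openssl", "version": "3.0.11-1~deb12u2"},
        "2": {"id": "2", "name": "busybox", "version": "1.36.1-r15"},
    },
    "vulnerabilities": {
        "v1": {"id": "v1", "name": "CVE-EXAMPLE-0001", "normalized_severity": "High",
               "fixed_in_version": "3.0.13-1~deb12u1", "package": {"id": "1"}},
        "v2": {"id": "v2", "name": "CVE-EXAMPLE-0002", "normalized_severity": "Unknown",
               "fixed_in_version": "", "package": {"id": "2"}},
    },
    "package_vulnerabilities": {"1": ["v1"], "2": ["v2"]},
})

# Clair's normalized severities, ranked; "Unknown" is deliberately not comparable.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def evaluate_report(report_json, fail_at="High", max_unknown=0):
    """Return (passed, findings); a finding is (pkg, version, cve, severity, fixed_in).

    Findings ranked at or above fail_at fail the gate. "Unknown" findings are
    counted on their own so un-enriched Alpine results never pass as harmless.
    """
    report = json.loads(report_json)
    pkgs, vulns = report.get("packages", {}), report.get("vulnerabilities", {})
    findings, failing, unknown = [], 0, 0
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = pkgs.get(pkg_id, {})
        for vid in vuln_ids:
            v = vulns[vid]
            sev = v.get("normalized_severity", "Unknown")
            findings.append((pkg.get("name"), pkg.get("version"), v["name"], sev,
                             v.get("fixed_in_version", "")))
            if sev not in SEVERITY_RANK:
                unknown += 1
            elif SEVERITY_RANK[sev] >= SEVERITY_RANK[fail_at]:
                failing += 1
    return failing == 0 and unknown <= max_unknown, findings


if __name__ == "__main__":
    ok, found = evaluate_report(SAMPLE_REPORT)
    for f in found:
        print("%s %s: %s severity=%s fixed_in=%s" % f)
    print("gate passed" if ok else "gate failed")
```

Raising max_unknown is the knob for teams that accept un-enriched Alpine findings temporarily; the count is still surfaced in the findings list so the gap is visible rather than hidden.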
For a broader view of container security options, see our container security tools category page.
