Clair is an open-source static analysis engine for container image vulnerabilities. It indexes the contents of each image layer (operating-system and language package metadata), matches the resulting package inventory against vulnerability data pulled from upstream sources, and produces queryable reports; its notifier can also signal when newly synced advisories change an existing report. Because all of this is exposed over an HTTP API, Clair is straightforward to integrate into image registries, CI/CD pipelines, and automated review processes.
Core Features & Highlights
- Static analysis: scans image contents layer by layer, without running the image, and reports known vulnerabilities in the packages it finds. It only sees what its scanners can inventory (packages installed through a supported package manager or ecosystem), so vendored binaries are invisible to it, and it is not a malware or runtime scanner.
- Indexing & matching: indexing produces a package inventory for a manifest; matching compares that inventory against the current vulnerability data. Because the inventory is stored, an already-indexed image can be re-matched as new advisories arrive without re-fetching its layers, and reports for successive builds can be compared.
- Open API: integrate with registries, build systems, or alerting platforms via Clair's HTTP API.
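As an added example of wiring that API into a CI gate (this is not Clair's own code and not part of the original page): the script below builds the manifest document Clair's indexer expects from a registry manifest, posts it, fetches the vulnerability report from the matcher, and fails the build when any finding at or above a chosen severity has a fix available. The endpoint paths, the `state` value and the report fields follow the Clair v4 HTTP API; the Clair URL, the registry and repository names, and the sample manifest and report are constructed assumptions used so the decision logic can run offline.

```python
"""CI gate against a Clair v4 instance (added example, not Clair's own code).

Endpoint paths and report field names follow the Clair v4 HTTP API;
the registry/repository names and the sample data are constructed."""
import hashlib
import json
import urllib.request

# Clair's normalized_severity values, least to most severe.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}


def digest_of(manifest_bytes: bytes) -> str:
    """Content digest of the raw registry manifest, used as Clair's manifest hash."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def clair_manifest(registry: str, repository: str, manifest: dict, manifest_digest: str) -> dict:
    """Translate an OCI/Docker registry manifest into the Manifest document
    Clair's indexer fetches layers from: the image digest plus one URI per layer.
    For a private registry a real pipeline would add an Authorization header
    under "headers" so Clair can pull the blobs."""
    layers = [{
        "hash": layer["digest"],
        "uri": f"https://{registry}/v2/{repository}/blobs/{layer['digest']}",
        "headers": {},
    } for layer in manifest["layers"]]
    return {"hash": manifest_digest, "layers": layers}


def scan_with_clair(clair_url: str, manifest_doc: dict, timeout: int = 120) -> dict:
    """Network half: POST the manifest to the indexer (synchronous in v4),
    then GET the matcher's vulnerability report. Not exercised offline."""
    body = json.dumps(manifest_doc).encode()
    req = urllib.request.Request(f"{clair_url}/indexer/api/v1/index_report", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        index_report = json.load(resp)
    if index_report.get("state") != "IndexFinished":
        raise RuntimeError(f"indexing failed: {index_report.get('err') or index_report.get('state')}")
    url = f"{clair_url}/matcher/api/v1/vulnerability_report/{manifest_doc['hash']}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def fixable_findings(report: dict, threshold: str) -> list:
    """One entry per (package, vulnerability) pair at or above `threshold`
    for which the advisory names a fixed version. Unfixed findings are
    excluded on purpose: a CI gate can only block on what a rebuild can fix."""
    want = SEVERITY_RANK[threshold]
    findings = []
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = report["packages"][pkg_id]
        for vid in vuln_ids:
            vuln = report["vulnerabilities"][vid]
            sev = vuln.get("normalized_severity", "Unknown")
            if SEVERITY_RANK.get(sev, 0) < want or not vuln.get("fixed_in_version"):
                continue
            findings.append({"package": f"{pkg['name']} {pkg['version']}",
                             "vuln": vuln["name"], "severity": sev,
                             "fixed_in": vuln["fixed_in_version"]})
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["vuln"]))


def gate(report: dict, threshold: str = "High") -> bool:
    """True when the image may be promoted."""
    return not fixable_findings(report, threshold)


# --- constructed sample data (not real images, packages or advisories) ---
SAMPLE_REGISTRY_MANIFEST = {"schemaVersion": 2, "layers": [
    {"digest": "sha256:" + "a" * 64, "size": 1}, {"digest": "sha256:" + "b" * 64, "size": 1}]}
SAMPLE_REPORT = {
    "manifest_hash": "sha256:" + "1" * 64,
    "packages": {"1": {"id": "1", "name": "openssl", "version": "1.1.1k-1"},
                 "2": {"id": "2", "name": "bash", "version": "5.1-2"}},
    "vulnerabilities": {
        "10": {"id": "10", "name": "CONSTRUCTED-0001", "normalized_severity": "Critical",
               "fixed_in_version": "1.1.1l-1"},
        "11": {"id": "11", "name": "CONSTRUCTED-0002", "normalized_severity": "High",
               "fixed_in_version": ""},           # no fix yet: reported, not blocking
        "12": {"id": "12", "name": "CONSTRUCTED-0003", "normalized_severity": "Low",
               "fixed_in_version": "5.1-3"}},
    "package_vulnerabilities": {"1": ["10", "11"], "2": ["12"]},
}
EMPTY_REPORT = {"packages": {}, "vulnerabilities": {}, "package_vulnerabilities": {}}

if __name__ == "__main__":
    doc = clair_manifest("registry.example.test", "team/app", SAMPLE_REGISTRY_MANIFEST,
                         digest_of(json.dumps(SAMPLE_REGISTRY_MANIFEST).encode()))
    print(json.dumps(doc, indent=2))          # what would be POSTed to the indexer
    for f in fixable_findings(SAMPLE_REPORT, "High"):
        print(f"{f['severity']:8} {f['vuln']} in {f['package']} (fix: {f['fixed_in']})")
    print("PASS" if gate(SAMPLE_REPORT, "High") else "FAIL")
```

In a pipeline the `gate` result becomes the job's exit status; swap `SAMPLE_REPORT` for `scan_with_clair(...)` once a Clair instance is reachable. Keeping the decision logic separate from the HTTP calls is what makes the threshold policy testable without a scanner in the loop.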
Use Cases & Target Users
- For image registry operators, DevOps, SREs, security teams, and developers who want to discover security issues early in the build/deploy stages.
- Suitable for automated scans in CI/CD, image release reviews, registry hardening, and compliance checks.
Key Advantages
- Open-source and self-hostable: community-maintained, easy to customize and deploy privately.
- Synchronizes with upstream vulnerability sources (distribution security advisories, plus NVD for CVSS enrichment) on a schedule, and each finding carries the identifier and links of the advisory it was derived from, so detections can be audited against their source.
- Scalable and automation-friendly: the indexer, matcher, and notifier can run as separate services, and scanning at build and release time moves detection and remediation ahead of deployment, reducing the chance that an image with a known fixable vulnerability reaches production.