clair v2.0.8 releases: Vulnerability Static Analysis for Containers


Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

  1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
  2. Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
  3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
  4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.

Our goal is to enable a more transparent view of the security of the container-based infrastructure. Thus, the project was named Clair after the French term which translates to clearbrighttransparent.




  • Container – the execution of an image
  • Image – a set of tarballs that contain the filesystem contents and run-time metadata of a container
  • Layer – one of the tarballs used in the composition of an image, often expressed as a filesystem delta from another layer

Specific to Clair

  • Ancestry – the Clair-internal representation of an Image
  • Feature – anything that when present in a filesystem could be an indication of a vulnerability (e.g. the presence of a file or an installed software package)
  • Feature Namespace (featurens) – a context around features and vulnerabilities (e.g. an operating system or a programming language)
  • Vulnerability Source (vulnsrc) – the component of Clair that tracks upstream vulnerability data and imports them into Clair’s database
  • Vulnerability Metadata Source (vulnmdsrc) – the component of Clair that tracks upstream vulnerability metadata and associates them with vulnerabilities in Clair’s database

Changelog v2.0.8

  • Switched to a static TLS Cipher Suite that does not use 3DES, protecting clients from suffering from Sweet32
  • Fixed debugging log lines that were being printed always
  • Added exponential backoff for updater failures (thanks @reasonerjt)

Install && Use

Copyright (C) 2015 coreos