clair v4.6 releases: Vulnerability Static Analysis for Containers


Clair is an open-source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).

  1. In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
  2. Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
  3. Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
  4. When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.

Our goal is to enable a more transparent view of the security of the container-based infrastructure. Thus, the project was named Clair after the French term which translates to clearbrighttransparent.




  • Container – the execution of an image
  • Image – a set of tarballs that contain the filesystem contents and run-time metadata of a container
  • Layer – one of the tarballs used in the composition of an image, often expressed as a filesystem delta from another layer

Specific to Clair

  • Ancestry – the Clair-internal representation of an Image
  • Feature – anything that when present in a filesystem could be an indication of a vulnerability (e.g. the presence of a file or an installed software package)
  • Feature Namespace (featurens) – a context around features and vulnerabilities (e.g. an operating system or a programming language)
  • Vulnerability Source (vulnsrc) – the component of Clair that tracks upstream vulnerability data and imports them into Clair’s database
  • Vulnerability Metadata Source (vulnmdsrc) – the component of Clair that tracks upstream vulnerability metadata and associates them with vulnerabilities in Clair’s database

Changelog v4.6


  • 577a55d4: use httputil to construct requests


  • 1f1010fe: add automatic memory limit discovery


  • ef896eb6: bump actions/stale from 6 to 7
  • 5a212ffe: bump peter-evans/create-pull-request from 4.1.4 to 4.2.3
  • b883bc2b: bump gsactions/commit-message-checker from 1 to 2





  • 8b899803: use git-archive for version information



  • 25ac033f: use new signer scheme in test
  • a9228d40: add a request_id to logs
  • #1547### Httputil
  • e746ff05: rework request signing and request restriction



  • d99f7005: add explicit signer argument

Install && Use

Copyright (C) 2015 coreos