explaingit

quay/clair

10,978 · Go · Audience: ops, devops · Complexity: 4/5 · License: Apache 2.0 · Setup: hard

TLDR

Open-source tool that scans container images for known security vulnerabilities without running them, exposing results through an API teams can integrate into their deployment pipeline.

Mindmap

mindmap
  root((Clair))
    What it does
      Scans container images
      Finds vulnerabilities
      No runtime needed
    How it works
      Static analysis
      CVE database lookup
      REST API
    Integrations
      Docker
      OCI images
      CI/CD pipelines
    Audience
      DevOps teams
      Security engineers

Things people build with this

USE CASE 1

Scan all container images before they are deployed to catch known security flaws automatically.

USE CASE 2

Integrate Clair's API into a CI/CD pipeline so builds fail if a container contains critical vulnerabilities.

USE CASE 3

Audit an existing container registry to get a report of which images have unpatched security issues.

Tech stack

Go · Docker · OCI

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires running Clair as a service alongside your container registry and wiring up its API; the full setup is covered in a separate documentation book.

Apache 2.0: use freely for any purpose, including commercial; modify and distribute as long as you include the license notice.

In plain English

Clair is an open-source security tool that scans container images for known vulnerabilities. Containers are a technology used to package and run software in isolated environments, and they are widely used in modern software deployments. Because containers bundle many software packages together, they can inadvertently include components with known security flaws.

Clair works by analyzing the contents of a container image without actually running it (a process called static analysis). It reads what software packages are present inside the image and checks them against databases of known security issues. Teams using Clair can integrate it into their workflow to get visibility into which of their containers have vulnerabilities before deploying them. The tool exposes an API that other systems can call to submit container images for indexing and then query for vulnerability matches. It supports Docker containers and the OCI image format, which is the broader industry standard for container images.

The name comes from the French word for "clear" or "transparent," reflecting the project's goal of making the security of container infrastructure easier to see and understand. Clair is written in Go, maintained under the Apache 2.0 license, and hosted by the Quay container registry project. Full architecture and operational documentation is available in a separate online book linked from the repository.

Copy-paste prompts

Prompt 1
Help me call the Clair API to submit a Docker image for vulnerability indexing and then query the results.
Prompt 2
Show me how to integrate Clair into a GitHub Actions CI pipeline so it blocks deploys when critical CVEs are found.
Prompt 3
Explain what Clair's static analysis actually checks inside a container image and how it matches packages to CVE databases.
Prompt 4
Help me set up Clair with an OCI-format image registry and write a script that emails me a daily vulnerability report.

Verify against the repo before relying on details.