What is Clair?

Clair is an open source project which provides a tool to monitor the security of your containers through the static analysis of vulnerabilities in appc and docker containers. Clair is an API-driven analysis engine that inspects containers layer-by-layer for known security flaws. Using Clair, you can easily build services that provide continuous monitoring for container vulnerabilities.

Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous state and new state of the vulnerability along with the images they affect can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile-time without forking the project. Clair supports container security by:

  • Updating vulnerability data from a set of sources you define and storing this data in its database
  • Allowing clients to query this database for vulnerabilities within specific images through the use of an API
  • Indexing container images with a list of features present in the image through the use of an API

Clair scans each container layer and provides a notification of vulnerabilities that may be a threat, based on the Common Vulnerabilities and Exposures (CVE) database and similar databases from Red Hat®, Ubuntu, and Debian. Since layers can be shared between many containers, introspection is vital to build an inventory of packages and match that against known CVEs.

Clair has also introduced support for programming language package managers, starting with Python, and a new image-oriented API.

Automatic detection of vulnerabilities will help increase awareness and best security practices across development and operations teams, and encourage action to patch and address the vulnerabilities. When new vulnerabilities are announced, Clair knows right away, without rescanning, which existing layers are vulnerable, and notifications are sent.

For example, CVE-2014-0160, aka "Heartbleed", has been known for some time, yet Red Hat Quay security scanning found it is still a potential threat to a high percentage of the container images users have stored on Quay.

Take note that vulnerabilities often rely on particular conditions in order to be exploited. For example, Heartbleed only matters as a threat if the vulnerable OpenSSL package is installed and being used. Clair isn’t suited for that level of analysis and teams should still undertake deeper analysis as required.
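As an added example (not Clair's own code or API), the following Python model shows the flow described above: each layer is indexed once into package features, vulnerability records are matched against that stored index, and when a vulnerability record changes the affected layers and images are derived from the index alone, without rescanning, to build a webhook-style payload carrying the previous and new state. The Feature and Vulnerability types, the layer digests, package versions, fix versions and the crude version_key ordering are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Feature:            # a package found in a layer by static inspection
    name: str
    version: str
    namespace: str        # distribution the package belongs to, e.g. "debian:7"

@dataclass(frozen=True)
class Vulnerability:      # one record from an upstream vulnerability source
    cve: str
    namespace: str
    feature: str
    fixed_in: str         # first unaffected version; "" means no fix is known yet

def version_key(v):
    """Crude tokenised ordering; a stand-in for real dpkg/rpm version comparison."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-zA-Z]+", v))

def is_affected(feat, vuln):
    if (feat.name, feat.namespace) != (vuln.feature, vuln.namespace):
        return False
    return vuln.fixed_in == "" or version_key(feat.version) < version_key(vuln.fixed_in)

def affected_layers(vuln, layers):
    """Match one vulnerability against the stored layer index: no image rescans needed."""
    return {digest for digest, feats in layers.items() if any(is_affected(f, vuln) for f in feats)}

def affected_images(layer_digests, images):
    """Layers are shared, so one vulnerable layer can implicate many images."""
    return {name for name, ls in images.items() if set(ls) & layer_digests}

def notification(old, new, layers, images):
    """Webhook-style payload: previous state, new state, and the images each one affects."""
    def state(v):
        if v is None:
            return {"fixed_in": None, "images": []}
        return {"fixed_in": v.fixed_in, "images": sorted(affected_images(affected_layers(v, layers), images))}
    return {"cve": new.cve, "old": state(old), "new": state(new)}

# Constructed layer index and image manifests (digests, versions and tags are made up)
LAYERS = {
    "sha256:aaa": {Feature("openssl", "1.0.1e-2", "debian:7")},
    "sha256:bbb": {Feature("openssl", "1.0.1g-1", "debian:7"), Feature("bash", "4.2", "debian:7")},
    "sha256:ccc": {Feature("openssl", "1.0.1e-2", "ubuntu:14.04")},   # other namespace: not matched
}
IMAGES = {"app:1": ["sha256:aaa"], "app:2": ["sha256:bbb"], "job:1": ["sha256:aaa", "sha256:bbb"], "web:1": ["sha256:ccc"]}
HEARTBLEED = Vulnerability("CVE-2014-0160", "debian:7", "openssl", "1.0.1e-3")   # fix version constructed

if __name__ == "__main__":
    print(notification(None, HEARTBLEED, LAYERS, IMAGES))
```

Re-running notification with an updated record (for example a revised fixed_in) reuses the same index and reports only the layers and images whose status actually changed.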

Clair is part of the open source Project Quay. The Kubernetes platform Red Hat OpenShift® can utilize Clair for container security through a Kubernetes Operator called the Container Security Operator which is itself a component of Red Hat Quay. Red Hat Quay is an open source container image registry platform which enables you to build, distribute, and deploy containers across global datacenters, focusing on cloud-native and DevSecOps development models and environments.

The Quay Container Security Operator—which integrates with Red Hat OpenShift—allows you to increase the security of your image repositories with automation, authentication, and authorization systems. Red Hat Quay is available with Red Hat OpenShift or as a standalone component.

As part of Red Hat’s commitment to open source communities, Red Hat will continue participating in the development of Project Quay as a member of the Cloud Native Computing Foundation.

Red Hat makes significant contributions to the engineering of new features for Clair and Project Quay. Red Hat also runs one of the key databases of vulnerabilities used by Clair. In addition, Red Hat runs the largest installation of Clair via quay.io which serves as a real-world load testing environment.

© 2022 Red Hat, Inc.