Clair

Analyzes container images layer-by-layer to identify vulnerabilities using static analysis and integrates with registries for security monitoring

+ Static Analysis: Scans container image contents for known vulnerabilities using static code analysis, enabling users to detect issues before deployment
+ Layer-by-Layer Analysis: Examines each image layer independently to identify vulnerabilities, which helps pinpoint problems in specific layers
+ API Driven: Offers an API that clients use for image indexing and vulnerability queries, allowing for integration with custom workflows and automation processes
+ Vulnerability Reporting API: Provides endpoints that output lists of vulnerabilities present in container images and gives users a straightforward method to retrieve and display scan results
+ Health Check API: Exposes endpoints for monitoring the operational status of modules and services
+ Vulnerability Data Storage: Stores vulnerability information in a dedicated database for subsequent querying, allowing users to retrieve historical and current security data reliably
+ Vulnerability Data Synchronization: Imports vulnerability data from external sources when updates occur and helps keep the stored information current and relevant for ongoing security assessment
+ Vulnerability Severity Scores: Uses data from external systems such as the National Vulnerability Database (NVD) to provide standard severity scores, assisting users in understanding the impact of each vulnerability
+ Webhook Alerts: Sends notifications to configured endpoints when vulnerability data changes, for timely review and response by security teams
+ Component Customization: Allows users to alter components programmatically at compile time, providing the flexibility needed to adapt the tool to varying security requirements
+ Image Indexing: Creates an index of container image contents by processing each layer, allowing for the retrieval of detailed component lists during vulnerability scans
+ Vulnerability Data Enrichment: Matches detected vulnerabilities with external databases to supplement the available information
+ Registry Integration: Connects with container registries, such as Red Hat Quay, to tie image storage and scanning processes together
+ Image Format Support: Processes container images in various formats (OCI and Docker)
+ Regular Interval Scanning: Provides container scanning at set time intervals to keep security status up to date
+ Component Scaling: Allows modules to run on different computing nodes to manage system resources and balance loads in varying deployment scenarios
+ Custom Data Sources: Permits users to define the sources from which vulnerability data is imported, tailoring the data feed to meet an organization’s specific needs
+ Vulnerability Identifier Matching: Links detected vulnerabilities to standard identifiers such as those in the Common Vulnerabilities and Exposures (CVE) database, helping cross-reference issues with external security records
+ CI/CD Pipeline Integration: Supports the inclusion of vulnerability scanning steps in continuous integration and delivery workflows through its API
+ Audit Trail Logging: Records events generated during image analysis to support review and tracking
+ Kubernetes Operator Integration: Supports integration with Kubernetes Operators to manage scan tasks in container-orchestrated systems
- Indexing Time: The time taken to index image layers varies based on the structure of each image. This variation can postpone the generation of vulnerability reports for the user.
- Manual Scaling: Operates on a set scanning schedule that may not adapt automatically to changes in workload. Increasing capacity to scan more images requires manual configuration of resources and scaling. This process may prevent the user from relying on automatic adjustment to meet workload demands.
- Database Load Increase: Continuous scanning and indexing generate a high volume of database queries. This load can interfere with the user’s access to vulnerability data when needed.
- Non-Real-Time Analysis: Analyzes container images after they are built rather than while they operate. This design stops the user from monitoring changes in container behavior continuously.

Developer

QUAY, Red Hat Inc

Written in

Go

Initial Release

14 November 2015