Clair Security Scanner by Quay.io / Redhat
Open source static analysis container image vulnerability scanner, originally by CoreOS.
Not as high quality, as easy to use or as reliable as Trivy / Grype in my experience; see this issue.
- Indexer service
  - records the layers of container images and produces an IndexReport per manifest
- Matcher service
  - matches IndexReports from the Indexer service against known vulnerabilities, producing a VulnerabilityReport
  - runs Updaters in the background to periodically download vulnerability info into the DB
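The Matcher's VulnerabilityReport is what a CI gate actually consumes (it is what `clairctl report` retrieves). Added example, not code from this page or from the Clair project: it parses a constructed report, counts findings by severity and blocks on a threshold. The field names used (`vulnerabilities`, `normalized_severity`, `package`, `fixed_in_version`) are assumed from the Clair v4 API.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Clair v4 VulnerabilityReport; the field
# names are assumed from the Clair v4 API and trimmed to the keys used below.
SAMPLE_REPORT = json.dumps({
    "manifest_hash": "sha256:" + "0" * 64,  # placeholder digest
    "packages": {
        "1": {"id": "1", "name": "openssl", "version": "1.1.1k-1"},
        "2": {"id": "2", "name": "zlib", "version": "1.2.11-1"},
    },
    "vulnerabilities": {
        "10": {"id": "10", "name": "EXAMPLE-0001", "normalized_severity": "Critical",
               "package": {"id": "1", "name": "openssl", "version": "1.1.1k-1"},
               "fixed_in_version": "1.1.1n-1"},
        "11": {"id": "11", "name": "EXAMPLE-0002", "normalized_severity": "Low",
               "package": {"id": "2", "name": "zlib", "version": "1.2.11-1"},
               "fixed_in_version": ""},  # empty string = no fix available yet
    },
    "package_vulnerabilities": {"1": ["10"], "2": ["11"]},
})

# Clair's normalized severities, ordered; anything unrecognised ranks as Unknown.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

def summarize(report_json, fail_on="High"):
    """Return (counts_by_severity, blocking_findings) for a VulnerabilityReport."""
    report = json.loads(report_json)
    counts = Counter()
    blocking = []
    threshold = SEVERITY_RANK[fail_on]
    for vuln in report.get("vulnerabilities", {}).values():
        sev = vuln.get("normalized_severity", "Unknown")
        counts[sev] += 1
        # Unknown-severity findings rank lowest, so they only block at fail_on="Unknown".
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            pkg = vuln.get("package", {})
            blocking.append({"vuln": vuln["name"],
                             "package": f"{pkg.get('name')} {pkg.get('version')}",
                             "fixed_in": vuln.get("fixed_in_version") or None})
    return dict(counts), blocking

def gate(report_json, fail_on="High"):
    """CI gate: True when no finding reaches the fail_on severity."""
    return not summarize(report_json, fail_on)[1]

if __name__ == "__main__":
    counts, blocking = summarize(SAMPLE_REPORT)
    print(f"severity counts: {counts}")
    print(f"blocking at High and above: {blocking}")
```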
https://quay.io/repository/projectquay/clair
See HariSekhon/Templates clair.yaml for config
Mode and config are set via environment variables:

```shell
CLAIR_MODE=combo
CLAIR_CONF=/path/to/mounted/config.yaml
```

or CLI:

```shell
clair -conf "path/to/config.yaml" -mode "combo"  # indexer / matcher / notifier / combo
```

Submit manifest to clair using clairctl

https://quay.github.io/clair/reference/clairctl.html
Installs the clair daemon, not clairctl - there is no brew package for clairctl:

```shell
brew install clair
```

Make sure to run this outside any Go directory with a go.mod file:

```shell
GO111MODULE=on go install github.com/quay/clair/v4/cmd/clairctl@latest
```

Prints a manifest for a given docker image:

```shell
clairctl manifest "$DOCKER_IMAGE:$DOCKER_TAG"
```

--host defaults to localhost:6060:

```shell
clairctl --host "$CLAIR_HOST" report "$DOCKER_IMAGE:$DOCKER_TAG"
```

From HariSekhon/Jenkins and HariSekhon/Diagrams-as-Code repos:
Ported from private Knowledge Base page 2023+