Product Overview of Clair
Introduction
Clair is an open-source tool designed to enhance the security of container-based infrastructure by performing continuous static analysis to detect vulnerabilities in container images. Developed originally as a side project at CoreOS by the Quay team, Clair has evolved into a robust and scalable solution for ensuring the security of container images.
Key Features
Continuous Vulnerability Analysis
Clair conducts layer-by-layer analysis of container images to identify known security vulnerabilities. It imports vulnerability data from reputable sources, such as the National Vulnerability Database (NVD), and correlates this data with the indexed contents of container images to produce comprehensive lists of vulnerabilities.
Real-Time Updates and Notifications
When new vulnerabilities are published or existing vulnerability data changes, Clair can immediately identify which container image layers are affected without the need for a full re-scan of the images. This capability allows for real-time notifications via webhooks to configured endpoints, ensuring prompt action can be taken to address vulnerabilities.
Integration with Container Registries
Clair works seamlessly with container registries such as Quay, Amazon ECR, and the Red Hat Container Catalog. This integration enables automatic detection and reporting of vulnerabilities as new container images are pushed to the registry, ensuring that users have clear visibility into the security of the images they are using.
Customization and Scalability
Clair is highly customizable and scalable. All major components can be tailored programmatically at compile-time without requiring forks of the project. This flexibility allows Clair to be deployed in various configurations, including standalone and Operator deployments, making it suitable for enterprise environments.
ClairCore
For applications that need to embed Clair’s capabilities directly, ClairCore is available. ClairCore is a set of Go modules that provide the core static analysis mechanism of Clair. It includes Indexers, which track vulnerabilities for specific software categories, and Matchers, which determine vulnerabilities across all layers of a container image manifest.
Severity Mapping and Reporting
Clair uses the Common Vulnerability Scoring System (CVSS) data from the NVD to enrich vulnerability information. It normalizes security database severity strings, making it easier for users to assess and react to vulnerability severities consistently. The tool generates comprehensive vulnerability reports that include detailed information such as severity scores, descriptions, and references.
Functionality
Indexing and Matching
Clair’s indexing service breaks down container image manifests into their essential components, uncovering contained packages, origin distributions, and package repositories. This information is stored in Clair’s database and used by the matcher service to identify vulnerabilities across all layers of the image.
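The index-once, match-many design described above (layer-by-layer indexing, matching across all layers of a manifest, and re-matching a newly published vulnerability against stored layer inventories without re-scanning images) is sketched below as an added illustration; it is not Clair or ClairCore code. Package data, layer digests and advisory identifiers are constructed, and version ordering is a simplified dotted-integer comparison rather than a real dpkg or rpm comparator.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    version: str
    distro: str  # origin distribution the indexer recovered, e.g. "debian:12"

@dataclass(frozen=True)
class Vulnerability:
    id: str
    package: str
    distro: str
    fixed_in: str  # first version that is no longer affected

def _vkey(version):
    # Simplified ordering for constructed versions; real scanners use dpkg/rpm comparators.
    return tuple(int(p) for p in version.split("."))

def _affected(pkg, vuln):
    return (pkg.name == vuln.package and pkg.distro == vuln.distro
            and _vkey(pkg.version) < _vkey(vuln.fixed_in))

class ToyClair:
    def __init__(self):
        self.layers = {}     # layer digest -> frozenset[Package], indexed exactly once
        self.manifests = {}  # manifest hash -> ordered list of layer digests
        self.feed = []       # vulnerability database

    def index_manifest(self, manifest_hash, layer_contents):
        """Indexer role: store per-layer inventory; shared layers are not re-indexed."""
        for digest, pkgs in layer_contents.items():
            self.layers.setdefault(digest, frozenset(pkgs))
        self.manifests[manifest_hash] = list(layer_contents)

    def vulnerability_report(self, manifest_hash):
        """Matcher role: join every indexed layer of the manifest against the feed."""
        return sorted({(v.id, p.name, p.version, digest)
                       for digest in self.manifests[manifest_hash]
                       for p in self.layers[digest] for v in self.feed if _affected(p, v)})

    def publish_vulnerability(self, vuln):
        """New advisory: find affected manifests from stored inventories, no re-scan (webhook trigger)."""
        self.feed.append(vuln)
        hit = {d for d, pkgs in self.layers.items() if any(_affected(p, vuln) for p in pkgs)}
        return sorted(m for m, ds in self.manifests.items() if hit & set(ds))

def demo():
    # Constructed sample: two images sharing one base layer.
    base = {Package("openssl", "3.0.11", "debian:12"), Package("zlib", "1.2.13", "debian:12")}
    c = ToyClair()
    c.index_manifest("sha256:imageA", {"sha256:base": base, "sha256:a1": {Package("curl", "7.88.1", "debian:12")}})
    c.index_manifest("sha256:imageB", {"sha256:base": base, "sha256:b1": {Package("curl", "8.5.0", "debian:12")}})
    c.feed.append(Vulnerability("ADV-EXAMPLE-1", "curl", "debian:12", "8.0.0"))
    report_a = c.vulnerability_report("sha256:imageA")          # only the old curl in imageA
    affected = c.publish_vulnerability(Vulnerability("ADV-EXAMPLE-2", "openssl", "debian:12", "3.0.12"))
    return report_a, affected                                    # base layer is shared, so both images
```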
API-Driven Analysis
Clair operates as a set of RESTful services, allowing for easy integration into various runtime architectures. This API-driven approach enables the automation of vulnerability detection and reporting within continuous integration and deployment pipelines.
Licensing
Clair is licensed under the Apache 2.0 License, which permits use in both commercial and personal projects and makes it a versatile tool for a broad range of use cases.
In summary, Clair is a powerful tool for ensuring the security of container images through continuous static analysis, real-time vulnerability updates, and seamless integration with container registries. Its customizable, scalable, and API-driven design makes it an essential component for maintaining a secure software supply chain.