What is Clair?

Clair is an open source project that monitors the security of your containers through static analysis: it inspects appc and Docker container images layer by layer for known vulnerabilities. Clair is an API-driven analysis engine, so you can use it to build services that provide continuous monitoring for container vulnerabilities.

Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images to produce a list of the vulnerabilities that threaten a container. When vulnerability data changes upstream, the previous and new state of the vulnerability, along with the images it affects, can be sent via webhook to a configured endpoint. All major components can be customized programmatically at compile time without forking the project. Clair supports container security by:

  • Updating vulnerability data from a set of sources you define and storing this data in its database
  • Allowing clients to query this database for vulnerabilities within specific images through the use of an API
  • Indexing container images with a list of features present in the image through the use of an API

Clair scans each container layer and reports vulnerabilities that may be a threat, based on CVE identifiers (Common Vulnerabilities and Exposures) and the per-distribution security data published by Red Hat®, Ubuntu, and Debian. Since layers are shared between many containers, introspecting each layer once to build an inventory of its packages, and matching that inventory against known CVEs, is essential.

Clair has also added support for programming language package managers, starting with Python, and a new image-oriented API.

Automatic detection of vulnerabilities helps raise awareness of security best practices across development and operations teams and encourages action to patch and address the vulnerabilities. Because the package inventory of every layer is already indexed, when a new vulnerability is announced Clair can determine immediately, without rescanning, which existing layers are affected, and notifications are sent.
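The index-then-match workflow described above is easier to see in code. The following is an added example that models it in miniature; it is not Clair's own code, and the layer manifests, image definitions, vulnerability records (including the "fixed in" versions and the TOY-2024-0001 identifier) and the version comparison are constructed for illustration. Each layer is inspected exactly once to produce a feature inventory; vulnerability data is then correlated with that stored inventory, and a change in the vulnerability data is answered by re-running the match, not by rescanning any layer. The output of the diff mirrors the webhook payload: the previous state, the new state, and the images affected.

```python
"""Toy model of Clair's index-then-match workflow (added example, not Clair's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed layer manifests: layer digest -> packages found by static inspection.
# The base layer is shared by two images and is indexed only once.
LAYERS = {
    "sha256:base-debian": {"openssl": "1.0.1e-2", "libc6": "2.19-18"},
    "sha256:app-python": {"python3": "3.9.2-3", "requests": "2.25.1"},
    "sha256:alpine-base": {"openssl": "1.0.2u-r0", "musl": "1.2.2"},
}

# Constructed images, each an ordered list of layer digests.
IMAGES = {
    "registry/web:1.0": ["sha256:base-debian", "sha256:app-python"],
    "registry/worker:1.0": ["sha256:base-debian"],
    "registry/edge:1.0": ["sha256:alpine-base"],
}


@dataclass(frozen=True)
class Vulnerability:
    id: str
    package: str
    fixed_in: Optional[str]  # None means no fixed version is known yet


def version_key(version: str):
    """Toy version ordering: numeric runs compare as integers, alpha runs as strings.
    Real Clair uses the distribution's own semantics (dpkg, rpm, ...); this is an assumption."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(installed: str, fixed_in: Optional[str]) -> bool:
    """Installed version is affected if it sorts before the fix, or if there is no fix."""
    if fixed_in is None:
        return True
    return version_key(installed) < version_key(fixed_in)


def index_layers(layers):
    """Index step: build one feature inventory per layer. Runs once per layer digest."""
    return {digest: dict(pkgs) for digest, pkgs in layers.items()}


def match(index, images, vulns):
    """Match step: correlate vulnerability data with the stored index. No layer is rescanned."""
    report = {}
    for vuln in vulns:
        bad_layers = {digest for digest, pkgs in index.items()
                      if vuln.package in pkgs and is_vulnerable(pkgs[vuln.package], vuln.fixed_in)}
        affected = sorted(img for img, layer_list in images.items() if bad_layers & set(layer_list))
        if affected:
            report[vuln.id] = affected
    return report


def notifications(index, images, old_db, new_db):
    """Diff two snapshots of the vulnerability data and emit (id, previous_images, new_images)
    for every vulnerability whose set of affected images changed, as a webhook would."""
    before = match(index, images, old_db)
    after = match(index, images, new_db)
    events = []
    for vid in sorted(set(before) | set(after)):
        if before.get(vid) != after.get(vid):
            events.append((vid, before.get(vid, []), after.get(vid, [])))
    return events


# Constructed vulnerability snapshots. The Heartbleed fix version is illustrative only.
OLD_DB = [Vulnerability("CVE-2014-0160", "openssl", "1.0.1e-2+deb7u5")]
NEW_DB = OLD_DB + [Vulnerability("TOY-2024-0001", "requests", "2.26.0")]  # hypothetical entry

if __name__ == "__main__":
    index = index_layers(LAYERS)          # indexed once
    print(match(index, IMAGES, OLD_DB))   # Heartbleed hits both images sharing the base layer
    for event in notifications(index, IMAGES, OLD_DB, NEW_DB):
        print("notify:", event)           # only the newly affected image is reported
```

Note what the model does and does not tell you: it says that a vulnerable package version is present in a layer, not that the package is loaded or reachable at runtime, which is the caveat raised for Heartbleed below.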

For example, CVE-2014-0160, aka "Heartbleed", has been known for some time, yet Red Hat Quay security scanning found it is still a potential threat to a high percentage of the container images users have stored on Quay.

Note that vulnerabilities often depend on particular conditions to be exploitable. Heartbleed, for example, is only a threat if the vulnerable OpenSSL package is both installed and actually used by a running process. Clair's static package inventory does not reach that level of analysis, so treat its findings as a prioritized inventory of exposure rather than proof of exploitability, and undertake deeper analysis as required.

Clair is part of the open source Project Quay. The Kubernetes platform Red Hat OpenShift® can use Clair for container security through a Kubernetes Operator called the Container Security Operator, which is itself a component of Red Hat Quay. Red Hat Quay is an open source container image registry platform that enables you to build, distribute, and deploy containers across global datacenters, with a focus on cloud-native and DevSecOps development models and environments.

The Quay Container Security Operator, which integrates with Red Hat OpenShift, allows you to increase the security of your image repositories with automation, authentication, and authorization systems. Red Hat Quay is available with Red Hat OpenShift or as a standalone component.

Red Hat OpenShift Service on AWS (ROSA) can build images from your source code, deploy them, and manage their lifecycle. It provides an internal, integrated container image registry that can be deployed in your ROSA environment to manage images locally. Quay.io, a public Red Hat Quay container registry instance provided and maintained by Red Hat, serves most of the container images and Operators to ROSA clusters. Red Hat Quay is available both as a hosted service and as software you can install in your own data center or cloud environment. Advanced features in Red Hat Quay include geo-replication, image scanning, and the ability to roll back images; image scanning is performed by Clair, which can be part of your overall OpenShift configuration.

As part of Red Hat's commitment to open source communities, Red Hat will continue participating in the development of Project Quay as a member of the Cloud Native Computing Foundation.

Red Hat makes significant contributions to the engineering of new features for Clair and Project Quay. Red Hat also runs one of the key vulnerability databases used by Clair. In addition, Red Hat runs the largest installation of Clair, at quay.io, which serves as a real-world load testing environment.
