Celebrating Clair v2.0.0, the container security scanner

• By Jimmy Zelinskie

Organizations around the world have begun adopting container-oriented infrastructure in the past few years. The first step on the path to container enlightenment is packaging software in container images. Thinking of containers as black boxes is extremely useful for the consistent deployment of software. However, this abstraction is a double-edged sword: If the container is a black box, how do deployers know what’s in it?

Clair is an open source container analyzer announced by CoreOS in November 2015 that aims to address this concern. Clair performs static analysis of container images and correlates their contents with public vulnerability databases.

Today, we’re happy to announce the release of Clair v2.0.0. Clair v2 delivers new capabilities that render container contents more visible and more verifiable.

Clair v2 understands several new base (or FROM ) operating system images. The ability to identify flaws and vulnerabilities in container images based on Alpine Linux versions 3.3 through 3.5 expands Clair’s coverage to one of the most popular base operating systems. Oracle Linux versions 5, 6, and 7 are popular base system images for containers in the enterprise, and Clair v2 knows how to find and offer fixes for issues in those containers thanks to open-source work from Oracle’s Avi Miller. To handle this growing list of supported base systems and package managers, Clair v2 adds better comprehension of their disparate version formats.

Quay Enterprise and Clair administrators managing on-site Quay registries using Clair v1 will need to manually update the Clair configuration file to accommodate a format change for Clair v2. In exchange for this bit of admin work, the new Clair has much more detailed and clearer error descriptions, and writes such messages and other operational data to a log file in the more easily exchanged and processed JSON format.

This release was the product of direct feedback from Quay registry users and the work of many open source contributors: Abhilash Raj, Alexei Ledenev, Alexey Miroshkin, Andrew Lewis, Avi Miller, Bill Wang, Chris Kühl, David Xia, Fabian Ruff, Harsha Yalamanchili, Jens Piegsa, Josue Diaz, Julien Garcia Gonzalez, Kevin Burke, Lei Jitang, Liang Chenye, Lorenz Bausch, Masaya Yamauchi, Mats Linander, Matthew Moore, Matthias Nüßler, Michael Stapelberg, Mike Fiedler, Nick Platt, Robin Yue, Sergei Mamonov, Sida Chen, Stephane Jourdan, Steven Trescinski, Teppei Fukuda, Thomas Boerger, Tianon Gravi, Tobias Sarnowski, Vincent Batts, Yang Shukui, pizzarabe, and ruokai-lai.

In this release, we thank Nick Platt and the Spotify team for adding improved logging and suggesting changes to the Clair database schema feature.

Contribute to Clair

With wide coverage of the contents in users’ container images in place, the goal of Clair’s next major release will be improving the experience of running Clair for other purposes, and using its features in other projects. Making Clair easier to operate will give a new set of users insight into container contents.

You can help us make containers more transparent and secure: Checking out the Clair roadmap and learning how to set up a Clair development environment are great ways to get started. And as always, CoreOS is hiring.