Clair

Transparent vulnerability scanning for container images using static analysis

Clair provides automated static analysis of OCI and Docker container images, indexing them via an API to detect known vulnerabilities and give teams clear insight into container security.

Overview

Clair is a service that performs static analysis of container images to identify known vulnerabilities. It accepts OCI‑compliant and Docker images, indexes them through a RESTful API, and matches each layer against vulnerability databases. The result is a clear, machine‑readable report that developers and security teams can consume to assess the risk of any image before it runs in production.

Who should use it

The tool is aimed at security engineers, DevOps practitioners, and platform teams that need automated, repeatable scanning as part of CI/CD pipelines or Kubernetes admission controls. Because Clair runs as a standalone service, it can be deployed on‑premises or in any cloud environment, and it integrates easily with existing registries and orchestration platforms. Stable binaries are distributed via the project's releases page, ensuring a reliable production footprint while the main branch remains a development sandbox.

Highlights

  • Static analysis of OCI and Docker images
  • API-driven image indexing and vulnerability matching
  • Transparent reporting of known CVEs
  • Designed for integration with CI/CD pipelines

Pros

  • Clear, transparent vulnerability results
  • Supports both OCI and Docker image formats
  • API enables automation
  • Active community and frequent releases

Considerations

  • Main branch may be unstable; use releases for production
  • Requires external vulnerability data feeds
  • Setup can be complex for beginners
  • Limited to static analysis, no runtime scanning

Managed products teams compare with

When teams consider Clair, these hosted platforms usually appear on the same shortlist.

Anchore

Container security and compliance platform for scanning container images and software supply chains

Aqua Security

Cloud-native security platform focusing on container and Kubernetes protection from development to runtime

Sysdig

Cloud-native security and monitoring

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Security teams needing automated container vulnerability scans
  • DevOps pipelines that require API-driven image assessment
  • Organizations adopting OCI/Docker standards
  • Teams valuing transparent security reporting

Not ideal when

  • Environments that need real-time runtime protection
  • Users seeking a single‑click GUI tool
  • Projects requiring out‑of‑the‑box vulnerability feeds without configuration
  • Teams without capacity to manage a service deployment

How teams use it

CI/CD pipeline integration

Automatically fail builds that contain images with known vulnerabilities

Kubernetes admission control

Block deployment of container images that exceed defined CVE thresholds

Periodic security audit

Generate comprehensive reports of all images stored in a registry

Compliance monitoring

Map container images to regulatory vulnerability requirements and alert on violations

Tech snapshot

  • Go: 92%
  • jq: 3%
  • Makefile: 2%
  • Shell: 1%
  • Dockerfile: 1%
  • Smarty: 1%

Tags

kubernetes, oci, static-analysis, containers, go, vulnerabilities, oci-image, docker, clair

Frequently asked questions

What image formats does Clair support?

Clair can analyze OCI and Docker container images.

How is Clair accessed?

Through its RESTful API, you can index images and query for vulnerabilities.

Where can I obtain stable binaries?

Use the releases page; the main branch may be unstable.

What license is Clair released under?

Apache‑2.0.

How can I contribute or get support?

Join the mailing list, IRC channel, or file issues on GitHub.

Project at a glance

Active
Stars: 10,903
Watchers: 10,903
Forks: 1,195
License: Apache-2.0
Repo age: 10 years old
Last commit: 23 hours ago
Primary language: Go

Last synced 2 hours ago