Clair 1.0 Brings Advances in Container Security | eWeek

Clair 1.0 Brings Advances in Container Security

container security
Mar 18, 2016
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

As container use grows, there is an increasing need to understand from a security perspective what is actually running in a container. That’s the goal of CoreOS’ Clair container security project, which officially hits the 1.0 milestone today, in an effort to help organizations validate container application security.

Clair was first announced in November 2015 as an open-source effort to identify vulnerable components inside containers. Container applications can integrate any number of different components that could potentially include known vulnerabilities.

“Our authoritative sources for data are currently upstream operating system vendors and the National Vulnerability Database,” Jake Moshenko, product manager at CoreOS, told eWEEK. “We rely on the operating system vendors to provide the lists of affected packages as well as inform us of when they are fixed.”

Clair’s upstream sources of information are also what allow the project to retroactively and immediately identify when old images are found susceptible to new vulnerabilities, Moshenko said. “Clair provides the information about any known vulnerability in container images that users may not otherwise know about. We have additional actionable information in our new APIs that tells developers exactly which of their packages contain vulnerabilities, and which vulnerabilities will be fixed by upgrading to the latest version.”

In terms of rebuilding a container image after a vulnerable component is found, Clair itself doesn’t actually change any user image. That said, Moshenko noted that by using the webhook notifications that come from Clair or from CoreOS’ Quay repository technology, a user could choose to kick off a workflow to automatically update and rebuild their images.

While Clair started out as a CoreOS project, it is an open-source effort, and in the last several months, it has benefited from multiple external contributions.

“Of the 15 contributors to the github.com/coreos/clair repository, only four are paid CoreOS devs,” Moshenko said.

With the 1.0 release of Clair, the project has also added in new extensibility with subsystem components. Moshenko explained that the subsystems provide extension points in the software.

“Anyone who uses Clair is free to add their own sources of truth or indexing strategies,” Moshenko said. “As an example, a large company that tracks its own security vulnerabilities and defects could write their own detectors and fetchers to plug into their infrastructure.”

There are now multiple efforts in the market to help improve container security and detect potential vulnerabilities present in container applications. Docker Inc. announced its Nautilus security effort in November 2015 to help identify vulnerable containers. Linux vendor Red Hat has partnered with Black Duck Software to build Deep Container Inspection to find potential vulnerabilities.

Since Clair is open source, it can be deployed on premises, Moshenko said. Clair also indexes everything it scans up-front and is able to find and notify users about problems without re-running or re-analyzing images.

There are a number of items on the list for Clair’s future development. “We plan to work with smaller operating system vendors to try to get machine readable sources for their vulnerability data,” Moshenko said. “We are also planning built-in support for container images to self-report their software features and vulnerability data without relying on the operating system vendor directly.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.