Static analysis tool for vulnerabilities in container images (used by Quay.io).
| Item | Value |
|---|---|
| Type | OSS |
| License | Apache-2.0 |
| Pricing | Free |
| Homepage | https://github.com/quay/clair |
| Latest Version | v4.9.0 |
| Last Updated | 2025-12-10 |
| Feature | Supported |
|---|---|
| Container Scanning | ✅ |
| Language/Library Scanning | ❌ |
| SBOM Generation | ❌ |
| Policy Evaluation | ❌ |
| IaC Scanning | ❌ |
| Secret Detection | ❌ |
| License Scanning | ❌ |
| Build Tool Plugin | ❌ |
| API Server | ✅ |
| Agentless SSH Scanning | ❌ |
| Dashboard | ❌ |
| Centralized Management | ❌ |
Feature reference: Official Documentation
Source: https://github.com/quay/clair/releases
securityv4.9.0 Release
enrichment: don't consider vulnerability.Description for enrichments
postgres: better GetEnrichments query
rpm: fix use of unique.Handle pinning fs.FS
vex: account for new VEX RPM module logic
cvss: switch to NVD 2.0 JSON feeds
chore: upgrade from pgx v4 to v5
vex: allow timeout to pull down VEX archive to be configurable
rpm: add function to determine if packages are installed from RPMs
sbom: add encoder to encode index reports as SPDX documents
rhel: deprecate updater in favor of VEX updater
suse: dynamic distribution discovery
securityv4.8.0 Release
This release deprecates the updaters that rely on the Red Hat OVAL v2 security data in favor of the Red Hat VEX data. This change includes a database migration to delete all the vulnerabilities that originated from the OVAL v2 feeds, meaning there could be a time in production environments before the VEX updater completes for the first time when no Red Hat vulnerabilities exist. This release also contains a clairctl admin command to clean up the deprecated vulnerabilities outside of the migration workflow which allows an operator to pre-run the migration:
clairctl -D admin pre v4.8.0
rhel: move IgnoreUnpatched config key from updater to matcher
rhel: add csaf/vex updater
datastore: add vuln and enrich stream updates
cpe: add match expression support
/fast-forward commandbuild_and_deploy.sh scriptGOTOOLCHAINgo commandbuildctl usage more convenientgit archivefeaturev4.7.4 Release
The default layer download location has changed
tarfs: follow hardlinks in ReadFile
debian: update how "source" packages are handled
dpkg: improve Source handling
libindex: add O_TMPFILE fallback logic
osv: parse database_specific severity when no CVSS severity is defined
featurev4.7.3 Release
Highlights:
featurev4.7.2 Release
crda: remove crda support
chore: update toolkit to latest version v1.1.1
admin: add pre v4.7.3 admin command to create index
contrib: add grafana dashboards for deletion metrics
docs: add dropins to prose documentation
featurev4.7.1 Release
featurev4.7.0 Release
admin subcommandfeaturev4.7.0-rc.1 Release
cmd.LoadConfigcmd.LoadConfiggo get commandfeaturev4.6.1 Release
featurev4.6.0 Release
set-outputclairctl binariesrequest_id to logsfeaturev4.5.1 Release
featurev4.5.0 Release
bugfixv4.5.0-rc.0 Release
docker-compose versionfeaturev4.4.4 Release
featurev4.4.3 Release
featurev4.4.2 Release
featurev4.4.1 Release
featurev4.4.0 Release
featurev4.4.0-rc.7 Release
featurev4.4.0-rc.6 Release
featurev4.4.0-rc.5 Release
featurev4.3.6 Release
featurev4.3.5 Release
featurev4.3.4 Release
featurev4.3.2 Release
featurev4.3.0 Release
securityv4.3.0-rc.0 Release
featurev4.2.3 Release
featurev4.1.6 Release
featurev4.2.2 Release
Generated at 2026-07-10 22:23 UTC