Clair is an open-source API-driven analysis engine - interview with Quentin Machu software engineer on the Quay team.

Dear Readers,

Today we would like to share with you an interview with Quentin Machu, software engineer on the Quay team. What is the Clair and Quay Security Scanning? Find out below!


[PenTest Magazine] Please introduce yourself to our readers.

[Quentin Machu] My name is Quentin Machu and I am a software engineer on the Quay team that recently completed his Masters degree in Computer Engineering in France. I am passionate about software engineering and distributed systems. In addition to working on the Quay team at CoreOS, I am maintainer of the Clair open source project, which scans containers for vulnerabilities (


[PM] What are your thoughts about trends in vulnerabilities?

[QM] Vulnerabilities have always existed. But as we record and store more and more sensitive data, on constantly evolving networks and infrastructures, they are becoming significantly important to track and manage. A single leak has the power to ruin a company or product. Some vulnerabilities are now even branded (e.g. Heartbleed, Poodle, Ghost, Freak, …) and have their own logos.

As an example of this trend, it appears that Heartbleed, one of the most famous vulnerabilities (which was released over a year ago) is still affecting nearly 80% of container images stored on Quay. We found this through using Clair in our product. This shows the importance of applying fixes as soon as they arise.


[PM] Can you tell us something about Quay Security Scanning & Clair, in case some of our readers don’t know the tool?

[QM] Clair is an open-source API-driven analysis engine that inspects containers layer-by-layer for known security flaws based on the packages used by those containers. Using Clair, you can easily build services that provide continuous monitoring and notification for container vulnerabilities.

Quay Security Scanning is a new feature running on Quay Hosted that uses Clair to examine the millions of containers stored there for security vulnerabilities. Quay users can log in today to see Security Scanning information on their dashboard, including a list of potentially vulnerable containers in their repositories. Users can also setup notifications (Slack, email, generic webhooks and more) to be alerted every time that either they push a vulnerable container image or that a new vulnerability is released and affects their existing images. This feature is enabled for all repositories stored on Quay, both public and private.

Overall, vulnerabilities will always exist in the world of software. Good security practice means being prepared for the mishaps – to identify insecure packages and be prepared to update them quickly. Clair is designed to help identify insecure packages that may exist in containers.


[PM] How did you came up with idea of creating it?

[QM] The idea came up from a brainstorm around increasing the security of containers, and something that would be really useful for the community. During this discussion, one of our engineers mentioned Heartbleed, the first vulnerability to be branded with a name and a logo, which started us thinking about how we could address similar releases in the container space.

Clair and Quay Security Scanning is the result, with the goal of making it easy for developers to know when their containers are vulnerable with a minimum amount of lead time.


[PM] Your project was released 12 days ago. Have you already got any feedback from users?

[QM] Clair has been well-received by the community and people all around the world are starting to use it to secure their private registries and their own container images. We’ve also had a great deal of interest in contributions and improvements to the system.

People are often really astonished by the amount and the severity of the vulnerabilities that affect their container – that is the most common feedback!


[PM] Can you tell us how exactly does it work?

[QM] Clair analyzes each container layer once, extracting all required data to detect known vulnerabilities, and caches layer data for examination against vulnerabilities discovered in the future. For security reasons, Clair performs this analysis based on the metadata found in the container, rather than running the container itself.

Detecting vulnerabilities can be achieved with several techniques. One option is to compute hashes of binaries. These are presented on a layer and then compared with a database. However, building this database would become tricky considering the vast number of different packages and library versions.

Clair instead takes advantage of common package managers, which quickly and comprehensively provide lists of installed binary and source packages. Package lists are extracted for each layer that composes your container image, with the difference between the layer’s package list and its parent stored. This method is efficient in its use of storage, and allows Clair to scan each layer only once, though that layer may be used in many container images. Coupled with vulnerability databases, such as the Debian’s Security Bug Tracker, Clair is able to tell which vulnerabilities threaten a package and, therefore by extension, the layers and containers themselves.


[PM] Does Clair use the oval data published by various companies?

[QM] Clair uses, at the moment, three trusted sources of vulnerabilities:

* Debian Security Bug Tracker

* Ubuntu CVE Tracker

* Red Hat Security Data (OVAL)

As you can guess from their names, these sources are distro-specific. Thanks to that, Clair can take into consideration all the different package implementations (including backports), and thus, be accurate.

To complement, Clair is, by design, extensible; both detection systems and vulnerability sources can be added quite easily.


[PM] Your tool analyzes millions of containers. How do you store everything?

[QM] Storage efficiency has been a day-one design requirement.

Internally, Clair uses a graph structure abstraction to store and query layer data and thus, can use several different storage backend such as PostgreSQL, BoltDB, MongoDB, LevelDB or even in-memory store. We use and recommend using BoltDB for single-instance deployments or PostgreSQL for distributed deployments.

Clair stores a minimum amount of data, a simple diff for each layer and consequently does not use much space, even for millions of containers. With these diffs, Clair can tell which vulnerability affects which images and send notifications as soon as new vulnerabilities are discovered, without re-scanning any container.


[PM] Clair is an open source tool. How do you feel about sharing your work with others?

[QM] To be honest, I personally got really excited when I learned that it was destined to be an open-source project. We at CoreOS believe that security is not an option; that every actor should work transparently towards it and make this progress publicly available, for the greater good. Nowadays, the majority of our personal and business data are stored online and hacking has become (sadly) a real business. I am glad to contribute to this project to bring people a better understanding and awareness around the vulnerabilities that may jeopardize sensitive data.


[PM]  What is the future of the application?

[QM] This initial Clair release represents a first step to container security analysis. Recent feedback shows that Clair works fine as well with OpenVZ, LXC and rkt images. The next big item on the roadmap is supporting more package managers (pip, npm, …) and compiled apps.


[PM]  Have you got any final thoughts? Is there something you would like to add?

[QM] Feel free to reach me and make contributions to Clair. The true power of an open-source project is its community!




December 9, 2015
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013