
Push and Analyse containers with Clair

Project description

Paclair is a Python 3 CLI tool to interact with CoreOS's Clair.


  • Now compatible with Clair V3 (delete is not available)
  • No need to have docker installed since Paclair interacts directly with the registries.
  • Compatible with all registries.
  • Simple to use.
  • Easy integration in a CI job thanks to a lightweight output mode.


To install Paclair, simply use pip (or pipenv):

$ pip install paclair




An example configuration file is available in the conf directory:

General:
  clair_url: 'https://localhost:6060'
  # clair_api_version: 3
  # Whitelist known CVEs that should not be shown in the HTML report
  # cve_whitelist:
  #   - CVE-2016-9843
  #   - CVE-2016-9840
  #   - CVE-2016-6313
Plugins:
  Docker:
    class: paclair.plugins.docker_plugin.DockerPlugin
    registries:
      registry1:  # placeholder for the registry hostname
        token_url: "{image.repository}/v2/token?"
        protocol: 'http'
        api_prefix: '/api/docker/{image.repository}'
        auth:
          - "*****"
          - "*****"
      # Example for a private gitlab server
      registry2:  # placeholder for the registry hostname
        # If using https with an internal CA, ensure verify is pointing to it
        protocol: 'https'
        verify: "/etc/ssl/certs/ca-certificates.crt"
        auth:
          - "*****"
          - "*****"
      # Example for ECR Docker Repository
      registry3:  # placeholder for the registry hostname
        # Execute this command to get the token:
        #   aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken'
        token: ""
        protocol: 'https'
        token_type: Basic

Plugins are dynamically loaded during execution. That's why you have to specify the class of each plugin you want to use.

We have various plugins to interact with different sources (e.g. Docker registry, Elasticsearch) because we use a custom variant of Clair which can analyse more than Docker images.

If you want to use Paclair only to analyse Docker images, don't bother with other plugins.


| Config Option | Description |
|---|---|
| General::clair_url | URL of the Clair server. |
| General::verify | Either a boolean, in which case it controls whether we verify the server's TLS certificate, or a string, in which case it must be a path to a CA bundle to use. |
| General::clair_api_version | Clair API version. If different from 3, will be set to default. Defaults to 1. |
| General::html_template | HTML template. You can use a custom HTML template when using html output. |
| General::cve_whitelist | List of CVEs not to be included in the report after analysis (stats or html). |
| Plugins | List of plugins to use. If you only want to analyse Docker images, keep the default configuration. |
| Plugins::Docker::class | Class for the Docker plugin. |
| Plugins::Docker::registries | You can specify configuration for registries (authentication, …) if needed. |
| Plugins::Docker::registries::registry1::auth | login/password |
| Plugins::Docker::registries::registry1::verify | Either a boolean, in which case it controls whether we verify the server's TLS certificate, or a string, in which case it must be a path to a CA bundle to use. |
| Plugins::Docker::registries::registry1::protocol | Protocol to use (http or https). Defaults to https. |
| Plugins::Docker::registries::token | You can specify an authentication token (use with token_type). Defaults to None. |
| Plugins::Docker::registries::token_type | Specify the token type. Defaults to Bearer. |
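The `protocol` and `verify` options decide whether registry credentials and Clair traffic are protected in transit. The following is an added example, not part of Paclair, that reviews an already-parsed configuration for those settings; the function name `audit_conf`, the registry names and the sample values are assumptions made for illustration.

```python
# Added example, not Paclair code: flag weak transport settings in a parsed conf.

def audit_conf(conf):
    """Return a list of (location, finding) for risky TLS/credential settings."""
    findings = []
    general = conf.get("General") or {}
    if general.get("verify") is False:
        findings.append(("General", "verify is false: Clair TLS certificate is not checked"))
    if str(general.get("clair_url", "")).startswith("http://"):
        findings.append(("General", "clair_url uses plain http"))

    docker = (conf.get("Plugins") or {}).get("Docker") or {}
    for name, reg in (docker.get("registries") or {}).items():
        reg = reg or {}
        protocol = reg.get("protocol", "https")  # documented default is https
        has_secret = bool(reg.get("auth") or reg.get("token"))
        if protocol == "http" and has_secret:
            findings.append((name, "credentials sent over plain http"))
        elif protocol == "http":
            findings.append((name, "registry reached over plain http"))
        if reg.get("verify") is False:
            findings.append((name, "verify is false: registry TLS certificate is not checked"))
    return findings


# Constructed sample configuration, as it would look after loading the YAML file.
SAMPLE_CONF = {
    "General": {"clair_url": "https://localhost:6060"},
    "Plugins": {"Docker": {
        "class": "paclair.plugins.docker_plugin.DockerPlugin",
        "registries": {
            # Weak: login/password over http.
            "registry1": {"protocol": "http", "auth": ["user", "secret"]},
            # Corrected form: https, verified against an internal CA bundle.
            "registry2": {"protocol": "https",
                          "verify": "/etc/ssl/certs/ca-certificates.crt",
                          "auth": ["user", "secret"]},
            # Weak: https by default, but certificate checking switched off.
            "registry3": {"verify": False, "token": "constructed", "token_type": "Basic"},
        },
    }},
}

if __name__ == "__main__":
    for where, finding in audit_conf(SAMPLE_CONF):
        print(f"{where}: {finding}")
```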

Running the tests

Launch tox.

$ tox


usage: paclair [-h] [--debug] [--syslog] [--conf CONF]
               plugin hosts [hosts ...] {push,delete,analyse} ...

positional arguments:
  plugin                Plugin to launch
  hosts                 Image/hostname to analyse
                        Command to launch
    push                Push images/hosts to Clair
    delete              Delete images/hosts from Clair
    analyse             Analyse images/hosts already pushed to Clair

optional arguments:
  -h, --help            show this help message and exit
  --debug               Debug mode
  --syslog              Log to syslog
  --conf CONF           Conf file

Analyse command usage

usage: paclair plugin hosts [hosts ...] analyse [-h]
                                            [--output-format {stats,html}]
                                            [--output-report {file,term}]
                                            [--output-dir OUTPUT_DIR]

optional arguments:
  -h, --help            show this help message and exit
  --output-format {stats,html}
                        Change default output format (default: json)
  --output-report {file,term}
                        Change report location (default: logger)
  --output-dir OUTPUT_DIR
                        Change output directory (default: current)
  --delete              Delete after analyse


Push ubuntu image to Clair

$ paclair --conf conf/conf.yml Docker ubuntu push
Pushed ubuntu to Clair.

Analyse ubuntu image (stats only shows fixable CVEs)

$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format stats
Medium: 3

You can get the full JSON if you don't specify --output-format stats.
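For the CI integration mentioned in the feature list, here is an added example, not part of Paclair, that turns captured `stats` output into a pass/fail decision. It assumes one `Severity: count` line per severity, as in the `Medium: 3` line above, using Clair's severity names; the threshold policy and the function names `parse_stats` and `gate` are hypothetical.

```python
import re
import sys

# Clair severity names, lowest to highest.
SEVERITIES = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]
LINE_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*:\s*(\d+)\s*$")


def parse_stats(text):
    """Parse 'Severity: count' lines (assumed format); skip lines that do not match."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sev, n = m.group(1), int(m.group(2))
        if sev not in SEVERITIES:
            # Fail closed: an unknown label means the format assumption is wrong.
            raise ValueError(f"unexpected severity {sev!r}")
        counts[sev] = counts.get(sev, 0) + n
    return counts


def gate(counts, fail_at="High", budget=None):
    """Return (ok, reasons): any finding at or above fail_at blocks;
    lower severities block only when they exceed their budget."""
    budget = budget or {}
    floor = SEVERITIES.index(fail_at)
    reasons = []
    for sev, n in counts.items():
        if n and SEVERITIES.index(sev) >= floor:
            reasons.append(f"{n} {sev} (blocking severity)")
        elif n > budget.get(sev, float("inf")):
            reasons.append(f"{n} {sev} exceeds budget {budget[sev]}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Feed the captured output of the analyse command on stdin.
    ok, reasons = gate(parse_stats(sys.stdin.read()), fail_at="High", budget={"Medium": 5})
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if ok else 1)
```

Empty input passes this gate, so the CI job should also check the exit status of the `paclair` command itself to avoid treating a failed scan as a clean one.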

Analyse ubuntu image and get a html report in directory /tmp

$ paclair --conf conf/conf.yml Docker ubuntu analyse --output-format html --output-dir /tmp

Delete ubuntu image

$ paclair --conf conf/conf.yml Docker ubuntu delete
ubuntu was deleted from Clair.


Feel free to contribute.



Files for paclair, version 3.2.1

| Filename, size | File type | Python version |
|---|---|---|
| paclair-3.2.1.tar.gz (31.9 kB) | Source | None |
| paclair-3.2.1-py3-none-any.whl (30.7 kB) | Wheel | py3 |
