Does Clair support scanning of distroless container images?
Environment
- Red Hat Quay 3.8
- Red Hat Clair 4.6.1
Issue
- Can distroless images be scanned by Clair?
- Currently, Clair scan results show the status `unsupported` for distroless images such as calico-cni from Docker Hub. Is there a plan to include scanning for such images in the future?
Resolution
- Support for scanning distroless containers was added in Clair 4.6.1; earlier versions do not have this feature. For operator-based deployments, the fix ships with the Quay Operator 3.8.7.
Root Cause
- Scanning distroless images was difficult because it was hard to determine exactly which packages are in the final image: the package information is spread across multiple state files rather than held in a single package database. As a result, the scanner could detect too many or too few packages and therefore report more (or fewer) vulnerabilities than the image actually contains.
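The root cause is easier to see with a concrete package walk. The following is an added example, not Clair's own code: it enumerates dpkg packages from an unpacked image root filesystem, reading both the classic single `/var/lib/dpkg/status` database and the per-package files under `/var/lib/dpkg/status.d/` that Google's distroless images use (that layout is an assumption stated here, not something this article documents). The sample rootfs it builds in a temporary directory is constructed for the example; a scanner that reads only the single `status` file would report zero packages for the distroless layout, which is the "too few packages" failure mode described above.

```python
"""Enumerate dpkg packages from an unpacked container rootfs.

Added example, not Clair code. Assumption: Debian-based images keep one
/var/lib/dpkg/status file, while distroless images keep one control
stanza per package under /var/lib/dpkg/status.d/ (plus <pkg>.md5sums).
"""
import os
import tempfile
from typing import Dict, List


def parse_control(text: str) -> List[Dict[str, str]]:
    """Parse dpkg control-format stanzas (key: value, blank-line separated,
    leading-whitespace continuation lines) into a list of dicts."""
    stanzas: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:  # continuation of previous field
            cur[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        cur[last_key] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def list_dpkg_packages(rootfs: str) -> Dict[str, str]:
    """Return {package: version} for installed packages, reading every
    dpkg state file present under rootfs (single status DB and status.d/)."""
    sources: List[str] = []
    status = os.path.join(rootfs, "var/lib/dpkg/status")
    if os.path.isfile(status):
        sources.append(status)
    status_d = os.path.join(rootfs, "var/lib/dpkg/status.d")
    if os.path.isdir(status_d):
        for name in sorted(os.listdir(status_d)):
            path = os.path.join(status_d, name)
            # only the control file carries Package:/Version:, not *.md5sums
            if os.path.isfile(path) and not name.endswith(".md5sums"):
                sources.append(path)

    pkgs: Dict[str, str] = {}
    for path in sources:
        with open(path, encoding="utf-8") as fh:
            for st in parse_control(fh.read()):
                if "Package" not in st or "Version" not in st:
                    continue
                # status.d files carry no Status field; treat absent as installed.
                # A removed-but-not-purged package ("deinstall ok config-files")
                # is not on the filesystem and must not be counted.
                if "installed" not in st.get("Status", "install ok installed"):
                    continue
                pkgs[st["Package"]] = st["Version"]
    return pkgs


def build_sample_rootfs() -> str:
    """Constructed fixture: a rootfs containing both dpkg layouts at once."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/lib/dpkg/status.d"))
    with open(os.path.join(root, "var/lib/dpkg/status"), "w") as fh:
        fh.write(
            "Package: libc6\nVersion: 2.31-13+deb11u5\n"
            "Status: install ok installed\nDescription: GNU C Library\n"
            " shared libraries\n\n"
            "Package: base-files\nVersion: 11.1+deb11u6\n"
            "Status: install ok installed\n\n"
            "Package: old-tool\nVersion: 1.0-1\n"
            "Status: deinstall ok config-files\n\n"
        )
    with open(os.path.join(root, "var/lib/dpkg/status.d/libssl1.1"), "w") as fh:
        fh.write("Package: libssl1.1\nVersion: 1.1.1n-0+deb11u4\n")
    with open(os.path.join(root, "var/lib/dpkg/status.d/libssl1.1.md5sums"), "w") as fh:
        fh.write("d41d8cd98f00b204e9800998ecf8427e  usr/lib/libssl.so.1.1\n")
    return root


if __name__ == "__main__":
    for name, version in sorted(list_dpkg_packages(build_sample_rootfs()).items()):
        print(f"{name} {version}")
```

Point `list_dpkg_packages` at a directory produced by `docker export` or `podman unshare`/`mount` of the image to compare what a scanner sees against what is actually on disk.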
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.