{"id":17267827,"url":"https://github.com/quay/clair-action","last_synced_at":"2026-03-04T23:32:10.641Z","repository":{"id":37852938,"uuid":"489134636","full_name":"quay/clair-action","owner":"quay","description":"Clair in the CI. Github actions, tekton pipelines etc.","archived":false,"fork":false,"pushed_at":"2026-01-19T23:07:51.000Z","size":20362,"stargazers_count":13,"open_issues_count":6,"forks_count":9,"subscribers_count":9,"default_branch":"main","last_synced_at":"2026-01-20T06:12:51.775Z","etag":null,"topics":["actions","ci","clair","tekton"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":"DCO","cla":null}},"created_at":"2022-05-05T21:46:29.000Z","updated_at":"2026-01-19T23:06:42.000Z","dependencies_parsed_at":"2023-02-17T08:30:38.576Z","dependency_job_id":"c8799383-ee19-47c3-bc8d-aac7c3b51466","html_url":"https://github.com/quay/clair-action","commit_stats":{"total_commits":84,"total_committers":4,"mean_commits":21.0,"dds":0.0714285714285714,"last_synced_commit":"4250e0fbfdb63e2162c33d016a8115fbf5aa1c55"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/quay/clair-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quay%2Fclair-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quay%2Fclair-action/tags","releases_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quay%2Fclair-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quay%2Fclair-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quay","download_url":"https://codeload.github.com/quay/clair-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quay%2Fclair-action/sbom","scorecard":{"id":755457,"data":{"date":"2025-08-11","repo":{"name":"github.com/quay/clair-action","commit":"4c60dd9b6a58f54a9418b0c9dcd0d6b412223a9f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":2,"reason":"3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/check-fast-forward.yaml:11","Warn: jobLevel 'contents' permission set to 'write': 
.github/workflows/fast-forward.yaml:13","Warn: no topLevel permission defined: .github/workflows/check-fast-forward.yaml:1","Warn: no topLevel permission defined: .github/workflows/db_update.yaml:1","Warn: no topLevel permission defined: .github/workflows/fast-forward.yaml:1","Warn: no topLevel permission defined: .github/workflows/main.yaml:1","Warn: no topLevel permission defined: .github/workflows/release.yaml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging 
workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yaml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/check-fast-forward.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/check-fast-forward.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/db_update.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/db_update.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/db_update.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/db_update.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/db_update.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/db_update.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/fast-forward.yaml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/fast-forward.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/main.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/main.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:21: update your workflow using 
https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/quay/clair-action/release.yaml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating quay.io/projectquay/clair-action:v0.0.11 to quay.io/projectquay/clair-action:v0.0.11@sha256:80486643baad47f2ac606e5c0e5274f296c08464aebb3dc90f97f22ba92505dd","Warn: containerImage not pinned by hash: cli.Dockerfile:4","Warn: containerImage not pinned by hash: cli.Dockerfile:15","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  10 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T21:34:06.041Z","repository_id":37852938,"created_at":"2025-08-22T21:34:06.041Z","updated_at":"2025-08-22T21:34:06.041Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30099395,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T23:31:22.529Z","status":"ssl_error","status_checked_at":"2026-03-04T23:31:22.112Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","ci","clair","tekton"],"created_at":"2024-10-15T08:11:44.416Z","updated_at":"2026-03-04T23:32:10.619Z","avatar_url":"https://github.com/quay.png","language":"Go","readme":"## About\n\n*NOTE* - Currently unstable and liable to change.\n\nGitHub Action to statically analyze container images for vulnerabilities using [Claircore](https://github.com/quay/claircore/).\n\n___\n\n- [About](#about)\n- [Usage](#usage)\n  - [Image path](#image-path)\n  - [Image ref](#image-ref)\n  - [Image ref with auth](#image-ref-with-auth)\n  - [Generating vulnerability DB and using it for report creation](#generating-vulnerability-db-and-using-it-for-report-creation)\n    - [Generate the vulnerability DB example:](#generate-the-vulnerability-db-example)\n    - [Using generated database:](#using-generated-database)\n- [Customizing](#customizing)\n  - 
[inputs](#inputs)\n- [Releases](#releases)\n\n## Usage\n\n### Image path\n\n```yaml\nname: Clair\n\non:\n  push:\n    branches:\n      - 'main'\n  pull_request:\n    branches:\n      - 'main'\njobs:\n  docker-build:\n    name: \"Docker Build\"\n    runs-on: ubuntu-latest\n    steps:\n\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t a-really/great-app:${{ github.sha }} .\n\n      - name: Save Docker image\n        run: |\n          docker save -o ${{ github.sha }} a-really/great-app:${{ github.sha }}\n\n      - name: Run Clair V4\n        uses: quay/clair-action@main\n        with:\n          image-path: ${{ github.sha }}\n          format: sarif\n          output: clair_results.sarif\n  \n      - name: Upload sarif\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: clair_results.sarif\n```\n\n### Image ref\n\n```yaml\nname: Clair\non:\n  push:\n    branches:\n      - 'main'\njobs:\n  docker:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v2\n      -\n        name: Set up QEMU\n        uses: docker/setup-qemu-action@v2\n      -\n        name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v2\n      -\n        name: Login to DockerHub\n        uses: docker/login-action@v2\n        with:\n          username: ${{ secrets.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n      -\n        name: Build and push\n        uses: docker/build-push-action@v3\n        with:\n          context: .\n          push: true\n          tags: user/app:latest\n      - \n        name: Run Clair V4\n        uses: quay/clair-action@main\n        with:\n          image-ref: user/app:latest\n          format: sarif\n          output: clair_results.sarif\n  \n      - name: Upload sarif\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n  
        sarif_file: clair_results.sarif\n```\n\n### Image ref with auth\n\nThe decision (which may still change) was to simply ask for the .docker/config.json file (or wherever you keep your container registry authentication configuration). The reasons for this are:\n* Most workflows will already have logged into Docker, or can do so easily with the docker-login action. That action already accounts for the various registry special cases.\n* The clair-action container does not need to depend on the `docker` binary.\n\nHere is an example of how to define a workflow that uses the clair-action on a private image that exists in a registry:\n\n```yaml\nname: ci\n\non:\n  push:\n    branches:\n      - 'main'\n  pull_request:\n    branches:\n      - 'main'\njobs:\n  docker-pull-vulns:\n    name: \"Docker Pull and get vulns\"\n    runs-on: ubuntu-latest\n    steps:\n      - name: Docker login\n        uses: docker/login-action@v2\n        with:\n          registry: quay.io\n          username: ${{ secrets.QUAY_USERNAME }}\n          password: ${{ secrets.QUAY_ROBOT_TOKEN }}\n      - name: Copy config\n        run: |\n          cp ${HOME}/.docker/config.json config.json\n      - name: Run Clair V4\n        uses: quay/clair-action@main\n        with:\n          image-ref: quay.io/crozzy/quay-test:v3.4.7-15\n          format: sarif\n          output: clair_results.sarif\n          docker-config-dir: /\n      - name: Upload sarif\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: clair_results.sarif\n```\n\n### Generating vulnerability DB and using it for report creation\n\nAs the vulnerability database isn't hosted anywhere, it is the responsibility of the user to generate it.\n`Clair-action` surfaces an update mode to allow users to do this.\n\n#### Generate the vulnerability DB example:\n\n```yaml\nname: db_update\n\non:\n  workflow_dispatch: {}\n  # Run every day at 5AM UTC\n  schedule:\n    - cron: '0 5 * * 
*'\n\njobs:\n  docker:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Set up QEMU\n        uses: docker/setup-qemu-action@v1\n\n      - name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v1\n\n      - name: Run Clair V4 update\n        uses: quay/clair-action@main\n        with:\n          db-file: matcher.db\n          mode: update\n\n      - name: Cache DB\n        uses: actions/cache@v3\n        with:\n          path: matcher.db\n          key: matcher.db\n```\n\n#### Using generated database:\n\n```yaml\nname: ci\n\non:\n  push:\n    branches:\n      - 'main'\n  pull_request:\n    branches:\n      - 'main'\njobs:\n  docker-build:\n    name: \"Docker Build\"\n    runs-on: ubuntu-latest\n    steps:\n\n      - name: Checkout code\n        uses: actions/checkout@v2\n\n      - name: Grab cache DB\n        uses: actions/cache@v3\n        with:\n          path: matcher.db\n          key: matcher.db\n\n      - name: Build an image from Dockerfile\n        run: |\n          docker build -t crozzy/great-app:${{ github.sha }} .\n      - name: Save Docker image\n        run: |\n          docker save -o ${{ github.sha }} crozzy/great-app:${{ github.sha }}\n      - name: Run Clair V4\n        uses: quay/clair-action@main\n        with:\n          image-path: ${{ github.sha }}\n          db-file: matcher.db  # Use DB from cache\n          format: sarif\n          output: clair_results.sarif\n      - name: Upload artifact\n        uses: actions/upload-artifact@v3\n        with:\n          name: sarif\n          path: clair_results.sarif\n      - name: Upload sarif\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: clair_results.sarif\n```\n\n## Customizing\n\n### inputs\n\nFollowing inputs can be used as `step.with` keys\n\n| Name                | Type   | Required | default          | Description                                                                                                                       
                                                         |\n| ------------------- | ------ | -------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| `image-ref`         | String | yes*     | -                | The reference to an image in a container registry, currently this needs to be public (e.g., `quay.io/projectquay/clair:nightly`)                                                           |\n| `image-path`        | String | yes*     | -                | Where on the filesystem the image was saved, i.e. the `--output` flag of the `docker save` command; the action requires either this or `image-ref` to be defined (e.g., `/tmp/my-image.tar`) |\n| `format`            | String | no       | `clair`          | The output format of the report, currently `clair`, `sarif` and `quay` are supported.                                                                                                      |\n| `output`            | String | yes      | -                | The file path where the report gets saved (e.g., `/tmp/my-image-report.sarif`)                                                                                                             |\n| `return-code`       | String | no       | `0`              | A code to return from the process if Clair found vulnerabilities (e.g., `1`)                                                                                                               |\n| `mode`              | String | no       | `report`         | Specify which mode to run the action in, supported values are `report` and `update`. `report` reports vulnerabilities for an image, `update` generates the sqlite3 vulnerability DB.                                        
|\n| `db-file`           | String | no       | empty string     | Optional param to specify where on the filesystem the zstd compressed sqlite3 DB lives.                                                                                                    |\n| `db-file-url`       | String | no       | liable to change | Optional param to specify your own url where the zstd compressed sqlite3 DB lives.                                                                                                         |\n| `docker-config-dir` | String | no       | -                | Optional param to specify the docker (or other) config dir to allow for pulling of layers from private images                                                                              |\n\n\\* either `image-ref` or `image-path` need to be defined.\n\n## Releases\n\nBefore tagging make sure to update the [Dockerfile](Dockerfile), this must happen for the action to use the correct container. The container is pre-built to keep latency as low as possible, pushing a tag should trigger that container build that is subsequently pushed to [Quay.io](https://quay.io/projectquay/clair-action).\n\n```sh\n# Update Dockerfile with new $TAG\ngit tag -as $TAG HEAD\ngit push upstream $TAG\ngh workflow view release --web # if you're partial to that kind of thing\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquay%2Fclair-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquay%2Fclair-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquay%2Fclair-action/lists"}