Documentation/reference/config.md
Clair is configured by a structured yaml or JSON1 file and an optional directory of "merge" and "patch" documents1. Each Clair node needs to specify what mode it will run in and a path to a configuration file via CLI flags or environment variables.
For example:
$ clair -conf ./path/to/config.yaml -mode indexer
$ clair -conf ./path/to/config.yaml -mode matcher
-mode
(also specified by CLAIR_MODE env variable)
One of the following strings
Sets which mode the clair instances will run in
"indexer": runs just the indexer node
"matcher": runs just the matcher node
"notifier": runs just the notifier node
"combo": will run all services on the same node.
-conf
(also specified by CLAIR_CONF env variable)
A file system path to Clair's config file
The above example starts two Clair nodes using the same configuration. One will only run the indexing facilities while the other will only run the matching facilities.
Environment variables respected by the Go standard library can be specified if needed. Some notable examples:
HTTP_PROXYHTTPS_PROXYSSL_CERT_DIRIf running in "combo" mode you must supply the indexer, matcher,
and notifier configuration blocks in the configuration.
Starting in Clair version 4.7.0, dropin configuration files are supported.
Given a root configurtaion file of /etc/clair/config.json, all files matching the globs /etc/clair/config.json.d/*.json and /etc/clair/config.json.d/*.json-patch would be loaded in lexical order after the root configuration file.
Similarly, given /etc/clair/config.yaml, all files matching the globs /etc/clair/config.yaml.d/*.yaml and /etc/clair/config.yaml.d/*.yaml-patch would be loaded.
Only the extensions yaml and json are supported, and indicate yaml and JSON formatting, respectively.
The dropin files must have the same extension and format as the root file.
Dropins with the bare suffix are treated as merge documents.
Dropins with the -patch suffix are treated as patch documents and must contain a valid RFC 6902 structure.
Yaml documents must be resolvable to the JSON subset.
Take care with the merge behavior around lists; a patch operation may be more suitable.
The clairctl check-config command can be used to ensure a merged configuration is what is intended.
In addition, placing test operations in a patch file that's evaluated last (such as zz-validate.json-patch) can be used to have Clair refuse to start if some configuration values are not what is intended.
The application defaults are applied after the configuration is loaded and as such, not reflected in the clairctl check-config command.
The output of that command is also not currently suitable to be used to "compile" a config to a single file.
Starting in version 4.7.0, unknown keys are disallowed.
Configurations that looked valid previously and loaded fine may now cause Clair to refuse to start.
In version 4.8.0, using Jaeger for trace submission was deprecated.
Configurations that use Jaeger will print a warning.
In future versions, using the Jaeger format may cause an error.
Please see the go module documentation for additional documentation on defaults and use.
http_listen_addr: ""
introspection_addr: ""
log_level: ""
tls: {}
indexer:
connstring: ""
scanlock_retry: 0
layer_scan_concurrency: 0
migrations: false
scanner: {}
airgap: false
matcher:
connstring: ""
indexer_addr: ""
migrations: false
period: ""
disable_updaters: false
update_retention: 2
matchers:
names: nil
config: nil
updaters:
sets: nil
config: nil
notifier:
connstring: ""
migrations: false
indexer_addr: ""
matcher_addr: ""
poll_interval: ""
delivery_interval: ""
disable_summary: false
webhook: null
amqp: null
stomp: null
auth:
psk: nil
trace:
name: ""
probability: null
jaeger:
agent:
endpoint: ""
collector:
endpoint: ""
username: null
password: null
service_name: ""
tags: nil
buffer_max: 0
otlp:
http: {}
grpc: {}
metrics:
name: ""
prometheus:
endpoint: null
Note: the above just lists every key for completeness. Copy-pasting the above as a starting point for configuration will result in some options not having their defaults set normally.
<!--- The following are purposefully omitted. See comments in the config package for more information. # `$.tls.root_ca` # `$.updaters.filter` # `$.notifier.webhook.signed` # `$.auth.keyserver` # `$.auth.keyserver.api` # `$.auth.keyserver.intraservice` # `$.trace.otlp.http.client_tls` # `$.trace.otlp.http.client_tls.root_ca` # `$.trace.otlp.grpc.client_tls` # `$.trace.otlp.grpc.client_tls.root_ca` # `$.metrics.otlp.http.client_tls` # `$.metrics.otlp.http.client_tls.root_ca` # `$.metrics.otlp.grpc.client_tls` # `$.metrics.otlp.grpc.client_tls.root_ca` -->$.http_listen_addrA string in <host>:<port> format where <host> can be an empty string.
This configures where the HTTP API is exposed.
See /openapi/v1 for the API spec.
$.introspection_addrA string in <host>:<port> format where <host> can be an empty string.
This configures where Clair's metrics and health endpoints are exposed.
$.log_levelSet the logging level.
One of the following strings:
$.tlsTLS is a map containing the config for serving the HTTP API over TLS (and HTTP/2).
$.tls.certThe TLS certificate to be used. Must be a full-chain certificate, as in nginx.
$.tls.keyA key file for the TLS certificate. Encryption is not supported on the key.
$.indexerIndexer provides Clair Indexer node configuration.
$.indexer.airgapDisables HTTP access to the Internet for indexers and fetchers. Private IPv4 and IPv6 addresses are allowed. Database connections are unaffected.
$.indexer.connstringA Postgres connection string.
Accepts a format as a url (e.g.,
postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full)
or a libpq connection string (e.g.,
user=pqgotest dbname=pqgotest sslmode=verify-full).
$.indexer.index_report_request_concurrencyInteger.
Rate limits the number of index report creation requests.
Setting this to 0 will attempt to auto-size this value. Setting a negative value means "unlimited." The auto-sizing is a multiple of the number of available cores.
The API will return a 429 status code if concurrency is exceeded.
$.indexer.scanlock_retryA positive integer representing seconds.
Concurrent Indexers lock on manifest scans to avoid clobbering. This value tunes how often a waiting Indexer will poll for the lock.
<!--TODO: Move to async operating mode -->$.indexer.layer_scan_concurrencyPositive integer limiting the number of concurrent layer scans.
Indexers will index a Manifest's layers concurrently. This value tunes the number of layers an Indexer will scan in parallel.
$.indexer.migrationsA boolean value.
Whether Indexer nodes handle migrations to their database.
$.indexer.scannerIndexer configurations.
Scanner allows for passing configuration options to layer scanners. The scanner will have this configuration passed to it on construction if designed to do so.
$.indexer.scanner.distA map with the name of a particular scanner and arbitrary yaml as a value.
$.indexer.scanner.packageA map with the name of a particular scanner and arbitrary yaml as a value.
$.indexer.scanner.repoA map with the name of a particular scanner and arbitrary yaml as a value.
$.matcherMatcher provides Clair matcher node configuration.
$.matcher.cache_ageDuration string.
Controls how long clients should be hinted to cache responses for.
$.matcher.connstringA Postgres connection string.
Accepts a format as a url (e.g.,
postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full)
or a libpq connection string (e.g.,
user=pqgotest dbname=pqgotest sslmode=verify-full).
$.matcher.max_conn_poolA positive integer limiting the database connection pool size.
Clair allows for a custom connection pool size. This number will directly set how many active database connections are allowed concurrently.
This parameter will be ignored in a future version. Users should configure this through the connection string.
$.matcher.indexer_addrA string in <host>:<port> format where <host> can be an empty string.
A Matcher contacts an Indexer to create a VulnerabilityReport. The location of this Indexer is required.
$.matcher.migrationsA boolean value.
Whether Matcher nodes handle migrations to their databases.
$.matcher.periodA time.ParseDuration parseable string.
Determines how often updates for new security advisories will take place.
Defaults to 6 hours.
$.matcher.disable_updatersA boolean value.
Whether to run background updates or not.
$.matcher.disable_enrichmentA boolean value.
Whether to enrich the returned vulnerabilities or not.
$.matcher.update_retentionAn integer value limiting the number of update operations kept in the database.
Sets the number of update operations to retain between garbage collection cycles. This should be set to a safe MAX value based on database size constraints.
Defaults to 10.
If a value less than 0 is provided, GC is disabled. 2 is the minimum value to ensure updates can be compared for notifications.
$.matchersMatchers provides configuration for the in-tree Matchers and RemoteMatchers.
$.matchers.namesA list of string values informing the matcher factory about enabled matchers.
If the value is nil the default list of Matchers will run:
If an empty list is provided zero matchers will run.
$.matchers.configProvides configuration to specific matcher.
A map keyed by the name of the matcher containing a sub-object which will be provided to the matchers factory constructor.
A hypothetical example:
config:
python:
ignore_vulns:
- CVE-XYZ
- CVE-ABC
$.updatersUpdaters provides configuration for the Matcher's update manager.
$.updaters.setsA list of string values informing the update manager which Updaters to run.
If the value is nil (or null in yaml) the default set of Updaters will run:
If an empty list is provided zero updaters will run.
$.updaters.configProvides configuration to specific updater sets.
A map keyed by the name of the updater set name containing a sub-object which will be provided to the updater set's constructor.
A hypothetical example:
config:
ubuntu:
security_tracker_url: http://security.url
ignore_distributions:
- cosmic
$.notifierNotifier provides Clair notifier node configuration.
$.notifier.connstringA Postgres connection string.
Accepts a format as a url (e.g.,
postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full)
or a libpq connection string (e.g.,
user=pqgotest dbname=pqgotest sslmode=verify-full).
$.notifier.migrationsA boolean value.
Whether Notifier nodes handle migrations to their database.
$.notifier.indexer_addrA string in <host>:<port> format where <host> can be an empty string.
A Notifier contacts an Indexer to create obtain manifests affected by vulnerabilities. The location of this Indexer is required.
$.notifier.matcher_addrA string in <host>:<port> format where <host> can be an empty string.
A Notifier contacts a Matcher to list update operations and acquire diffs. The location of this Indexer is required.
$.notifier.poll_intervalA time.ParseDuration parsable string.
The frequency at which the notifier will query at Matcher for Update Operations.
$.notifier.delivery_intervalA time.ParseDuration parsable string.
The frequency at which the notifier attempt delivery of created or previously failed notifications.
$.notifier.disable_summaryA boolean.
Controls whether notifications should be summarized to one per manifest or not.
$.notifier.webhookConfigures the notifier for webhook delivery.
$.notifier.webhook.targetURL where the webhook will be delivered.
$.notifier.webhook.callbackThe callback url where notifications can be retrieved. The notification ID will be appended to this url.
This will typically be where the clair notifier is hosted.
$.notifier.webhook.headersA map associating a header name to a list of values.
$.notifier.amqpConfigures the notifier for AMQP delivery.
Note: Clair does not declare any AMQP components on its own. All attempts to use an exchange or queue are passive only and will fail The broker administrators should setup exchanges and queues ahead of time.
$.notifier.amqp.directA boolean value.
If true the Notifier will deliver individual notifications (not a callback) to the configured AMQP broker.
$.notifier.amqp.rollupInteger 0 or greater.
If direct is true this value will inform notifier how many notifications
to send in a single direct delivery. For example, if direct is set to
true and rollup is set to 5, the notifier will deliver no more then
5 notifications in a single json payload to the broker. Setting the value
to 0 will effectively set it to 1.
$.notifier.amqp.exchangeThe AMQP Exchange to connect to.
$.notifier.amqp.exchange.namestring value
The name of the exchange to connect to.
$.notifier.amqp.exchange.typestring value
The type of the exchange. Typically:
$.notifier.amqp.exchange.durabilitybool value
Whether the configured queue is durable or not.
$.notifier.amqp.exchange.auto_deletebool value
Whether the configured queue uses an auto_delete policy.
$.notifier.amqp.routing_keystring value
The name of the routing key each notification will be sent with.
$.notifier.amqp.callbacka URL string
If direct is false, this URL is provided in the notification callback sent
to the broker. This URL should point to Clair's notification API endpoint.
$.notifier.amqp.urislist of URL strings
A list of one or more AMQP brokers to connect to, in priority order.
$.notifier.amqp.tlsConfigures TLS connection to AMQP broker.
$.notifier.amqp.tls.root_castring value
The filesystem path where a root CA can be read.
$.notifier.amqp.tls.certstring value
The filesystem path where a tls certificate can be read. Note that clair
also respects SSL_CERT_DIR, as documented for the Go crypto/x509 package.
$.notifier.amqp.tls.keystring value
The filesystem path where a TLS private key can be read.
$.notifier.stompConfigures the notifier for STOMP delivery.
$.notifier.stomp.directA boolean value.
If true, the Notifier will deliver individual notifications (not a
callback) to the configured STOMP broker.
$.notifier.stomp.rollupInteger 0 or greater.
If direct is true, this value will limit the number of notifications
sent in a single direct delivery. For example, if direct is set to
true and rollup is set to 5, the notifier will deliver no more
then 5 notifications in a single json payload to the broker. Setting the value
to 0 will effectively set it to 1.
$.notifier.stomp.callbacka URL string
If direct is false, this URL is provided in the notification callback sent
to the broker. This URL should point to Clair's notification API endpoint.
$.notifier.stomp.destinationa string value
The STOMP destination to deliver notifications to.
$.notifier.stomp.urislist of URL strings
A list of one or more STOMP brokers to connect to in priority order.
$.notifier.stomp.tlsConfigures TLS connection to STOMP broker.
$.notifier.stomp.tls.root_castring value
The filesystem path where a root CA can be read.
Note that clair also respects SSL_CERT_DIR, as documented for the Go
crypto/x509 package.
$.notifier.stomp.tls.certstring value
The filesystem path where a tls certificate can be read.
$.notifier.stomp.tls.keystring value
The filesystem path where a tls private key can be read.
$.notifier.stomp.userConfigures login details for the STOMP broker.
$.notifier.stomp.user.loginstring value
The STOMP login to connect with.
$.notifier.stomp.user.passcodestring value
The STOMP passcode to connect with.
$.authDefines ClairV4's external and intra-service JWT based authentication.
If multiple auth mechanisms are defined, Clair will pick one. Currently, there are not multiple mechanisms.
$.auth.pskDefines preshared key authentication.
$.auth.psk.keya string value
A shared base64 encoded key distributed between all parties signing and verifying JWTs.
$.auth.psk.issa list of string value
A list of JWT issuers to verify. An empty list will accept any issuer in a JWT claim.
$.traceDefines distributed tracing configuration based on OpenTelemetry.
$.trace.nameWhich submission format to use, one of:
$.trace.probabilitya float value
The probability a trace will occur.
$.trace.jaegerDefines values for Jaeger tracing.
NOTE: Jaeger has deprecated using the jaeger protocol and encouraging users to migrate to OTLP,
which Jaeger can ingest natively.
$.trace.jaeger.agentDefines values for configuring delivery to a Jaeger agent.
$.trace.jaeger.agent.endpointa string value
An address in <host>:<post> syntax where traces can be submitted.
$.trace.jaeger.collectorDefines values for configuring delivery to a Jaeger collector.
$.trace.jaeger.collector.endpointa string value
An address in <host>:<post> syntax where traces can be submitted.
$.trace.jaeger.collector.usernamea string value
$.trace.jaeger.collector.passworda string value
$.trace.jaeger.service_namea string value
$.trace.jaeger.tagsa mapping of a string to a string
$.trace.jaeger.buffer_maxan integer value
$.trace.otlpConfiguration for OTLP traces.
Only one of the http or grpc keys should be provided.
$.trace.otlp.httpConfiguration for OTLP traces submitted by HTTP.
$.trace.otlp.http.url_pathRequest path to use for submissions.
Defaults to /v1/traces.
$.trace.otlp.http.compressionCompression for payloads. One of:
$.trace.otlp.http.endpointHost:port for submission. Defaults to localhost:4318.
$.trace.otlp.http.headersKey-value pairs of additional headers for submissions.
$.trace.otlp.http.insecureUse HTTP instead of HTTPS.
$.trace.otlp.http.timeoutMaximum of of time for a trace submission.
$.trace.otlp.http.client_tls.certClient certificate for connection.
$.trace.otlp.http.client_tls.keyKey for the certificate specified in cert.
$.trace.otlp.grpcConfiguration for OTLP traces submitted by gRPC.
$.trace.otlp.grpc.reconnectSets the minimum time between connection attempts.
$.trace.otlp.grpc.service_configA string containing a JSON-format gRPC service config.
$.trace.otlp.grpc.compressionCompression for payloads. One of:
$.trace.otlp.grpc.endpointHost:port for submission. Defaults to localhost:4317.
$.trace.otlp.grpc.headersKey-value pairs of additional headers for submissions.
$.trace.otlp.grpc.insecureDo not verify the server certificate.
$.trace.otlp.grpc.timeoutMaximum of of time for a trace submission.
$.trace.otlp.grpc.client_tls.certClient certificate for connection.
$.trace.otlp.grpc.client_tls.keyKey for the certificate specified in cert.
$.trace.sentryConfiguration for submitting traces to Sentry.
This is done via OpenTelemetry instrumentation, so may not provide identical results compared to other tracing backends or native Sentry instrumentation.
There's no integration for error submission. This means that alternative implementations of the Sentry API that do not support submitting traces (such as GlitchTip) are not usable.
$.trace.sentry.dsnSentry DSN to use.
See also sentry-go.ClientOptions.
$.trace.sentry.environmentSentry environment to use.
See also sentry-go.ClientOptions.
$.metricsDefines distributed tracing configuration based on OpenTelemetry.
$.metrics.namea string value
$.metrics.prometheusConfiguration for a prometheus metrics exporter.
$.metrics.prometheus.endpointa string value
Defines the path where metrics will be served.
$.metrics.otlpConfiguration for OTLP metrics.
Only one of the http or grpc keys should be provided.
$.metrics.otlp.httpConfiguration for OTLP metrics submitted by HTTP.
$.metrics.otlp.http.url_pathRequest path to use for submissions.
Defaults to /v1/metrics.
$.metrics.otlp.http.compressionCompression for payloads. One of:
$.metrics.otlp.http.endpointHost:port for submission. Defaults to localhost:4318.
$.metrics.otlp.http.headersKey-value pairs of additional headers for submissions.
$.metrics.otlp.http.insecureUse HTTP instead of HTTPS.
$.metrics.otlp.http.timeoutMaximum of of time for a metrics submission.
$.metrics.otlp.http.client_tls.certClient certificate for connection.
$.metrics.otlp.http.client_tls.keyKey for the certificate specified in cert.
$.metrics.otlp.grpcConfiguration for OTLP metrics submitted by gRPC.
$.metrics.otlp.grpc.reconnectSets the minimum time between connection attempts.
$.metrics.otlp.grpc.service_configA string containing a JSON-format gRPC service config.
$.metrics.otlp.grpc.compressionCompression for payloads. One of:
$.metrics.otlp.grpc.endpointHost:port for submission. Defaults to localhost:4318.
$.metrics.otlp.grpc.headersKey-value pairs of additional headers for submissions.
$.metrics.otlp.grpc.insecureUse HTTP instead of HTTPS.
$.metrics.otlp.grpc.timeoutMaximum of of time for a metrics submission.
$.metrics.otlp.grpc.client_tls.certClient certificate for connection.
$.metrics.otlp.grpc.client_tls.keyKey for the certificate specified in cert.