You can setup Clair as a combined deployment.

Before you begin

You will need an Arm based instance from a cloud service provider or any Arm server running Linux.

The instructions are tested on Ubuntu. Other Linux distributions are possible with some modifications.

Install Docker and Go (latest versions preferred).

Install and run Clair (combined)

In combined deployment, all Clair services run in a single OS process. This is the easiest deployment model to configure.

  1. Download Clair:

tar -xvf clair-v4.5.1.tar.gz
cd clair-v4.5.1
  1. Edit docker-compose.yaml to setup the database

You need a postgres database for Clair to store all vulnerabilities specific to containers.

Because postgres runs inside a private container network and Clair runs on localhost, you need to expose postgres port 5432 to localhost.

Use a text editor to open docker-compose.yaml and search for the clair-database section.

Add the 2 lines to the clair-database section of the compose file:


      - "5432:5432"

The clair-database section should look like this:


      - "5432:5432"
    container_name: clair-database

  1. Start the postgres service:

Use docker compose to start the database service:


            sudo docker compose up -d clair-database

You can view the running postgres service with Docker:


            docker ps

The output will be similar to:


        CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS                    PORTS                                       NAMES
f4f1cba58e9e   postgres:12   "docker-entrypoint.s…"   29 seconds ago   Up 20 seconds (healthy)>5432/tcp, :::5432->5432/tcp   clair-database

  1. Modify the config.yaml file

Clair uses a configuration file to configure the indexer, matcher and notifier.

In combined mode, you need to configure the indexer, matcher and notifier to communicate with postgres exposed on port 5432 of localhost.

Use a text editor to open and modify the configuration file at clair/local-dev/clair/config.yaml

Find the value of connstring 3 times in the file. There is a connstring for the indexer, matcher and notifier.

In each case, replace the connstring with the new value:



  connstring: host=localhost port=5432 user=clair dbname=indexer sslmode=disable



  connstring: host=localhost port=5432 user=clair dbname=matcher sslmode=disable



  connstring: host=localhost port=5432 user=clair dbname=notifier sslmode=disable
  1. Build Clair

Generate the Clair binary with go:


            go build ./cmd/clair

This will create a clair binary in the top directory.

  1. Run Clair

Run the Clair combined deployment:


            ./clair -conf "./local-dev/clair/config.yaml" -mode "combo"

The log in the terminal confirms that Clair is running successfully as a combined deployment.

You can now open a new terminal and submit the manifest to generate the vulnerability report.