  • #321451

Deprecate GitLab integration with Clair Container Scanning Engine

GitLab's integration with Clair is being deprecated

Timeline

%13.9 - Clair is officially deprecated (meaning it is marked as planned for removal in a future release)

%14.0 - Trivy replaces Clair as the default container scanning engine. Clair no longer receives new features and updates.

Why is GitLab deprecating Clair?

GitLab did an extensive analysis comparing Clair and Trivy and found that Trivy is easier to maintain, better supports the long-term roadmap of scanning containers running in production, and requires fewer resources to run.

Will I lose any features or functionality with the change from Clair to Trivy?

No, all features will continue to work. Some instructions may change, such as the instructions for operating in offline environments, but all capabilities that were available in the 13.x GitLab releases will also be available in 14.0.

How do the scan results compare between Clair and Trivy?

From our testing, we did not see a significant difference between the findings of each scanner. Trivy supports more languages and can detect some vulnerabilities that Clair cannot detect. It is possible that some customers might observe that Trivy does not find some vulnerabilities that were previously found by Clair; however, it is much more likely that scan coverage will only increase for the vast majority of users with this change.

What if I want to keep using Clair?

Customers who wish to continue to use Clair can do so by setting the CS_MAJOR_VERSION variable to version 3 (or earlier) in their .gitlab-ci.yml file for any release prior to the %14.0 release. Beginning with the %14.0 release, customers will need to ensure that the CS_MAJOR_VERSION variable is either removed or set to a version of 4 or higher for their container scanning jobs to continue to work. Additionally, they should verify that the CS_ANALYZER_IMAGE variable is not in use and that the CS_PROJECT variable, if present, is set to container-scanning.

What do I need to do to prepare for %14.0?

The quickest solution is to remove the following variables from your CI files. Alternatively, change them as follows:

| Previous Variable | Action Needed |
| --- | --- |
| CS_MAJOR_VERSION | set it to a version higher than 3 or remove it from your CI file |
| CS_PROJECT | set it to container-scanning or remove it from your CI file |
| CS_ANALYZER_IMAGE | please use CS_MAJOR_VERSION instead of overriding this variable |
| CLAIR_DB_IMAGE | it can be removed as it has no effect |
| CLAIR_DB_IMAGE_TAG | it can be removed as it has no effect |
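As an added example (not code from this issue or from the GitLab project), the following Python helper applies the rules from the two sections above to a pipeline file: it reads the top-level `variables:` block of a `.gitlab-ci.yml`, reports each variable the table flags for the %14.0 upgrade, and returns a corrected block. The sample pipeline is constructed for illustration; `klar` as a legacy `CS_PROJECT` value and the registry path in `CS_ANALYZER_IMAGE` are assumptions, not values taken from the issue. The parser is deliberately minimal (a regex, no PyYAML): quoted values, YAML anchors and job-level `variables:` blocks are out of its scope.

```python
"""Readiness check for the Clair -> Trivy switch in GitLab %14.0.

Added example, not code from the GitLab issue or the GitLab project.
"""
import re

# Constructed sample of a pre-14.0 pipeline that still pins Clair.
# "klar" and the registry path are assumed legacy values, not from the issue.
LEGACY_CI = """\
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  CS_MAJOR_VERSION: 3
  CS_PROJECT: klar
  CS_ANALYZER_IMAGE: registry.example.com/forks/klar:3
  CLAIR_DB_IMAGE: arminc/clair-db
  CLAIR_DB_IMAGE_TAG: latest
  SECURE_LOG_LEVEL: debug
"""

# Variables that have no effect once Trivy is the engine (from the issue's table).
NO_EFFECT = {"CLAIR_DB_IMAGE", "CLAIR_DB_IMAGE_TAG"}

# Two-space indented "KEY: value" line inside the top-level variables block.
_VAR_LINE = re.compile(r"^  ([A-Z][A-Z0-9_]*):\s*(.*?)\s*$")


def parse_top_level_variables(ci_text):
    """Return KEY -> value pairs of the top-level ``variables:`` block."""
    found, in_block = {}, False
    for line in ci_text.splitlines():
        if line.startswith("variables:"):
            in_block = True
            continue
        if in_block:
            m = _VAR_LINE.match(line)
            if m:
                found[m.group(1)] = m.group(2).strip("'\"")
            elif line.strip() and not line.startswith(" "):
                in_block = False  # next top-level key ends the block
    return found


def clair_findings(variables):
    """Map each variable that blocks the %14.0 upgrade to the action needed."""
    findings = {}
    version = variables.get("CS_MAJOR_VERSION")
    if version is not None:
        try:
            if int(version) <= 3:
                findings["CS_MAJOR_VERSION"] = "set to 4 or higher, or remove"
        except ValueError:
            findings["CS_MAJOR_VERSION"] = "not an integer; set to 4 or higher, or remove"
    project = variables.get("CS_PROJECT")
    if project is not None and project != "container-scanning":
        findings["CS_PROJECT"] = "set to container-scanning, or remove"
    if "CS_ANALYZER_IMAGE" in variables:
        findings["CS_ANALYZER_IMAGE"] = "remove; pin the analyzer via CS_MAJOR_VERSION instead"
    for key in sorted(NO_EFFECT.intersection(variables)):
        findings[key] = "remove; it has no effect"
    return findings


def migrate_variables(variables):
    """Return a copy of the variables with the deprecation table applied."""
    migrated = dict(variables)
    for key in clair_findings(variables):
        if key == "CS_MAJOR_VERSION":
            migrated[key] = "4"
        elif key == "CS_PROJECT":
            migrated[key] = "container-scanning"
        else:
            del migrated[key]
    return migrated


def render_variables(variables):
    """Render a variables mapping back into .gitlab-ci.yml syntax."""
    lines = ["variables:"] + [f"  {k}: {v}" for k, v in variables.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    legacy = parse_top_level_variables(LEGACY_CI)
    for key, action in clair_findings(legacy).items():
        print(f"{key}: {action}")
    print(render_variables(migrate_variables(legacy)))
```

Running the script against the constructed sample reports all five flagged variables and prints a block that keeps only `CS_MAJOR_VERSION: 4`, `CS_PROJECT: container-scanning` and the unrelated `SECURE_LOG_LEVEL`; running `clair_findings` on that result returns nothing, which is the state a pipeline should be in before the %14.0 upgrade.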
Edited Apr 14, 2021 by Sam White