Customer Problem: As a Quay user I would like to get as much coverage from security scanning as possible. While my OS base images are usually minimalistic, I regularly run containerized applications with a lot of dependencies, which can introduce security vulnerabilities. Desired coverage includes Python, Node, Golang, PHP, Ruby and Java.
Goal: Clair supports scanning language package managers (Python pip, npm, Ruby gems, etc.) and reporting vulnerabilities for these packages. This feature covers all related epics to deliver these features.
Background: CodeReady Dependency Analytics provides additional feeds for CVE matching. In order for those to be usable by Clair, we first need to understand which language packages / application dependencies can be found inside a container image.
Is related to: PROJQUAY-966 Clair v4 GA Technical Enablement (Closed)