Clair: CLAIRDEV-52

As a user of Clair I want to have more transparency into why certain vulnerability results are returned


      As customers depend more on Clair's results it is important that vulnerability scan results are able to be understood within the context of how Clair is configured and what image sources were given to it. It is important to give transparency into the rationale behind Clair's vulnerability report.

      Two recent examples where this would have been helpful: Clair showing no vulnerabilities when given an Alpine version that it was not configured to understand, and the JAR scanner being rate limited by CRDA, which occasionally caused the log4j vulnerability to come and go in subsequent results.

      Ideally we have some simple mechanism built into Clair that allows an administrative system (or technical user) to get a 'debug output' for a manifest that reveals how and why Clair provided the output it did. This is especially critical for the upcoming plug-in mechanism, whereby scan results will be influenced by code our team has not written.

      The output should include enough information to indicate

      • If one of the indexers or matchers were able to interpret what was in the image (e.g. the Windows example)
      • If one or more of the indexers had a failure (either an error condition was raised or some external service/dependency was not available)
      • Which indexers provided the data behind the results
      • How many indexers are currently configured in Clair and which ones are optional plug-ins

      This information could be part of the regular vulnerability output (as an optional section) or provided through some 'diagnostics API' instead, as long as it is easy to correlate the information with a scan result. It is not necessary to maintain this information for all scan results permanently; only a 'recent window' needs to be kept (however we want to define that).
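      To make the requested debug output concrete, the following is an added sketch (not Clair's code or API; every type, indexer and manifest here is hypothetical and the sample data is constructed) of a diagnostics record keyed by manifest digest that records, for each configured indexer, whether it recognised the image, whether it failed because of an error or an unavailable dependency, how many packages it contributed, and whether it is an optional plug-in. It models the two incidents above: an Alpine release the indexer was not configured for, and a JAR lookup that is rate limited.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical model of the proposed debug output; not Clair's real types.

// Manifest is a minimal view of a container image for the sample indexers.
type Manifest struct {
	Digest string   // correlates the diagnostics with a scan result
	Distro string   // e.g. "alpine:3.17" as read from /etc/os-release
	Files  []string // file paths found in the image layers
}

// IndexerStatus is the per-indexer outcome the debug output should expose.
type IndexerStatus string

const (
	StatusOK          IndexerStatus = "ok"          // interpreted the image, contributed data
	StatusUnsupported IndexerStatus = "unsupported" // did not recognise what was in the image
	StatusError       IndexerStatus = "error"       // error raised or dependency unavailable
)

// IndexerReport is one row of the diagnostics for a single indexer.
type IndexerReport struct {
	Name     string
	Optional bool // true for plug-ins, false for built-in indexers
	Status   IndexerStatus
	Detail   string
	Packages int
}

// Diagnostics is the proposed 'debug output' for one manifest.
type Diagnostics struct {
	ManifestDigest string
	Configured     int // how many indexers are configured in total
	Reports        []IndexerReport
}

// Indexer is implemented by the sample scanners. Scan returns the number of
// packages found, whether the image was recognised, and any error.
type Indexer interface {
	Name() string
	Optional() bool
	Scan(m Manifest) (packages int, supported bool, err error)
}

// ErrDependencyUnavailable marks failures of an external service (e.g. rate limiting).
var ErrDependencyUnavailable = errors.New("external dependency unavailable")

// alpineIndexer only understands the releases it was configured with; an unknown
// release is reported as unsupported rather than silently as "no packages".
type alpineIndexer struct{ known []string }

func (alpineIndexer) Name() string   { return "alpine" }
func (alpineIndexer) Optional() bool { return false }
func (a alpineIndexer) Scan(m Manifest) (int, bool, error) {
	for _, v := range a.known {
		if m.Distro == v {
			return 12, true, nil // constructed package count
		}
	}
	return 0, false, nil
}

// jarIndexer needs a remote lookup per archive; a failed lookup is surfaced as
// an error so a partial result is never mistaken for a clean one.
type jarIndexer struct{ lookup func(path string) error }

func (jarIndexer) Name() string   { return "jar" }
func (jarIndexer) Optional() bool { return true }
func (j jarIndexer) Scan(m Manifest) (int, bool, error) {
	found := 0
	for _, f := range m.Files {
		if !strings.HasSuffix(f, ".jar") {
			continue
		}
		if err := j.lookup(f); err != nil {
			return found, true, fmt.Errorf("%s: %w", f, err)
		}
		found++
	}
	return found, found > 0, nil
}

// Diagnose runs every configured indexer and records each outcome instead of
// dropping scanners that failed or did not apply.
func Diagnose(m Manifest, indexers []Indexer) Diagnostics {
	d := Diagnostics{ManifestDigest: m.Digest, Configured: len(indexers)}
	for _, ix := range indexers {
		r := IndexerReport{Name: ix.Name(), Optional: ix.Optional()}
		n, supported, err := ix.Scan(m)
		r.Packages = n
		switch {
		case errors.Is(err, ErrDependencyUnavailable):
			r.Status, r.Detail = StatusError, "dependency unavailable: "+err.Error()
		case err != nil:
			r.Status, r.Detail = StatusError, err.Error()
		case !supported:
			r.Status, r.Detail = StatusUnsupported, "indexer did not recognise the image contents"
		default:
			r.Status = StatusOK
		}
		d.Reports = append(d.Reports, r)
	}
	return d
}

// Explain renders the diagnostics in the form a support engineer would read.
func (d Diagnostics) Explain() string {
	var b strings.Builder
	fmt.Fprintf(&b, "manifest %s: %d indexers configured\n", d.ManifestDigest, d.Configured)
	for _, r := range d.Reports {
		kind := "built-in"
		if r.Optional {
			kind = "plug-in"
		}
		fmt.Fprintf(&b, "  %-8s %-8s %-12s packages=%d %s\n", r.Name, kind, r.Status, r.Packages, r.Detail)
	}
	return b.String()
}

func main() {
	// Constructed manifest: an Alpine release the indexer was not configured
	// for, plus a JAR whose remote lookup is rate limited.
	m := Manifest{Digest: "sha256:constructed-example", Distro: "alpine:3.99",
		Files: []string{"/etc/os-release", "/app/lib/example.jar"}}
	rateLimited := func(string) error { return ErrDependencyUnavailable }
	d := Diagnose(m, []Indexer{
		alpineIndexer{known: []string{"alpine:3.16", "alpine:3.17"}},
		jarIndexer{lookup: rateLimited},
	})
	fmt.Print(d.Explain())
}
```

      The point of the design is that an empty vulnerability list is distinguishable from a scan that did not apply or did not complete: the Alpine row reads "unsupported" rather than "0 packages", and the JAR row carries the dependency failure, so a result that flips between runs can be traced to the rate limit rather than to the image.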

      Key goals here are to increase customer confidence in Clair results and decrease support tickets asking why Clair gave the results it did.

              hdonnay Henry Donnay
              bdettelb@redhat.com Bill Dettelback