When Clair's indexing processes are updated, image manifests need to be resubmitted. Quay's securityworker should be doing this in a timely manner but evidently is not.

To the best of my knowledge, there's no instrumentation on the set of manifests that need to be resubmitted such as count and latency. Without these, it's impossible to say how long the re-submission process takes and whether the current submission process works as intended.

This problem logically exists in all Quay installations, but may not be noticed until at a quay.io scale.