In the Clair team's discussion with the FedRAMP compliance team, we were supplied with list of investigated and confirmed false-positives. Upon our investigation, we determined that the bugs causing those results had been identified, fixed, and deployed to the quay.io Clair instance for months.

Is the resubmission process proceeding apace? What sort of latency is there between a Clair update and all manifests being resubmitted?