Feature Request
Resolution: Unresolved
Product / Portfolio Work
Currently, Quay has two states for image security information. Either an image is entirely unsupported (no packages are identified, and no vulnerability information is presented), or it appears to be supported (packages are identified, and a vulnerability scanning result is presented).
However, in the latter case it can happen that packages are identified but no vulnerability metadata is available for them. The information presented is then accurate (“Quay Security Scanner has detected no vulnerabilities in this manifest.”) but ultimately misleading: the scanner has detected no vulnerabilities not because there are none (or no known ones), but because it has no way to check those packages for vulnerabilities at all.
This can happen for at least two reasons: the base distribution might be entirely unsupported (for example Fedora), or Clair might need more information than the image provides in order to look up vulnerabilities (for example buildinfo in RPM-based images).
Whatever the cause, it would be great if Quay could indicate that while it has identified packages, it doesn’t know whether they are vulnerable or not. See https://redhat-internal.slack.com/archives/CFM9X5L8N/p1738677859451539 for context and discussion.
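To make the proposed third state concrete, here is an added example (not Quay or Clair code) that classifies a scan report into "unsupported", "vulnerable", "no known vulnerabilities" and the missing "coverage unknown" state, and counts how many identified packages could actually be checked. The report shape is loosely modelled on Clair's vulnerability report (packages, distributions, per-package environments with a distribution id and repository ids), but the sample reports, the set of supported distribution ids, and the rule that RHEL packages need repository context (standing in for the buildinfo the issue mentions) are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum


class ScanState(Enum):
    UNSUPPORTED = "unsupported"            # nothing identified: Quay's first state today
    VULNERABLE = "vulnerable"              # packages matched known vulnerabilities
    NO_KNOWN_VULNS = "no_known_vulns"      # packages were checked against feeds, none matched
    COVERAGE_UNKNOWN = "coverage_unknown"  # packages identified, but no feed applies (proposed)


# Assumption: distribution ids ("did" values) this hypothetical scanner has feeds for.
# Fedora is deliberately absent, as in the issue text.
SUPPORTED_DIDS = {"debian", "ubuntu", "alpine", "rhel"}
# Assumption: RPM-based distributions additionally need repository context before a
# package can be matched (a stand-in for the buildinfo requirement in the issue).
NEEDS_REPOSITORY_CONTEXT = {"rhel"}


@dataclass(frozen=True)
class ScanSummary:
    state: ScanState
    checked: int    # packages for which vulnerability data could be applied
    unchecked: int  # packages identified but not checkable


def package_is_checkable(env: dict, distributions: dict) -> bool:
    """Can one environment record for a package be matched against vulnerability feeds?"""
    dist = distributions.get(env.get("distribution_id"), {})
    did = dist.get("did")
    if did not in SUPPORTED_DIDS:
        return False
    if did in NEEDS_REPOSITORY_CONTEXT and not env.get("repository_ids"):
        return False
    return True


def classify(report: dict) -> ScanSummary:
    """Derive the display state plus checked/unchecked package counts from a report."""
    packages = report.get("packages", {})
    if not packages:
        return ScanSummary(ScanState.UNSUPPORTED, 0, 0)
    distributions = report.get("distributions", {})
    environments = report.get("environments", {})
    checked = sum(
        1 for pkg_id in packages
        if any(package_is_checkable(env, distributions) for env in environments.get(pkg_id, []))
    )
    unchecked = len(packages) - checked
    if report.get("package_vulnerabilities"):
        state = ScanState.VULNERABLE
    elif checked == 0:
        state = ScanState.COVERAGE_UNKNOWN
    else:
        state = ScanState.NO_KNOWN_VULNS
    return ScanSummary(state, checked, unchecked)


def status_message(summary: ScanSummary) -> str:
    """Text a UI could show; the third state says explicitly what was not checked."""
    tail = f" ({summary.unchecked} packages could not be checked)" if summary.unchecked else ""
    if summary.state is ScanState.UNSUPPORTED:
        return "Image not supported by the security scanner."
    if summary.state is ScanState.VULNERABLE:
        return f"Vulnerabilities found{tail}."
    if summary.state is ScanState.COVERAGE_UNKNOWN:
        return (f"{summary.unchecked} packages identified, but no vulnerability data "
                "is available for them; their status is unknown.")
    return f"No known vulnerabilities in {summary.checked} checked packages{tail}."


# Constructed sample reports; package names and ids are made up for this example.
FEDORA_REPORT = {
    "packages": {"1": {"name": "bash"}, "2": {"name": "openssl"}},
    "distributions": {"d1": {"did": "fedora", "version_id": "41"}},
    "environments": {"1": [{"distribution_id": "d1", "repository_ids": []}],
                     "2": [{"distribution_id": "d1", "repository_ids": []}]},
    "package_vulnerabilities": {},
}
RHEL_NO_REPO_REPORT = {
    "packages": {"1": {"name": "bash"}},
    "distributions": {"d1": {"did": "rhel", "version_id": "9"}},
    "environments": {"1": [{"distribution_id": "d1", "repository_ids": []}]},
    "package_vulnerabilities": {},
}
DEBIAN_REPORT = {
    "packages": {"1": {"name": "bash"}, "2": {"name": "vendored-binary"}},
    "distributions": {"d1": {"did": "debian", "version_id": "12"}},
    "environments": {"1": [{"distribution_id": "d1", "repository_ids": []}], "2": []},
    "package_vulnerabilities": {},
}
EMPTY_REPORT = {"packages": {}, "distributions": {}, "environments": {}, "package_vulnerabilities": {}}

if __name__ == "__main__":
    for name, report in [("fedora", FEDORA_REPORT), ("rhel-no-repo", RHEL_NO_REPO_REPORT),
                         ("debian", DEBIAN_REPORT), ("empty", EMPTY_REPORT)]:
        print(f"{name}: {status_message(classify(report))}")
```

The Fedora and RHEL-without-repository samples both have identified packages yet land in `COVERAGE_UNKNOWN`, which is exactly the case the current two-state display collapses into "no vulnerabilities detected"; the Debian sample shows the partial case, where one package was checked and one could not be, so the message reports both counts rather than a blanket all-clear.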