diff --git a/changelogs/unreleased/update-clair-version.yml b/changelogs/unreleased/update-clair-version.yml
new file mode 100644
index 00000000000..59b6e113fd5
--- /dev/null
+++ b/changelogs/unreleased/update-clair-version.yml
@@ -0,0 +1,6 @@
+---
+title: Extract clair version as CLAIR_EXECUTABLE_VERSION variable and update clair
+  executable from v8 to v11
+merge_request: 30396
+author:
+type: changed
diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
index d1a34c515fa..5ad624bb15f 100644
--- a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -23,6 +23,7 @@ container_scanning:
     DOCKER_HOST: tcp://${DOCKER_SERVICE}:2375/
     # https://hub.docker.com/r/arminc/clair-local-scan/tags
     CLAIR_LOCAL_SCAN_VERSION: v2.0.8_fe9b059d930314b54c78f75afe265955faf4fdc1
+    CLAIR_EXECUTABLE_VERSION: v11
     ## Disable the proxy for clair-local-scan, otherwise Container Scanning will
     ## fail when a proxy is used.
     NO_PROXY: ${DOCKER_SERVICE},localhost
@@ -41,7 +42,7 @@ container_scanning:
     - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:${CLAIR_LOCAL_SCAN_VERSION}
     - apk add -U wget ca-certificates
     - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+    - wget https://github.com/arminc/clair-scanner/releases/download/${CLAIR_EXECUTABLE_VERSION}/clair-scanner_linux_amd64
     - mv clair-scanner_linux_amd64 clair-scanner
     - chmod +x clair-scanner
     - touch clair-whitelist.yml