diff --git a/cmd/clairctl/clair/analyze.go b/cmd/clairctl/clair/analyze.go
index 930646e5..4e6ff092 100644
--- a/cmd/clairctl/clair/analyze.go
+++ b/cmd/clairctl/clair/analyze.go
@@ -47,11 +47,10 @@ func analyzeLayer(id string) (v1.LayerEnvelope, error) {
 
 	lURI := fmt.Sprintf("%v/layers/%v?vulnerabilities", uri, id)
 	response, err := http.Get(lURI)
-	defer response.Body.Close()
-
 	if err != nil {
 		return v1.LayerEnvelope{}, fmt.Errorf("analysing layer %v: %v", id, err)
 	}
+	defer response.Body.Close()
 
 	var analysis v1.LayerEnvelope
 	err = json.NewDecoder(response.Body).Decode(&analysis)
diff --git a/cmd/clairctl/clair/health.go b/cmd/clairctl/clair/health.go
index 87e05c59..565cff37 100644
--- a/cmd/clairctl/clair/health.go
+++ b/cmd/clairctl/clair/health.go
@@ -10,12 +10,11 @@ import (
 func IsHealthy() bool {
 	logrus.Debugln("requesting health on: " + healthURI)
 	response, err := http.Get(healthURI)
-	defer response.Body.Close()
-
 	if err != nil {
 		logrus.Errorf("requesting Clair health: %v", err)
 		return false
 	}
+	defer response.Body.Close()
 
 	if response.StatusCode != http.StatusOK {
 		return false
diff --git a/cmd/clairctl/clair/push.go b/cmd/clairctl/clair/push.go
index f001e821..4ff93aa9 100644
--- a/cmd/clairctl/clair/push.go
+++ b/cmd/clairctl/clair/push.go
@@ -89,11 +89,11 @@ func pushLayer(layer v1.LayerEnvelope) error {
 	request.Header.Set("Content-Type", "application/json")
 
 	response, err := (&http.Client{}).Do(request)
-	defer response.Body.Close()
 
 	if err != nil {
 		return fmt.Errorf("pushing layer to clair: %v", err)
 	}
+	defer response.Body.Close()
 
 	if response.StatusCode != 201 {
 		if response.StatusCode == 422 {
diff --git a/cmd/clairctl/clair/versions.go b/cmd/clairctl/clair/versions.go
index 65eeed37..f0d4ba5e 100644
--- a/cmd/clairctl/clair/versions.go
+++ b/cmd/clairctl/clair/versions.go
@@ -9,10 +9,10 @@ import (
 func Versions() (interface{}, error) {
 	Config()
 	response, err := http.Get(uri + "/versions")
-	defer response.Body.Close()
 	if err != nil {
 		return nil, fmt.Errorf("requesting Clair version: %v", err)
 	}
+	defer response.Body.Close()
 
 	var versionBody interface{}
 	err = json.NewDecoder(response.Body).Decode(&versionBody)
diff --git a/cmd/clairctl/docker/dockerdist/auth.go b/cmd/clairctl/docker/dockerdist/auth.go
index 78b0d2bb..116f0638 100644
--- a/cmd/clairctl/docker/dockerdist/auth.go
+++ b/cmd/clairctl/docker/dockerdist/auth.go
@@ -52,11 +52,11 @@ func AuthenticateResponse(client *http.Client, dockerResponse *http.Response, re
 	req.SetBasicAuth(authConfig.Username, authConfig.Password)
 
 	response, err := client.Do(req)
-	defer response.Body.Close()
 
 	if err != nil {
 		return err
 	}
+	defer response.Body.Close()
 
 	if response.StatusCode == http.StatusUnauthorized {
 		return ErrUnauthorized