Scan for vulnerabilities

Every Harbor instance created in Harbor-as-a-Service connects to a Trivy vulnerability scanner to help you identify and address security risks in your container images. Trivy is the default scanner in Harbor versions 2.2 and later. Trivy analyzes the contents of your container images and compares them against known vulnerability databases, such as the National Vulnerability Database, to identify potential issues. For more information, see https://github.com/aquasecurity/trivy.

Before you begin

You must have the following to scan for vulnerabilities:

You can scan individual artifacts in Harbor, or configure vulnerability settings in Harbor projects.

Scan individual artifacts in Harbor

Follow these steps to scan individual artifacts in Harbor:

  1. Sign in to the Harbor interface with an account that has the ProjectAdmin role.
  2. Go to Projects and select a project.
  3. Click the Scanner tab. The Scanner tab shows the current scanner in use for this project.
  4. Click Edit to select a different scanner from the list of scanners that are connected to this Harbor instance, and click OK.
  5. Click the Repositories tab and select a repository.
  6. For each artifact in the repository, the Vulnerabilities column displays the vulnerability scanning status and related information.
  7. Select an artifact, or use the checkbox at the top to select all artifacts in the repository, and click Scan to run the vulnerability scan on the selected artifacts.

  8. Hold the pointer over the number of fixable vulnerabilities to see a summary of the vulnerability report.

  9. Click the artifact digest to see a detailed vulnerability report.

For more information, see the Harbor documentation: https://goharbor.io/docs/2.8.0/administration/vulnerability-scanning/scan-individual-artifact/.

Configure vulnerability settings in Harbor projects

Integrate vulnerability scanning into your Harbor workflow to proactively manage the security of your containerized applications and protect your organization from potential threats. Configure projects so that images with vulnerabilities cannot be run, and to automatically scan images as soon as they are pushed into the project.

Follow these steps to configure vulnerability settings for a Harbor project:

  1. Sign in to the Harbor interface with an account that has the ProjectAdmin role.
  2. Go to Projects and select a project.
  3. Click the Configuration tab.
  4. To prevent vulnerable images under the project from being pulled, enable the Prevent vulnerable images from running checkbox.
  5. Select the severity level of vulnerabilities to prevent images from running.

  6. To activate an immediate vulnerability scan on new images that are pushed to the project, select the Automatically scan images on push checkbox.

For more information, see the Harbor documentation: https://goharbor.io/docs/2.8.0/working-with-projects/project-configuration/.
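The two procedures above (reading an artifact's scan result, and the project-level "Prevent vulnerable images from running" policy with its severity threshold) can also be driven from Harbor's REST API. The following is an added example, not code from the Harbor documentation or the Harbor project: it parses the scan overview that Harbor returns for an artifact and applies the same severity-threshold decision the project policy makes. The artifact record is a constructed sample that mirrors the shape of a Harbor v2 API artifact response; the `trigger_scan` helper, the `HARBOR_URL` placeholder and the decision to treat unscanned or failed scans as blocked are this example's own assumptions.

```python
"""Added example (not Harbor's own code): read a Harbor scan overview and
apply a project-style severity threshold to decide whether a pull is allowed."""
import base64
import json
import urllib.parse
import urllib.request

# Harbor's severity ranking, lowest to highest. Only the four on the right are
# offered as the blocking threshold in the project's Configuration tab.
SEVERITY_ORDER = ["None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical"]
THRESHOLDS = ["Low", "Medium", "High", "Critical"]

# Constructed sample of one artifact record with a finished Trivy scan. The
# layout follows what GET .../artifacts/{reference}?with_scan_overview=true
# returns; every value here is made up for the example.
SAMPLE_ARTIFACT = json.loads("""
{
  "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
  "scan_overview": {
    "application/vnd.security.vulnerability.report; version=1.1": {
      "scan_status": "Success",
      "severity": "High",
      "summary": {"total": 7, "fixable": 4,
                  "summary": {"High": 2, "Medium": 3, "Low": 2}}
    }
  }
}
""")


def scan_summary(artifact):
    """Return (scan_status, worst_severity, summary) for an artifact.
    Harbor keys scan_overview by report MIME type, so take the first entry."""
    overview = artifact.get("scan_overview") or {}
    if not overview:
        return ("Not Scanned", "None", {})
    report = next(iter(overview.values()))
    return (report.get("scan_status", "Unknown"),
            report.get("severity", "None"),
            report.get("summary", {}))


def fixable_count(artifact):
    """The number shown in the Vulnerabilities column that you hover over in step 8."""
    return scan_summary(artifact)[2].get("fixable", 0)


def pull_allowed(artifact, prevent_vul, threshold):
    """Apply the project policy from steps 4 and 5: when the policy is on, an
    image whose worst severity reaches the threshold is blocked. This example
    also blocks images with no successful scan, since the policy cannot show
    that such an image is clean (an assumption of the example)."""
    if not prevent_vul:
        return True
    if threshold not in THRESHOLDS:
        raise ValueError("threshold must be one of %s" % THRESHOLDS)
    status, worst, _ = scan_summary(artifact)
    if status != "Success":
        return False
    return SEVERITY_ORDER.index(worst) < SEVERITY_ORDER.index(threshold)


# Placeholder; replace with your own Harbor instance URL and a ProjectAdmin account.
HARBOR_URL = "https://HARBOR-INSTANCE-PLACEHOLDER"


def trigger_scan(project, repository, reference, user, password):
    """Equivalent of clicking Scan in step 7: POST to the artifact's /scan
    endpoint. Repository names containing slashes must be URL-encoded."""
    repo = urllib.parse.quote(repository, safe="")
    url = "%s/api/v2.0/projects/%s/repositories/%s/artifacts/%s/scan" % (
        HARBOR_URL, project, repo, reference)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, method="POST",
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 202 Accepted means the scan was queued


if __name__ == "__main__":
    status, worst, summary = scan_summary(SAMPLE_ARTIFACT)
    print("status=%s worst=%s fixable=%d" % (status, worst, fixable_count(SAMPLE_ARTIFACT)))
    for level in THRESHOLDS:
        print("threshold %-8s -> pull allowed: %s"
              % (level, pull_allowed(SAMPLE_ARTIFACT, True, level)))
```

Running the block offline evaluates the constructed sample against each of the four thresholds: the sample's worst finding is High, so a project configured to block at Critical still allows the pull, while Low, Medium or High blocks it. Point `trigger_scan` at a real instance only after replacing the placeholder URL.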