Vulnerability Scanning

Harbor provides static analysis of vulnerabilities in images through the open source projects Trivy and Clair.

To use Trivy, Clair, or both, enable them when you install your Harbor instance by appending the installation options --with-trivy, --with-clair, or both.

Currently, Harbor supports only one system-default scanner. Harbor applies the following rules to choose the system-default scanner from among the installed scanners.

For a brand new installation:

  • If no scanner is installed, no system-default scanner is set.
  • If only one scanner (either Trivy or Clair) is installed, the installed scanner is the system-default scanner.
  • If both Trivy and Clair are installed, Trivy is the system-default scanner.

For upgrades:

  • If you upgrade from a version >= v1.10 to the current version (v2.0) and a system-default scanner was set in the previous version, that scanner is kept as the system-default scanner.
  • Otherwise, Harbor determines the system-default scanner according to the rules for a brand new installation.

You can also connect Harbor to your own instance of Trivy or Clair, or to other vulnerability scanners, through Harbor’s embedded interrogation service. These scanners can be configured in the Harbor interface at any time after installation. For the list of additional scanners that are currently supported, see the Harbor Compatibility List.

It might be necessary to connect Harbor to other scanners for corporate compliance reasons, or because your organization already uses a particular scanner. Different scanners also use different vulnerability databases, capture different CVE sets, and apply different severity thresholds. By connecting Harbor to more than one vulnerability scanner, you broaden the scope of your protection against vulnerabilities.
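
The following added example is not part of the Harbor documentation. It merges constructed findings from two scanners to show how differing CVE sets and severity ratings change the combined result. The field names, severity labels, package versions, and placeholder identifiers are assumptions for illustration.

```python
# Added example: constructed data, not output from a real Harbor scan.
# Field names and severity labels are assumptions; ids are placeholders.
RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

TRIVY = [
    {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1k", "severity": "High"},
    {"id": "CVE-0000-0002", "package": "zlib", "version": "1.2.11", "severity": "Medium"},
    {"id": "CVE-0000-0003", "package": "bash", "version": "5.0", "severity": "Low"},
]
CLAIR = [
    {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1k", "severity": "Critical"},
    {"id": "CVE-0000-0003", "package": "bash", "version": "5.0", "severity": "Low"},
    {"id": "CVE-0000-0004", "package": "curl", "version": "7.68.0", "severity": "High"},
]

def merge_findings(reports):
    """Merge {scanner: findings} keyed by (id, package, version).

    Keeps the highest severity any scanner assigned and who reported what."""
    merged = {}
    for scanner, findings in reports.items():
        for f in findings:
            key = (f["id"], f["package"], f["version"])
            entry = merged.setdefault(key, {"severity": "Unknown", "reported_by": {}})
            entry["reported_by"][scanner] = f["severity"]
            if RANK.get(f["severity"], 0) > RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    return merged

def coverage_summary(merged):
    """List findings seen by a single scanner and findings rated differently."""
    only, disagreements = {}, []
    for (vuln_id, _pkg, _ver), entry in sorted(merged.items()):
        seen = entry["reported_by"]
        if len(seen) == 1:
            only.setdefault(next(iter(seen)), []).append(vuln_id)
        elif len(set(seen.values())) > 1:
            disagreements.append(vuln_id)
    return {"total": len(merged), "only": only, "disagreements": disagreements}

def at_or_above(merged, threshold):
    """Ids whose merged (worst-case) severity meets the threshold."""
    return sorted(k[0] for k, e in merged.items() if RANK[e["severity"]] >= RANK[threshold])

if __name__ == "__main__":
    merged = merge_findings({"trivy": TRIVY, "clair": CLAIR})
    print(coverage_summary(merged))
    print("Critical after merge:", at_or_above(merged, "Critical"))
    print("Critical, Trivy alone:", at_or_above(merge_findings({"trivy": TRIVY}), "Critical"))
```

In this constructed data each scanner reports one finding the other misses, and the shared openssl finding reaches Critical only in the merged view.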

For information about installing Harbor with Clair, see Run the Installer Script.

You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can set a policy to scan all images at specific intervals.

