Deployment security

Starting in version 2.0, Harbor has added capabilities to check for supported artifact types in the pluggable scanners. Harbor uses the consumes_mime_types metadata of the scanner to decide whether a requested artifact is supported by this scanner. For example, Helm charts cannot be scanned for vulnerabilities by any of the supported scanners like Clair or Aqua Trivy.

Harbor v2.0 supports OCI image index, which is a higher-level manifest that points to specific image manifests, ideal for one or more platform. Scanning for OCI image index is also supported, with the scan result of the index being an aggregation of the scan results of the artifacts referenced within.

Harbor has ‘deployment security’ which can prevent artifacts from being pulled if vulnerabilities are discovered. For pulling indexes, ‘deployment security’ skips this policy checking for the index artifact itself and only applies policy checking on the referenced artifacts and at the individual artifact level and not on the index as a whole. This means when pulling Redis for ARM for example, it only checks to see if whether Redis for ARM has vulnerabilities, and is not impacted by whether amd64 has CVEs. This applies to CNABs as well.