Vulnerability Scanning
Harbor provides static analysis of vulnerabilities in images through the open source projects
Trivy. To be able to use Trivy you must have enabled Trivy when you installed your Harbor instance (by appending installation options --with-trivy
). For information about installing Harbor with Trivy, see the
Run the Installer Script.
If the upgrading path is from the version that is >=V1.10 to current version (V2.0) and there was an existing system default scanner “ABC” is set in the previous version, that scanner “ABC” will be kept as system default scanner;
You can also connect Harbor to your own instance of Trivy or to other additional vulnerability scanners through Harbor’s embedded interrogation service. These scanners can be configured in the Harbor UI at any time after installation.
It might be necessary to connect Harbor to other scanners for corporate compliance reasons, or because your organization already uses a particular scanner. Different scanners also use different vulnerability databases, capture different CVE sets, and apply different severity thresholds. By connecting Harbor to more than one vulnerability scanner, you broaden the scope of your protection against vulnerabilities. For the list of additional scanners that are currently supported, see the Harbor Compatibility List.
You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals. Vulnerability scans of Cosign signatures are not supported.
You can also export scans for an image using the Harbor API endpoint /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities
. See more information about using this endpoint in the
Harbor Swagger file.
Pages in this section
- Connect Harbor to Additional Vulnerability Scanners
- Scan Individual Artifacts
- Stop Scan & Stop Scan All
- Deployment security
- Scan All Artifacts
- Schedule Scans
- Import Vulnerability Data to an Offline Harbor instance
- Configure System-Wide CVE Allowlists
- Configure custom Certification Authorities for trivy
Contributing