Pluggable Image Vulnerability Scanners for Harbor
Harbor is an open source cloud native artifact registry, sponsored by the CNCF, that you can use as a repository for your container images. Harbor provides support for vulnerability scanning of images to make sure they are safe to deploy. We’ve been working with the Harbor team to extend its capabilities with support for pluggable image vulnerability scanners.
This feature was recently released in Harbor 1.10, giving users the ability to choose which vulnerability scanner to use.
There are many container image scanners available today, with varying levels of capabilities, speed and accuracy. To use a scanner with Harbor, you’ll need to install a scanner adapter that translates scan requests for your choice of scanner. Aqua provides two such adapters—for Trivy, our open source vulnerability scanner, and for our commercially available Aqua CSP scanner.
In this blog post I’ll describe how to set up Harbor to use these scanners.
Harbor Adapter for Trivy Open Source Vulnerability Scanner
Trivy is Aqua’s open source vulnerability scanner. Trivy is an easy-to-use scanner that quickly scans your container images in CI and identifies vulnerabilities.
If you already have Harbor deployed in Kubernetes, the easiest way to install the adapter for Trivy is with Helm:
$ git clone git@github.com:aquasecurity/harbor-scanner-trivy.git
$ cd harbor-scanner-trivy
$ helm install harbor-scanner-trivy ./helm/harbor-scanner-trivy -n harbor
Next, add a new scanner registration in the Harbor user interface. Navigate to the Interrogation Services option, and specify the following URL: http://harbor-scanner-trivy.harbor:8080.
Scanner registration for Trivy
Set the Trivy scanner registration as the default scanner, so that Harbor delegates subsequent scan requests, both manual and scheduled, to Trivy. When you scan an image the scan report generated by Trivy is displayed under the image tag details, as shown in the following screenshot.
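Before registering an adapter URL in Interrogation Services, it is worth confirming that the service behind it actually speaks Harbor’s Pluggable Scanner Spec. The following preflight check is an added example, not code from the original post or from the adapter projects: it fetches the adapter’s /api/v1/metadata endpoint (defined by the spec) and checks the fields Harbor relies on. The in-cluster URL defaults to the one used in the registration step above; the helper names are my own.

```python
"""Preflight check for a Harbor pluggable scanner adapter (added example)."""
import json
import urllib.request

# In-cluster adapter address used when registering the scanner in Harbor.
ADAPTER_URL = "http://harbor-scanner-trivy.harbor:8080"

# Manifest types Harbor sends to the adapter and the report type Harbor's UI renders,
# as named in the Pluggable Scanner Spec v1.0.
REQUIRED_CONSUMES = {
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.v2+json",
}
HARBOR_REPORT = "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"


def fetch_metadata(base_url: str = ADAPTER_URL, timeout: float = 5.0) -> dict:
    """GET {base_url}/api/v1/metadata and decode the JSON body (helper name is mine)."""
    url = f"{base_url.rstrip('/')}/api/v1/metadata"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_metadata(meta: dict) -> list:
    """Return a list of problems found in the metadata; empty means it looks usable."""
    problems = []
    scanner = meta.get("scanner") or {}
    for key in ("name", "vendor", "version"):
        if not scanner.get(key):
            problems.append(f"scanner.{key} missing")
    caps = meta.get("capabilities") or []
    if not caps:
        problems.append("no capabilities advertised")
    consumed, produced = set(), set()
    for cap in caps:
        consumed.update(cap.get("consumes_mime_types", []))
        produced.update(cap.get("produces_mime_types", []))
    for mime in sorted(REQUIRED_CONSUMES - consumed):
        problems.append(f"adapter does not accept {mime}")
    if HARBOR_REPORT not in produced:
        problems.append("adapter does not produce the Harbor vulnerability report format")
    return problems


if __name__ == "__main__":
    # Run from a pod or port-forward that can reach the adapter service.
    for problem in check_metadata(fetch_metadata()) or ["adapter metadata looks good"]:
        print(problem)
```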
Harbor Adapter for Aqua CSP Scanner
You can install the Aqua CSP scanner adapter using its Helm chart; start by cloning the repository:
$ git clone git@github.com:aquasecurity/harbor-scanner-aqua.git
Scanner registration for Aqua CSP
Going forward, every scan request is delegated to the Aqua CSP scanner.
Note: The adapter service is only needed if you want Harbor to use Aqua CSP for its image scanning capability and display the results in the Harbor UI. If you want to use Aqua CSP to generate analytical reports for images that are stored in Harbor, you do not need to install the adapter.
Using Harbor to Protect from Vulnerable Images
Whether you use the open source Trivy scanner or the commercially available Aqua CSP scanner, make sure to enable the scanning capability on your instance of Harbor. To protect workloads in production, you can also enable deployment security in the Harbor project settings, which prevents images with a specified vulnerability severity (and above) from being deployed.
Prevent vulnerable images from running
We recommend that you schedule regular rescans to make sure that containers running in production are not vulnerable to exploits that are discovered after deployment.
With the new pluggable scanner feature, Harbor users can now use a scanner from their vendor of choice. We’re happy to offer Helm charts that make it easy for you to integrate with the fast and accurate scanning capabilities of Trivy and Aqua CSP. It has been a pleasure working with the Harbor team to offer this flexibility. We also look forward to further contributions to interrogation services and enhancements to pluggable scanners.
Not already using a vulnerability scanner?
Try Trivy today!