Aqua Blog

Pluggable Image Vulnerability Scanners for Harbor

Harbor is an open source cloud native artifact registry, sponsored by the CNCF, that you can use as a repository for your container images. Harbor provides support for vulnerability scanning of images to make sure they are safe to deploy. We’ve been working with the Harbor team to extend its capabilities with support for pluggable image vulnerability scanners.

This feature was recently released in Harbor 1.10, giving users the ability to choose which vulnerability scanner to use.

There are many container image scanners available today, with varying levels of capabilities, speed and accuracy. To use a scanner with Harbor, you’ll need to install a scanner adapter that translates scan requests for your choice of scanner. Aqua provides two such adapters—for Trivy, our open source vulnerability scanner, and for our commercially available Aqua CSP scanner.

In this blog post I’ll describe how to set up Harbor to use these scanners.

Harbor Adapter for Trivy Open Source Vulnerability Scanner

Trivy is Aqua’s open source vulnerability scanner. Trivy is an easy to use scanner that quickly scans your containers in CI and identifies vulnerabilities.

If you already have Harbor deployed in Kubernetes, the easiest way to install the adapter for Trivy is with Helm:

$ git clone git@github.com:aquasecurity/harbor-scanner-trivy.git
$ cd harbor-scanner-trivy
$ helm install harbor-scanner-trivy ./helm/harbor-scanner-trivy -n harbor

Next, add a new scanner registration in the Harbor user interface. Navigate to the Interrogation Services option, and specify the following URL: http://harbor-scanner-trivy.harbor:8080.

Screenshot: Scanner registration for Trivy

Set the Trivy scanner registration as the default scanner, so that Harbor delegates subsequent scan requests, both manual and scheduled, to Trivy. When you scan an image the scan report generated by Trivy is displayed under the image tag details, as shown in the following screenshot.

Screenshot: Trivy scan report shown under the image tag details in Harbor

Harbor Adapter for Aqua CSP Scanner

You can install the Aqua CSP scanner adapter using the following Helm chart command:

$ git clone git@github.com:aquasecurity/harbor-scanner-aqua.git
$ cd harbor-scanner-aqua
$ helm install harbor-scanner-aqua ./helm/harbor-scanner-aqua \
               --namespace harbor \
               --set scanner.aqua.user=$AQUA_USER \
               --set scanner.aqua.password=$AQUA_PASSWORD \
               --set scanner.aqua.host=http://csp-console-svc.aqua:8080

Screenshot: Scanner registration for Aqua CSP

Next, create a scanner registration that points at the adapter URL http://harbor-scanner-aqua.harbor:8080, and set it as the default scanner.

Going forward, every scan request is delegated to the Aqua CSP scanner.

Note: The adapter service is only needed if you want Harbor to use Aqua CSP for its image scanning capability and display the results in the Harbor UI. If you want to use Aqua CSP to generate analytical reports for images that are stored in Harbor, you do not need to install the adapter.

Using Harbor to Protect from Vulnerable Images

Whether you use the open source Trivy scanner or the commercially available Aqua CSP scanner, make sure to enable the scanning capability on your instance of Harbor. To protect workloads in production, you can also enable deployment security in the Harbor project settings, which prevents images with a specified vulnerability severity (and above) from being deployed.
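The deployment security setting described above works on the report that the scanner adapter hands back to Harbor. The following Go program is an added example, not code from Harbor or from either adapter: it parses a report in the Harbor-native vulnerability report format (the `generated_at`, `severity` and `vulnerabilities` fields with `id`, `package`, `version`, `fix_version` and `severity` per finding), derives the report-level severity, and applies the "prevent images at severity X and above" rule. The sample report is constructed and its CVE ids are placeholders; blocking an image that has no report at all is a conservative choice made by this example, and the `None` marker for an empty report is this example's own convention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Severity levels of the Harbor vulnerability report format, ranked from
// least to most severe.
var severityRank = map[string]int{
	"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5,
}

// VulnerabilityItem is one finding in the Harbor-native report.
type VulnerabilityItem struct {
	ID         string `json:"id"`
	Package    string `json:"package"`
	Version    string `json:"version"`
	FixVersion string `json:"fix_version"`
	Severity   string `json:"severity"`
}

// ScanReport is the subset of report fields this example uses.
type ScanReport struct {
	GeneratedAt     string              `json:"generated_at"`
	Severity        string              `json:"severity"`
	Vulnerabilities []VulnerabilityItem `json:"vulnerabilities"`
}

// SampleReport is a constructed report body; the CVE ids are placeholders,
// not real advisories. Two findings deliberately break the spec's casing
// (lowercase "low") or omit the severity, to exercise the fallback below.
const SampleReport = `{
  "generated_at": "2020-01-01T00:00:00Z",
  "severity": "High",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1d-0+deb10u1", "fix_version": "1.1.1d-0+deb10u2", "severity": "High"},
    {"id": "CVE-0000-0002", "package": "libc6", "version": "2.28-10", "fix_version": "", "severity": "Medium"},
    {"id": "CVE-0000-0003", "package": "curl", "version": "7.64.0-4", "fix_version": "", "severity": "low"},
    {"id": "CVE-0000-0004", "package": "zlib", "version": "1.2.11", "fix_version": "", "severity": ""}
  ]
}`

// ParseReport decodes a report body as returned by an adapter's
// GET /api/v1/scan/{scan_request_id}/report endpoint.
func ParseReport(body []byte) (*ScanReport, error) {
	var r ScanReport
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("decoding scan report: %w", err)
	}
	return &r, nil
}

// normalize maps a severity string to its canonical spelling. Matching is
// case-insensitive; anything outside the spec (including an empty string)
// becomes Unknown rather than being silently dropped from the gate.
func normalize(sev string) string {
	for name := range severityRank {
		if strings.EqualFold(name, sev) {
			return name
		}
	}
	return "Unknown"
}

func rank(sev string) int { return severityRank[normalize(sev)] }

// HighestSeverity derives the report-level severity from the findings,
// which is the value Harbor shows next to the tag.
func HighestSeverity(r *ScanReport) string {
	if r == nil || len(r.Vulnerabilities) == 0 {
		return "None" // this example's marker for "nothing found"
	}
	best := "Unknown"
	for _, v := range r.Vulnerabilities {
		if rank(v.Severity) > rank(best) {
			best = normalize(v.Severity)
		}
	}
	return best
}

// DeploymentAllowed applies "Prevent vulnerable images from running": the
// image is blocked if any finding is at the threshold or above. A missing
// report is blocked too (conservative choice of this example). Blocking
// findings are returned most severe first, fixable ones ahead of unfixable
// ones at equal severity, ready to print as a remediation list.
func DeploymentAllowed(r *ScanReport, threshold string) (bool, []VulnerabilityItem) {
	if r == nil {
		return false, nil
	}
	var blocking []VulnerabilityItem
	for _, v := range r.Vulnerabilities {
		if rank(v.Severity) >= rank(threshold) {
			blocking = append(blocking, v)
		}
	}
	sort.SliceStable(blocking, func(i, j int) bool {
		ri, rj := rank(blocking[i].Severity), rank(blocking[j].Severity)
		if ri != rj {
			return ri > rj
		}
		return blocking[i].FixVersion != "" && blocking[j].FixVersion == ""
	})
	return len(blocking) == 0, blocking
}

func main() {
	r, err := ParseReport([]byte(SampleReport))
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("highest severity:", HighestSeverity(r))
	for _, th := range []string{"Critical", "High", "Medium"} {
		ok, blocking := DeploymentAllowed(r, th)
		fmt.Printf("threshold %-8s allowed=%-5v blocking=%d\n", th, ok, len(blocking))
		for _, v := range blocking {
			fmt.Printf("  %-7s %s %s (fix: %q)\n", normalize(v.Severity), v.ID, v.Package, v.FixVersion)
		}
	}
}
```

Run it with `go run .`: with the threshold set to Critical the sample image is allowed, at High it is blocked by the single fixable openssl finding, and at Medium two findings block it. Note that an unrecognised threshold string normalizes to Unknown (rank 0) and therefore blocks on any finding at all, which is the safe direction for a typo in a policy value.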

Screenshot: Prevent vulnerable images from running (Harbor project settings)

We recommend that you schedule regular rescans to make sure that containers running in production are not vulnerable to exploits that are discovered after deployment.

Screenshot: Scheduled scans enabled in Harbor settings

Summary

With the new pluggable scanner feature, Harbor users can now use a scanner from their vendor of choice. We’re happy to offer Helm charts that make it easy for you to integrate with the fast and accurate scanning capabilities of Trivy and Aqua CSP. It has been a pleasure working with the Harbor team to offer this flexibility. We also look forward to further contributions to interrogation services and enhancements to pluggable scanners.

Not already using a vulnerability scanner?
Try Trivy today!

Daniel Pacak
Daniel Pacak is an Open Source Engineer at Aqua Security. He works on Kubernetes and container security related projects, while also taking part in maintaining the CNCF's project, Harbor.