Stay organized with collections
Save and categorize content based on your preferences.
Every Harbor instance created in Harbor-as-a-Service connects to a Trivy
vulnerability scanner to help you identify and address security risks in your
container images. Trivy is the default scanner in Harbor versions 2.2 and later.
Trivy analyzes the contents of your container images, comparing them against
known vulnerability databases, like the National Vulnerability Database, to
identify potential issues.For more information, see
https://github.com/aquasecurity/trivy.
Before you begin
You must have the following to scan for vulnerabilities:
You can scan individual artifacts in Harbor, or configure vulnerability
settings in Harbor projects.
Scan individual artifacts in Harbor
Follow these steps to scan individual artifacts in Harbor:
Sign in to the Harbor interface with an account that has the
ProjectAdmin role.
Go to Projects and select a project.
Click the Scanner tab. The Scanner tab shows the current scanner
in use for this project.
Click Edit to select a different scanner from the list of scanners
that are connected to this Harbor instance, and click OK.
Click the Repositories tab and select a repository.
For each artifact in the repository, the Vulnerabilities column
displays the vulnerability scanning status and related information.
Select an artifact, or use the checkbox at the top to select all
artifacts in the repository, and click Scan to run the
vulnerability scan on this artifact.
Hold the pointer over the number of fixable vulnerabilities to see a summary of
the vulnerability report.
Click the artifact digest to see a detailed vulnerability report.
Configure vulnerability settings in Harbor projects
Integrate vulnerability scanning into your Harbor workflow to proactively manage
the security of your containerized applications and protect your organization
from potential threats. Configure projects so that images with vulnerabilities
cannot be run, and to automatically scan images as soon as they are pushed into
the project.
Follow these steps to configure vulnerability settings for a Harbor project:
Sign in to the Harbor interface with an account that has the
ProjectAdmin role.
Go to Projects and select a project.
Click the Configuration tab.
To prevent vulnerable images under the project from being pulled, enable
the Prevent vulnerable images from running checkbox.
Select the severity level of vulnerabilities to prevent images from running.
To activate an immediate vulnerability scan on new images that are
pushed to the project, select the Automatically scan images on push
checkbox.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Scan for vulnerabilities\n\nEvery Harbor instance created in Harbor-as-a-Service connects to a Trivy\nvulnerability scanner to help you identify and address security risks in your\ncontainer images. Trivy is the default scanner in Harbor versions 2.2 and later.\nTrivy analyzes the contents of your container images, comparing them against\nknown vulnerability databases, like the National Vulnerability Database, to\nidentify potential issues.For more information, see\n\u003chttps://github.com/aquasecurity/trivy\u003e.\n\nBefore you begin\n----------------\n\nYou must have the following to scan for vulnerabilities:\n\n- Trivy. You must have enabled Trivy when you installed your Harbor instance by appending installation options `--with-trivy`. For information about installing Harbor with Trivy, see \u003chttps://goharbor.io/docs/2.8.0/install-config/run-installer-script/\u003e.\n- An account with the `ProjectAdmin` role from Harbor's role-based access controls. For more information, see [Configure access for APIs and within a Harbor instance](/distributed-cloud/hosted/docs/latest/appliance/platform-application/pa-ao-operations/configure-access-control#configure-access-within-harbor-instance).\n- An existing Harbor project. For more information, see [Create Harbor projects](/distributed-cloud/hosted/docs/latest/appliance/platform-application/pa-ao-operations/create-harbor-projects).\n\nYou can scan individual artifacts in Harbor, or configure vulnerability\nsettings in Harbor projects.\n\nScan individual artifacts in Harbor\n-----------------------------------\n\nFollow these steps to scan individual artifacts in Harbor:\n\n1. Sign in to the Harbor interface with an account that has the `ProjectAdmin` role.\n2. Go to **Projects** and select a project.\n3. Click the **Scanner** tab. The **Scanner** tab shows the current scanner in use for this project.\n4. Click **Edit** to select a different scanner from the list of scanners that are connected to this Harbor instance, and click **OK**.\n5. Click the **Repositories** tab and select a repository.\n6. For each artifact in the repository, the **Vulnerabilities** column displays the vulnerability scanning status and related information.\n7. Select an artifact, or use the checkbox at the top to select all\n artifacts in the repository, and click **Scan** to run the\n vulnerability scan on this artifact.\n\n | **Note:** You can start a scan at any time, unless the status is Queued or Scanning.\n8. Hold the pointer over the number of fixable vulnerabilities to see a summary of\n the vulnerability report.\n\n9. Click the artifact digest to see a detailed vulnerability report.\n\nFor more information, see the Harbor documentation:\n\u003chttps://goharbor.io/docs/2.8.0/administration/vulnerability-scanning/scan-individual-artifact/\u003e.\n\nScan all artifacts in Harbor\n----------------------------\n\nFollow these steps to scan all of the artifacts in your Harbor instance:\n\n1. Sign in to the Harbor interface with an account that has the `ProjectAdmin` role.\n2. In the **Administration** menu, click **Interrogation Services**.\n3. To perform a scan of all artifacts in your Harbor instance, select the **Vulnerability** tab and click **Scan now**.\n\n | **Note:** **Scan now** becomes unavailable while the scan is in progress.\n\nFor more information, see the Harbor documentation:\n\u003chttps://goharbor.io/docs/2.8.0/administration/vulnerability-scanning/scan-all-artifacts/\u003e.\n\nConfigure vulnerability settings in Harbor projects\n---------------------------------------------------\n\nIntegrate vulnerability scanning into your Harbor workflow to proactively manage\nthe security of your containerized applications and protect your organization\nfrom potential threats. Configure projects so that images with vulnerabilities\ncannot be run, and to automatically scan images as soon as they are pushed into\nthe project.\n\nFollow these steps to configure vulnerability settings for a Harbor project:\n\n1. Sign in to the Harbor interface with an account that has the `ProjectAdmin` role.\n2. Go to **Projects** and select a project.\n3. Click the **Configuration** tab.\n4. To prevent vulnerable images under the project from being pulled, enable the **Prevent vulnerable images from running** checkbox.\n5. Select the severity level of vulnerabilities to prevent images from running.\n\n | **Note:** Images cannot be pulled if their level is equal to or higher than the selected level of severity. Harbor does not prevent images with a vulnerability severity of negligible from running.\n6. To activate an immediate vulnerability scan on new images that are\n pushed to the project, select the **Automatically scan images on push**\n checkbox.\n\nFor more information, see the Harbor documentation:\n\u003chttps://goharbor.io/docs/2.8.0/working-with-projects/project-configuration/\u003e."]]
