Scan for vulnerabilities

Every Harbor instance created in Harbor-as-a-Service connects to a Trivy vulnerability scanner to help you identify and address security risks in your container images. Trivy is the default scanner in Harbor versions 2.2 and later. Trivy analyzes the contents of your container images, comparing them against known vulnerability databases, like the National Vulnerability Database, to identify potential issues.For more information, see https://github.com/aquasecurity/trivy.

Before you begin

You must have the following to scan for vulnerabilities:

Trivy. You must have enabled Trivy when you installed your Harbor instance by appending installation options --with-trivy. For information about installing Harbor with Trivy, see https://goharbor.io/docs/2.8.0/install-config/run-installer-script/.
An account with the ProjectAdmin role from Harbor's role-based access controls. For more information, see Configure access for APIs and within a Harbor instance.
An existing Harbor project. For more information, see Create Harbor projects.

You can scan individual artifacts in Harbor, or configure vulnerability settings in Harbor projects.

Scan individual artifacts in Harbor

Follow these steps to scan individual artifacts in Harbor:

Sign in to the Harbor interface with an account that has the ProjectAdmin role.
Go to Projects and select a project.
Click the Scanner tab. The Scanner tab shows the current scanner in use for this project.
Click Edit to select a different scanner from the list of scanners that are connected to this Harbor instance, and click OK.
Click the Repositories tab and select a repository.
For each artifact in the repository, the Vulnerabilities column displays the vulnerability scanning status and related information.
Select an artifact, or use the checkbox at the top to select all artifacts in the repository, and click Scan to run the vulnerability scan on this artifact.

Note: You can start a scan at any time, unless the status is Queued or Scanning.
Hold the pointer over the number of fixable vulnerabilities to see a summary of the vulnerability report.
Click the artifact digest to see a detailed vulnerability report.

For more information, see the Harbor documentation: https://goharbor.io/docs/2.8.0/administration/vulnerability-scanning/scan-individual-artifact/.

Configure vulnerability settings in Harbor projects

Integrate vulnerability scanning into your Harbor workflow to proactively manage the security of your containerized applications and protect your organization from potential threats. Configure projects so that images with vulnerabilities cannot be run, and to automatically scan images as soon as they are pushed into the project.

Follow these steps to configure vulnerability settings for a Harbor project:

Sign in to the Harbor interface with an account that has the ProjectAdmin role.
Go to Projects and select a project.
Click the Configuration tab.
To prevent vulnerable images under the project from being pulled, enable the Prevent vulnerable images from running checkbox.
Select the severity level of vulnerabilities to prevent images from running.

Note: Images cannot be pulled if their level is equal to or higher than the selected level of severity. Harbor does not prevent images with a vulnerability severity of negligible from running.
To activate an immediate vulnerability scan on new images that are pushed to the project, select the Automatically scan images on push checkbox.

For more information, see the Harbor documentation: https://goharbor.io/docs/2.8.0/working-with-projects/project-configuration/.