Scan Docker images on a Harbor registry
Harbor defines a Scanner Adapter HTTP API (a REST API) that a vulnerability scanner can implement. The registry then connects to such a scanner to have its Docker images analyzed. In particular, this allows the vulnerabilities detected in each image to be displayed directly in the Harbor interface, and a security policy for deploying images to be defined on top of the results.
Cyberwatch implements this API and can therefore be used to scan images from a Harbor registry. This page explains how to configure and use this feature.
Prerequisites
In order to be able to use this feature, you must have previously configured in Cyberwatch:
- a Docker engine,
- and the Harbor registry.
The procedure is explained here.
Configuring Harbor scanner
In order to allow your Harbor registry to connect to Cyberwatch, you must configure the Harbor scanner:
- Click on Admin
- Click on External tools
- Click on Harbor scanner
- Click on Create
- Choose the source and the Docker engine that will be used to scan the Docker images
- Save
You then get the settings needed to add Cyberwatch as a vulnerability scanner in Harbor. Save them now: they will not be shown again afterwards.
Adding Cyberwatch as a vulnerability scanner
You can now add Cyberwatch as a vulnerability scanner for your Harbor registry:
- Log in to your Harbor registry with an account that has Admin rights.
- In Administration, click on Interrogation Services.
- Click on the New scanner button.
- Fill in the required information:
  - for the Endpoint field, append /harbor to the root URL of your Cyberwatch instance,
  - for Authentication, choose Basic and use the credentials generated in the previous step.
- Test your settings by clicking on the Test Connection button.
- If everything is OK, click on the Add button.
Cyberwatch is now added as an image scanner and is ready to use.
For additional explanations, you can refer to the official documentation.
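The same registration can be done against Harbor's REST API instead of the UI, which is convenient when Harbor is provisioned by automation. The following is an added example, not Cyberwatch or Harbor project code: it builds the body Harbor expects for POST /api/v2.0/scanners, deriving the endpoint from the Cyberwatch root URL and packing the Basic credentials from the previous step the way Harbor wants them, and first sends the same settings to POST /api/v2.0/scanners/ping, which is what the Test Connection button does. It assumes Harbor 2.x; the hostnames and credentials are placeholders.

```python
"""Register Cyberwatch as a scanner over the Harbor v2.0 REST API.

Added example, not Cyberwatch or Harbor project code. Assumes Harbor 2.x
(routes /api/v2.0/scanners and /api/v2.0/scanners/ping) and the Basic-auth
credentials produced by the Harbor scanner entry in Cyberwatch. Hostnames
and credentials are placeholders.
"""
import base64
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def adapter_endpoint(cyberwatch_root: str) -> str:
    """Endpoint Harbor must call: the Cyberwatch root URL plus /harbor.
    Trailing slashes and an already-present /harbor are normalised so the
    result never becomes //harbor or /harbor/harbor."""
    parts = urlsplit(cyberwatch_root)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("Cyberwatch root must be an absolute http(s) URL")
    path = parts.path.rstrip("/")
    if not path.endswith("/harbor"):
        path += "/harbor"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def scanner_registration(name: str, cyberwatch_root: str, username: str,
                         password: str, skip_cert_verify: bool = False) -> dict:
    """Body for POST /api/v2.0/scanners (Harbor's ScannerRegistrationReq).
    For Basic auth Harbor takes a single 'user:password' string in
    access_credential and builds the Authorization header itself."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return {
        "name": name,
        "description": "Cyberwatch vulnerability scanner",
        "url": adapter_endpoint(cyberwatch_root),
        "auth": "Basic",
        "access_credential": f"{username}:{password}",
        "skip_certVerify": skip_cert_verify,  # keep False outside lab setups
        "use_internal_addr": False,
        "disabled": False,
    }


def ping_settings(registration: dict) -> dict:
    """Body for POST /api/v2.0/scanners/ping, the API form of the Test
    Connection button: only the connection settings, not the full record."""
    return {k: registration[k] for k in ("name", "url", "auth", "access_credential")}


def harbor_post(harbor_root: str, path: str, body: dict,
                admin_user: str, admin_password: str) -> dict:
    """POST a JSON body to Harbor as an admin user; returns decoded JSON,
    or {} when Harbor answers with an empty body (as it does on 201)."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        harbor_root.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    reg = scanner_registration("cyberwatch", "https://cyberwatch.example.com/",
                               "harbor-scanner", "s3cret")
    harbor = "https://harbor.example.com"
    # Same check as Test Connection, then the registration itself.
    harbor_post(harbor, "/api/v2.0/scanners/ping", ping_settings(reg), "admin", "Harbor12345")
    harbor_post(harbor, "/api/v2.0/scanners", reg, "admin", "Harbor12345")
```

Leave `skip_certVerify` at its default unless you are testing against a lab instance: it disables TLS verification between Harbor and Cyberwatch, and the Basic credentials would then travel over an unauthenticated channel.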
Scanning a Docker image
To scan a Docker image from your Harbor interface:
- Go to the registry project where the image is located.
- Click on the image.
- Check, in the left column, the versions of this image that you want to scan.
- Click on the Scan button.
- When the scan is complete, a brief report appears in the Vulnerabilities column.
- For a more detailed version, click on the scanned version and scroll down the page to find the table of vulnerabilities.
For more details, refer to the Harbor documentation.
When an image is scanned, if it does not already exist in Cyberwatch, it is created there: it then appears in the list of Docker images together with the full analysis performed by Cyberwatch.
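The scan can also be triggered and its result read back through Harbor's REST API, which is how a CI pipeline would consume it. The following is an added example, not Cyberwatch or Harbor project code: it builds the artifact routes (taking care of the double URL encoding Harbor needs for repository names containing a slash), reads the scan overview Harbor attaches to the artifact, and applies a severity gate of the same kind as Harbor's deployment policy. It assumes Harbor 2.x and the report MIME type shown in the code; SAMPLE_ARTIFACT is a constructed response shaped like Harbor's, not real scanner output, and the hostnames and credentials are placeholders.

```python
"""Scan one image version and read its result over the Harbor v2.0 REST API,
then apply a severity gate of the same kind as a Harbor deployment policy.

Added example, not Cyberwatch or Harbor project code. Assumes Harbor 2.x
artifact routes and the report MIME type below. SAMPLE_ARTIFACT is a
constructed response shaped like Harbor's, not real scanner output.
"""
import base64
import json
import urllib.request
from urllib.parse import quote

REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"
# Harbor's severity order, lowest to highest.
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Negligible": 2, "Low": 3,
                 "Medium": 4, "High": 5, "Critical": 6}


def artifact_path(project: str, repository: str, reference: str) -> str:
    """Path of one artifact. Harbor routes on '/', so a repository name such
    as "team/app" needs its slash encoded twice: '/' -> '%2F' -> '%252F'."""
    repo = quote(quote(repository, safe=""), safe="")
    return (f"/api/v2.0/projects/{quote(project, safe='')}"
            f"/repositories/{repo}/artifacts/{quote(reference, safe='')}")


def scan_url(harbor_root: str, project: str, repository: str, reference: str) -> str:
    return harbor_root.rstrip("/") + artifact_path(project, repository, reference) + "/scan"


def overview_url(harbor_root: str, project: str, repository: str, reference: str) -> str:
    return (harbor_root.rstrip("/") + artifact_path(project, repository, reference)
            + "?with_scan_overview=true")


def summarize(artifact: dict) -> dict:
    """Reduce the artifact's scan_overview to status, worst severity and
    per-severity counts. No entry for REPORT_MIME means never scanned."""
    overview = (artifact.get("scan_overview") or {}).get(REPORT_MIME)
    if overview is None:
        return {"status": "Not Scanned", "severity": "None", "counts": {}}
    summary = overview.get("summary") or {}
    return {
        "status": overview.get("scan_status", "Unknown"),
        "severity": overview.get("severity", "None"),
        "counts": dict(summary.get("summary") or {}),
    }


def violates_policy(artifact: dict, threshold: str) -> bool:
    """True when the image should not be deployed: its worst finding is at or
    above `threshold`, or it has no successful scan. Unscanned or failed
    scans are rejected on purpose so the gate fails closed."""
    s = summarize(artifact)
    if s["status"] != "Success":
        return True
    rank = SEVERITY_RANK.get(s["severity"], SEVERITY_RANK["Unknown"])
    return rank >= SEVERITY_RANK[threshold]


def harbor_call(url: str, user: str, password: str, method: str = "GET") -> dict:
    """Authenticated call to Harbor; returns decoded JSON, {} on empty body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": f"Basic {token}",
        "X-Accept-Vulnerabilities": REPORT_MIME,  # selects the report version
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


# Constructed sample, shaped like Harbor's artifact JSON with a scan overview.
SAMPLE_ARTIFACT = {
    "digest": "sha256:constructed",
    "scan_overview": {
        REPORT_MIME: {
            "scan_status": "Success",
            "severity": "High",
            "summary": {"total": 7, "fixable": 5,
                        "summary": {"High": 2, "Medium": 4, "Low": 1}},
        }
    },
}

if __name__ == "__main__":
    args = ("https://harbor.example.com", "library", "team/app", "1.2.3")
    harbor_call(scan_url(*args), "admin", "Harbor12345", method="POST")  # 202 Accepted
    # Poll until scan_status leaves Pending/Running before trusting the result.
    artifact = harbor_call(overview_url(*args), "admin", "Harbor12345")
    print(summarize(artifact), "blocked:", violates_policy(artifact, "High"))
```

The scan request is asynchronous: Harbor answers 202 and the overview shows Pending or Running until the Cyberwatch analysis finishes, so a pipeline must poll before gating. Rejecting unscanned images in `violates_policy` is a deliberate fail-closed choice; relaxing it would let an image through simply because no scan had run yet.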
For further information
Harbor allows you to:
- set up a security policy, for example to prevent the deployment of images with vulnerabilities at or above a given severity,
- scan all the images available on the registry,
- schedule scans.
These different features are detailed in Harbor’s documentation on vulnerability scans.