
Scan Docker images on a Harbor registry

Harbor defines a Scanner Adapter REST API that a vulnerability scanner can implement. The registry can then connect to such a scanner to have its Docker images analyzed. In particular, this allows the vulnerabilities detected on each image to be displayed directly in the Harbor interface, and a security policy for deploying images to be defined.

Cyberwatch implements this API and can therefore be used to scan images from a Harbor registry. We will see how to configure and use this feature.

Prerequisites

In order to be able to use this feature, you must have previously configured in Cyberwatch:

  • a Docker engine,
  • and the Harbor registry.

The procedure is explained here.

Configuring Harbor scanner

In order to allow your Harbor registry to connect to Cyberwatch, you must configure the Harbor scanner:

  1. Click on Admin
  2. Click on External tools
  3. Click on Harbor scanner
  4. Click on Create
  5. Choose the source and the Docker engine that will be used to scan the Docker images
  6. Save

You get the settings needed to add Cyberwatch as a vulnerability scanner in Harbor. Remember to save them; they will not be accessible again later.

Adding Cyberwatch as a vulnerability scanner

You can now add Cyberwatch as a vulnerability scanner for your Harbor registry:

  1. Log in to your Harbor registry with an account with Admin rights.
  2. In Administration, click on Interrogation Services.
  3. Click on the New scanner button.
  4. Fill in the required information:
    • for the endpoint field, add /harbor to the root URL of your Cyberwatch instance,
    • for authentication, choose Basic and use the credentials generated in the previous step.
  5. Test your information by clicking on the Test Connection button.
  6. If everything is OK, click on the Add button.

Cyberwatch is now added as an image scanner and is ready to use.

For additional explanations, you can refer to the official documentation.

Scanning a Docker image

To scan a Docker image from your Harbor interface:

  1. Go to the registry project where the image is located.
  2. Click on the image.
  3. Check, in the left column, the versions of this image that you want to scan.
  4. Click on the Scan button.
  5. When the scan is complete, a brief report appears in the Vulnerabilities column.
  6. For a more detailed version, click on the analyzed version and scroll down the page to find the table of vulnerabilities.

For more details, refer to the Harbor documentation.

When an image scan is performed and the image does not already exist locally in Cyberwatch, it is created and appears in the list of Docker images, together with the comprehensive analysis performed by Cyberwatch.

For further information

Harbor allows you to:

  • set up a security policy by preventing, for example, the deployment of images with vulnerabilities exceeding a certain criticality,
  • scan all the images available on the registry,
  • schedule scans.

These different features are detailed in Harbor’s documentation on vulnerability scans.
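The following is an added example, not Cyberwatch's or Harbor's own code. It illustrates two points from this page: building the scanner endpoint registered in Harbor (the Cyberwatch root URL with /harbor appended, as in the "Adding Cyberwatch as a vulnerability scanner" section) and evaluating a vulnerability report against a deployment policy that blocks images whose findings exceed a chosen severity (the first feature listed above). The report layout (a top-level "severity" plus a "vulnerabilities" list with "id", "package", "version", "fix_version" and "severity" fields) and the severity ordering are assumptions about the Harbor report format; the sample report is constructed and its CVE ids are placeholders.

```python
"""Scanner endpoint construction and severity-policy evaluation for a
Harbor-style vulnerability report (added example; assumptions noted inline)."""
from __future__ import annotations

import json
from urllib.parse import urlsplit, urlunsplit

# Assumed Harbor severity scale, least to most critical.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


def scanner_endpoint(root_url: str) -> str:
    """Return the endpoint to register in Harbor: the Cyberwatch root URL + /harbor.

    Trailing slashes are normalised so the result always ends in exactly '/harbor'.
    """
    parts = urlsplit(root_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {root_url!r}")
    path = parts.path.rstrip("/") + "/harbor"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def severity_rank(name: str) -> int:
    """Position of a severity label on the scale; unknown labels rank lowest."""
    try:
        return SEVERITY_ORDER.index(name)
    except ValueError:
        return 0


def evaluate_policy(report: dict, max_allowed: str, require_fix: bool = False) -> dict:
    """Decide whether an image may be deployed under a severity policy.

    max_allowed: highest severity still tolerated ("Medium" blocks High and Critical).
    require_fix: when True, only findings with a fix_version count as blocking,
                 mirroring a policy that tolerates findings no update can remove.
    Returns the verdict and the findings that caused a block, most severe first.
    """
    threshold = severity_rank(max_allowed)
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        if severity_rank(vuln.get("severity", "Unknown")) <= threshold:
            continue
        if require_fix and not vuln.get("fix_version"):
            continue
        blocking.append({"id": vuln["id"], "package": vuln["package"],
                         "severity": vuln["severity"]})
    blocking.sort(key=lambda v: (-severity_rank(v["severity"]), v["id"]))
    return {"allowed": not blocking, "blocking": blocking}


# Constructed sample report; the ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""
{
  "severity": "Critical",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "package": "libexample", "version": "1.0",
     "fix_version": "1.1", "severity": "Critical"},
    {"id": "CVE-0000-0002", "package": "toolx", "version": "2.3",
     "fix_version": "", "severity": "High"},
    {"id": "CVE-0000-0003", "package": "libexample", "version": "1.0",
     "fix_version": "1.1", "severity": "Medium"},
    {"id": "CVE-0000-0004", "package": "util", "version": "0.9",
     "fix_version": "", "severity": "Low"}
  ]
}
""")

if __name__ == "__main__":
    print(scanner_endpoint("https://cyberwatch.example/"))
    print(json.dumps(evaluate_policy(SAMPLE_REPORT, "Medium"), indent=2))
    print(json.dumps(evaluate_policy(SAMPLE_REPORT, "Medium", require_fix=True), indent=2))
```

With the sample report, a "Medium" threshold blocks the image on the Critical and High findings; with `require_fix=True` the High finding without a fix version is tolerated and only the Critical one blocks. The same logic can be applied to the detailed report Harbor shows per image version to check what a given policy would do before enabling it on a project.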