Scan Docker images on a Harbor registry
Harbor defines REST API Scanner Adapter HTTP API that can be implemented by a vulnerability scanner. The registry can then connect to such a vulnerability scanner to obtain a vulnerability report or a SBOM (Software Bill of Materials) file of its Docker images. In particular, this allows to display of the vulnerabilities detected on each image directly in the Harbor interface and the definition of a security policy for deploying images.
Cyberwatch implements this API and can therefore be used to scan images from a Harbor registry or generate the SBOM file of its images. We will see how to configure and use this feature.
Prerequisites
In order to be able to use this feature, you must have previously configured a Docker engine in Cyberwatch. The procedure is explained here.
Configuring Harbor scanner
In order to allow your Harbor registry to connect to Cyberwatch, you must configure the Harbor scanner:
- Click on Admin
- Click on External tools
- Click on Harbor scanner
- Click on Add
- Choose the source and the Docker engine that will be used to scan the Docker images
- Save
You get the settings needed to add Cyberwatch as a vulnerability scanner in Harbor. Remember to save them, they will no longer be accessible later.
It is possible to create several credentials and thus define several scanners in Harbor. This allows you to configure the scanner to use for each project. We can thus distribute Docker image scans between nodes in a multi-node instance or add concurrency on the same node.
Associating a registry with the Harbor scanner in the Credentials
field allows you to use its credentials during image scan requests, the Docker images created can be scanned again from the Cyberwatch interface. The default behavior is to use ephemeral credentials provided by Harbor. Please note that these credentials expire after the initial analysis.
It is also possible to adjust the delay between two Harbor API requests. This value corresponds at the interval between two API requests when creating the vulnerability report of a Docker image.
A value too small can cause API overload problems, whereas a value too big will unnecessarily extend the time needed to scan an image. The default is 30 seconds.
Adding Cyberwatch as a vulnerability scanner
You can now add Cyberwatch as a vulnerability scanner for your Harbor registry:
- Log in to your Harbor registry with an account with Admin rights.
- In Administration, click on
Interrogation Services
. - Click on the
New scanner
button. - Fill in the required information using the data generated in the previous step.
- Test your information by clicking on the
Test Connection
button. - If everything is OK, click on the
Add
button.
Cyberwatch is now added as an image scanner and is ready to use.
For additional explanations, you can refer to the official documentation.
Scanning a Docker image
To scan a Docker image from your Harbor interface:
- Go to the registry project where the image is located.
- Click on the image.
- Check, in the left column, the versions of this image you want to get the SBOM for.
- Click on the
Scan Vulnerabibilty
button. - When the scan is complete, a brief report appears in the Vulnerabilities column.
- For a more detailed version, click on the analyzed version and scroll down the page to find the table of vulnerabilities.
For more details, refer to the Harbor documentation.
When an image scan is performed or a SBOM file is generated, if the image does not already exist locally in Cyberwatch, it is created and can be found in the list of Docker images as well as the comprehensive analysis performed by Cyberwatch.
Generating a SBOM file
To scan a Docker image from your Harbor interface:
- Go to the registry project where the image is located.
- Click on the image.
- Check, in the left column, the versions of this image that you want to scan.
- Click on the
Generate SBOM
button. - When the SBOM is generated, a link appears in the SBOM column.
- Click on the link, at the bottom of the page in the SBOM tab you can download the file.
Workflow for a Harbor registry
To make it easier to track Docker images in a Harbor registry, we suggest the following workflow.
In the Cyberwatch interface:
- Configure the Harbor registry.
- Create a Harbor registry discovery. In the settings, select the option
Delete only assets unlinked from all discoveries
orDelete all assets unlinked from this discovery
for theDelete unlinked assets
field and a launch period appropriate to the use case. - Configure Harbor Scanner by associating the Harbor registry created previously.
In the Harbor interface:
- Add Cyberwatch as a vulnerability scanner with the data you just generated during Harbor scanner configuration.
- Run a scan of the Docker images: in
Administration > Interrogation Services > Vulnerability
, click on theScan now
button. - Check the
Automatically scan images on push
option in theConfiguration
tab of each project in the registry. - It is also possible to automate the generation of SBOMs by checking the
Automatically generate SBOM on push
option in theConfiguration
tab of each project in the registry.
Once you have completed these steps, the Docker images in the registry have been scanned and future new images will be scanned automatically. And the Harbor registry discovery allows to keep the Docker images of the registry up to date in Cyberwatch.
For further information
Harbor allows you to:
- set up a security policy by preventing, for example, the deployment of images with vulnerabilities exceeding a certain criticality,
- scan all the images available on the registry,
- schedule scans.
These different features are detailed in Harbor’s documentation on vulnerability scans.