Scan Docker images on a Harbor registry

Harbor defines a Scanner Adapter REST API that a vulnerability scanner can implement. The registry then connects to such a scanner to have its Docker images analyzed. In particular, this lets you see the vulnerabilities detected on each image directly in the Harbor interface and define a security policy for deploying images.

Cyberwatch implements this API and can therefore be used to scan the images of a Harbor registry. This page explains how to configure and use the feature.

Prerequisites

In order to be able to use this feature, you must have previously configured a Docker engine in Cyberwatch. The procedure is explained here.

Configuring Harbor scanner

To allow your Harbor registry to connect to Cyberwatch, configure the Harbor scanner:

  1. Click on Admin
  2. Click on External tools
  3. Click on Harbor scanner
  4. Click on Add
  5. Choose the source and the Docker engine that will be used to scan the Docker images
  6. Save

You are shown the settings needed to add Cyberwatch as a vulnerability scanner in Harbor. Save them now: they cannot be retrieved later.

You can create several credentials and thus define several scanners in Harbor, then choose which scanner each project uses. This lets you distribute Docker image scans across the nodes of a multi-node instance, or run several scans concurrently on a single node.

Associating a registry with the Harbor scanner via the Credentials field makes Cyberwatch use that registry's credentials for image scan requests; the Docker images created this way can then be scanned again from the Cyberwatch interface. By default, Cyberwatch uses the ephemeral credentials that Harbor provides with each scan request. Note that these credentials expire after the initial analysis, so they cannot be used to rescan the image later.

You can also adjust the delay between two Harbor API requests, i.e. the interval between consecutive API requests while Cyberwatch builds the vulnerability report of a Docker image.

Too small a value can overload the Harbor API; too large a value needlessly lengthens the time needed to scan an image. The default is 30 seconds.
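The paragraphs above describe the two things that travel between Harbor and a scanner adapter: a short-lived registry credential that Harbor hands over with each scan request, and a polling loop that fetches the report once it is ready. The following added example (not Cyberwatch's code and not Harbor's) shows that exchange with both sides in one process: a toy adapter implementing the three endpoints of Harbor's pluggable scanner specification (metadata, scan, report), and the Harbor-side logic that submits the scan with the ephemeral credential and then polls the report URL, waiting the larger of its own minimum interval and the adapter's Refresh-After header. The endpoint paths, MIME types and 202/302 flow are those of the Harbor specification; the adapter name, the artifact, the finding and the credential are constructed placeholders, and the minimum interval here is the poller's, not the Cyberwatch setting described above.

```python
"""Harbor Scanner Adapter exchange: Harbor-side submit + poll against a toy adapter."""
import base64
import time

SCAN_REQUEST_MIME = "application/vnd.scanner.adapter.scan.request+json; version=1.0"
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"
MANIFEST_MIME = "application/vnd.docker.distribution.manifest.v2+json"


class ToyAdapter:
    """Constructed stand-in for a scanner adapter (not Cyberwatch's). Handles the
    three spec endpoints in-process; each call returns (status, headers, json_body)."""

    def __init__(self, polls_until_ready=3):
        self.polls_until_ready = polls_until_ready
        self.scans = {}  # scan id -> {"request": <ScanRequest>, "polls": <count>}

    def handle(self, method, path, headers, body=None):
        if (method, path) == ("GET", "/api/v1/metadata"):
            return 200, {}, {"scanner": {"name": "toy-adapter", "vendor": "example", "version": "0.1"},
                             "capabilities": [{"consumes_mime_types": [MANIFEST_MIME],
                                               "produces_mime_types": [REPORT_MIME]}]}
        if (method, path) == ("POST", "/api/v1/scan"):
            if headers.get("Content-Type") != SCAN_REQUEST_MIME:
                return 415, {}, None  # spec: scan request must carry the versioned MIME type
            scan_id = f"scan-{len(self.scans) + 1}"
            self.scans[scan_id] = {"request": body, "polls": 0}
            return 202, {}, {"id": scan_id}  # 202 Accepted: scanning is asynchronous
        parts = path.split("/")  # "/api/v1/scan/<id>/report"
        if method == "GET" and len(parts) == 6 and parts[1:4] == ["api", "v1", "scan"] and parts[5] == "report":
            scan = self.scans.get(parts[4])
            if scan is None:
                return 404, {}, None
            scan["polls"] += 1
            if scan["polls"] < self.polls_until_ready:
                # Not ready yet: 302 back to the same URL with a retry hint in seconds.
                return 302, {"Location": path, "Refresh-After": "15"}, None
            art = scan["request"]["artifact"]
            return 200, {}, {"artifact": art, "scanner": {"name": "toy-adapter"}, "severity": "High",
                             "vulnerabilities": [{"id": "EXAMPLE-0001",  # constructed finding
                                                  "package": "examplelib", "version": "1.0.0",
                                                  "fix_version": "1.0.1", "severity": "High"}]}
        return 404, {}, None


def harbor_scan(adapter, registry_url, robot_auth, artifact,
                min_interval=30, max_polls=10, sleep=time.sleep):
    """Harbor-side logic for one artifact: submit the scan request, then poll the
    report URL, sleeping max(min_interval, Refresh-After) seconds between polls.
    Returns (report, number_of_polls, list_of_delays)."""
    # `robot_auth` is the per-scan, short-lived credential Harbor issues so the
    # adapter can pull the image; it is not meant to be stored for later rescans.
    req = {"registry": {"url": registry_url, "authorization": robot_auth}, "artifact": artifact}
    status, _, resp = adapter.handle("POST", "/api/v1/scan", {"Content-Type": SCAN_REQUEST_MIME}, req)
    if status != 202:
        raise RuntimeError(f"scan request rejected: HTTP {status}")
    path = f"/api/v1/scan/{resp['id']}/report"
    delays = []
    for poll in range(1, max_polls + 1):
        status, hdrs, report = adapter.handle("GET", path, {"Accept": REPORT_MIME})
        if status == 200:
            return report, poll, delays
        if status != 302:
            raise RuntimeError(f"report fetch failed: HTTP {status}")
        delay = max(min_interval, int(hdrs.get("Refresh-After", min_interval)))
        delays.append(delay)
        sleep(delay)
    raise TimeoutError(f"no report after {max_polls} polls")


def demo():
    """Run the exchange offline (no real sleeping; delays are only recorded)."""
    adapter = ToyAdapter(polls_until_ready=3)
    artifact = {"repository": "library/example", "digest": "sha256:" + "0" * 64,  # placeholder
                "tag": "1.0", "mime_type": MANIFEST_MIME}
    robot_auth = "Basic " + base64.b64encode(b"robot$scanner:ephemeral-token").decode()  # placeholder
    return harbor_scan(adapter, "https://harbor.example.com", robot_auth, artifact, sleep=lambda s: None)


if __name__ == "__main__":
    report, polls, delays = demo()
    print(f"report after {polls} polls (waited {delays}):", report["severity"], report["vulnerabilities"])
```

The poller clamps every wait to its own minimum, so a misbehaving adapter cannot make Harbor hammer it with a tiny Refresh-After, and it gives up after `max_polls` rather than spinning forever on an adapter that never finishes.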

Adding Cyberwatch as a vulnerability scanner

You can now add Cyberwatch as a vulnerability scanner for your Harbor registry:

  1. Log in to your Harbor registry with an account with Admin rights.
  2. In Administration, click on Interrogation Services.
  3. Click on the New scanner button.
  4. Fill in the required information using the data generated in the previous step.
  5. Test your information by clicking on the Test Connection button.
  6. If everything is OK, click on the Add button.

Cyberwatch is now added as an image scanner and is ready to use.

For additional explanations, you can refer to the official documentation.

Scanning a Docker image

To scan a Docker image from your Harbor interface:

  1. Go to the registry project where the image is located.
  2. Click on the image.
  3. In the left column, tick the versions (tags) of this image that you want to scan.
  4. Click on the Scan button.
  5. When the scan is complete, a brief report appears in the Vulnerabilities column.
  6. For a more detailed version, click on the analyzed version and scroll down the page to find the table of vulnerabilities.

For more details, refer to the Harbor documentation.

When an image is scanned, if it does not already exist in Cyberwatch, it is created; it then appears in the list of Docker images, together with the full analysis performed by Cyberwatch.

Workflow for a Harbor registry

To make it easier to track Docker images in a Harbor registry, we suggest the following workflow.

In the Cyberwatch interface:

  1. Configure the Harbor registry.
  2. Create a Harbor registry discovery. In the settings, select the option Delete only assets unlinked from all discoveries or Delete all assets unlinked from this discovery for the Delete unlinked assets field and a launch period appropriate to the use case.
  3. Configure Harbor Scanner by associating the Harbor registry created previously.

In the Harbor interface:

  1. Add Cyberwatch as a vulnerability scanner with the data you just generated during Harbor scanner configuration.
  2. Run a scan of the Docker images: in Administration > Interrogation Services > Vulnerability, click on the Scan now button.
  3. Check the Automatically scan images on push option in the Configuration tab of each project in the registry.

Once these steps are complete, the existing Docker images in the registry have been scanned and new images will be scanned automatically on push. The Harbor registry discovery keeps the registry's Docker images up to date in Cyberwatch.
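The Harbor-side steps above (and the "Adding Cyberwatch as a vulnerability scanner" procedure) can also be scripted against Harbor's REST API, which is useful when you manage many projects or rebuild registries from code. The following is an added example, not Cyberwatch's or Harbor's own code: it tests the adapter connection, creates the scanner registration, makes it the scanner of each listed project, enables "Automatically scan images on push" and triggers a scan of all images. The endpoints used are Harbor's documented v2.0 API (`/scanners/ping`, `/scanners`, `/projects/{name}/scanner`, `/projects/{name}`, `/system/scanAll/schedule`); the Harbor URL, admin credentials, adapter URL, authorization type and credential are placeholders to replace with the values generated by the Cyberwatch Harbor scanner configuration, and the `FakeHarbor` class is a constructed offline stand-in so the script runs without a server.

```python
"""Register a scanner adapter in Harbor and wire it into projects via the Harbor REST API."""
import base64
import json
import urllib.request
from urllib.error import HTTPError


def urllib_transport(method, url, headers, body):
    """Real HTTP transport (stdlib only). Returns (status, headers, raw_body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FakeHarbor:
    """Constructed offline stand-in for a Harbor server: records every call and
    answers with the status codes Harbor's API documents for these endpoints."""

    def __init__(self):
        self.calls = []
        self.scanners = []

    def __call__(self, method, url, headers, body):
        path = url.split("/api/v2.0", 1)[1]
        payload = json.loads(body) if body else None
        self.calls.append((method, path, payload))
        if (method, path) == ("POST", "/scanners/ping"):
            return 200, {}, b""
        if (method, path) == ("POST", "/scanners"):
            self.scanners.append({**payload, "uuid": f"uuid-{len(self.scanners) + 1}"})
            return 201, {}, b""
        if (method, path) == ("GET", "/scanners"):
            return 200, {}, json.dumps(self.scanners).encode()
        if (method, path) == ("POST", "/system/scanAll/schedule"):
            return 201, {}, b""
        if method == "PUT":
            return 200, {}, b""
        return 404, {}, b'{"errors":[{"code":"NOT_FOUND","message":"not found"}]}'


class HarborClient:
    def __init__(self, base_url, username, password, transport=urllib_transport):
        self.api = base_url.rstrip("/") + "/api/v2.0"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        # Harbor's API accepts HTTP Basic authentication; use an admin account here.
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json", "Accept": "application/json"}
        self.transport = transport

    def _call(self, method, path, body=None, expect=(200,)):
        data = json.dumps(body).encode() if body is not None else None
        status, headers, raw = self.transport(method, self.api + path, self.headers, data)
        if status not in expect:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else None

    def scanner_uuid(self, name):
        """UUID of the scanner registration called `name`, or None if absent."""
        for reg in self._call("GET", "/scanners") or []:
            if reg.get("name") == name:
                return reg["uuid"]
        return None

    def register_scanner(self, reg):
        """Same as the UI's Test Connection, then Add: ping first, create only if it passes."""
        self._call("POST", "/scanners/ping", reg)          # 200 = adapter reachable, auth accepted
        self._call("POST", "/scanners", reg, expect=(201,))
        return self.scanner_uuid(reg["name"])

    def set_project_scanner(self, project, uuid):
        self._call("PUT", f"/projects/{project}/scanner", {"uuid": uuid})

    def enable_auto_scan(self, project):
        # Project metadata values are strings in Harbor's API ("true", not true).
        self._call("PUT", f"/projects/{project}", {"metadata": {"auto_scan": "true"}})

    def scan_all_now(self):
        self._call("POST", "/system/scanAll/schedule", {"schedule": {"type": "Manual"}}, expect=(201,))


def scanner_registration(name, adapter_url, auth, credential):
    """Body of a Harbor scanner registration. `auth` is one of the types Harbor
    supports ("Basic", "Bearer", "X-ScannerAdapter-API-Key"); URL, type and
    credential come from the Cyberwatch Harbor scanner configuration page."""
    return {"name": name, "url": adapter_url, "auth": auth, "access_credential": credential,
            "skip_certVerify": False,   # keep TLS verification of the adapter endpoint on
            "use_internal_addr": False, "disabled": False}


def setup_scanner(client, reg, projects):
    """Idempotent version of the Harbor-side workflow: reuse an existing registration."""
    uuid = client.scanner_uuid(reg["name"]) or client.register_scanner(reg)
    for project in projects:
        client.set_project_scanner(project, uuid)
        client.enable_auto_scan(project)   # "Automatically scan images on push"
    client.scan_all_now()                  # Interrogation Services > Vulnerability > Scan now
    return uuid


def demo():
    """Run the workflow against the fake server; returns (uuid, recorded calls)."""
    fake = FakeHarbor()
    client = HarborClient("https://harbor.example.com", "admin", "admin-password", transport=fake)
    reg = scanner_registration("Cyberwatch", "https://cyberwatch.example.com/harbor_scanner",
                               "Bearer", "example-token")   # placeholder values
    return setup_scanner(client, reg, ["library", "payments"]), fake.calls


if __name__ == "__main__":
    uuid, calls = demo()
    print("scanner registration:", uuid)
    for method, path, _ in calls:
        print(method, path)
```

To run it against a real registry, build the `HarborClient` without the `transport` argument (the stdlib transport is then used) and keep `skip_certVerify` at `False`: the adapter endpoint receives Harbor's short-lived registry credentials, so its certificate is worth checking.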

For further information

Harbor allows you to:

  • set up a security policy by preventing, for example, the deployment of images with vulnerabilities exceeding a certain criticality,
  • scan all the images available on the registry,
  • schedule scans.

These different features are detailed in Harbor’s documentation on vulnerability scans.