doc(default scanners):how to determine the system default scanner

Signed-off-by: Steven Zou <szou@vmware.com>
This commit is contained in:
Steven Zou 2020-05-11 10:24:38 +08:00
parent a8cfb40cc2
commit 0c96111f82

View File

@ -3,13 +3,27 @@ title: Vulnerability Scanning
weight: 35
---
Harbor provides static analysis of vulnerabilities in images through the open source [Clair](https://github.com/coreos/clair) project.
Harbor provides static analysis of vulnerabilities in images through the open source projects [Trivy](https://github.com/aquasecurity/trivy) and [Clair](https://github.com/coreos/clair). To be able to use Trivy, Clair or both you must have enabled Trivy, Clair or both when you installed your Harbor instance (by appending installation options `--with-trivy`, `--with-clair` or both).
{{< important >}}
Clair is an optional component. To be able to use Clair you must have enabled Clair when you installed your Harbor instance.
Currently, Harbor supports only one system default scanner. The following principles will be applied to determine the system default scanner among the default installed scanners.
For a brand new installation:
If no scanner is installed, no system default scanner will be set then;
If only one scanner (either Trivy or Clair) is installed, the installed one will become the system default scanner automatically;
If both Trivy and Clair are installed, Trivy will be the system default scanner then.
For upgrades:
If the upgrading path is from the version that is >=V1.10 to current version (V2.0) and there was an existing system default scanner “ABC” is set in the previous version, that scanner "ABC" will be kept as system default scanner;
Otherwise, Harbor will do the similar operation to the above brand new installation case.
{{< /important >}}
You can also connect Harbor to your own instance of Clair or to additional vulnerability scanners by using an interrogation service. You configure additional scanners in the Harbor interface, after you have installed Harbor. For the list of additional scanners that are currently supported, see the [Harbor Compatibility List](../../install-config/harbor-compatibility-list.md#scanner-adapters).
You can also connect Harbor to your own instance of Trivy/Clair or to other additional vulnerability scanners through Harbor's embedded interrogation service. These scanners can be configured in the Harbor UI at any time after installation. For the list of additional scanners that are currently supported, see the [Harbor Compatibility List](../../install-config/harbor-compatibility-list.md#scanner-adapters).
It might be necessary to connect Harbor to other scanners for corporate compliance reasons, or because your organization already uses a particular scanner. Different scanners also use different vulnerability databases, capture different CVE sets, and apply different severity thresholds. By connecting Harbor to more than one vulnerability scanner, you broaden the scope of your protection against vulnerabilities.