harbor/docs/harbor-doc-reorg/administration/vulnerability_scanning/_index.md

Vulnerability Scanning with Clair

CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.

Static analysis of vulnerabilities is provided through open source project Clair. You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday.

• Scan an Individual Image
• Scan All Images
• Schedule Scans

Vulnerability metadata

Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view.

The 'database not fully ready' warning message is also displayed in the 'Vulnerability' tab of 'Configuration' section under 'Administration' for your awareness.

Once the database is ready, an overall database updated timestamp will be shown in the 'Vulnerability' tab of 'Configuration' section under 'Administration'.

If your Harbor instance is not connected to the external internet, you must manually update the vulnerability metadata. For information about how to update Clair manually, see Import Vulnerability Data to an Offline Harbor instance.