Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-09-14 06:58:16 +02:00
Code Issues Projects Releases Wiki Activity
7d642c3d60
harbor/docs/harbor-doc-reorg/administration/vulnerability_scanning_clair.md
Stuart Clements 6645d02a45 More doc reorg
2019-10-17 16:59:01 +02:00

5.1 KiB
Raw Blame History

Vulnerability Scanning with Clair

CAUTION: Clair is an optional component, please make sure you have already installed it in your Harbor instance before you go through this section.

Static analysis of vulnerabilities is provided through open source project Clair. You can initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to scan all the images at a specified time everyday.

Vulnerability metadata

Clair depends on the vulnerability metadata to complete the analysis process. After the first initial installation, Clair will automatically start to update the metadata database from different vulnerability repositories. The updating process may take a while based on the data size and network connection. If the database has not been fully populated, there is a warning message at the footer of the repository datagrid view. browse project

The 'database not fully ready' warning message is also displayed in the 'Vulnerability' tab of 'Configuration' section under 'Administration' for your awareness. browse project

Once the database is ready, an overall database updated timestamp will be shown in the 'Vulnerability' tab of 'Configuration' section under 'Administration'. browse project

Scanning an image

Enter your project, select the repository. For each tag there will be an 'Vulnerability' column to display vulnerability scanning status and related information. You can select the image and click the "SCAN" button to trigger the vulnerability scan process. browse project NOTES: Only the users with 'Project Admin' role have the privilege to launch the analysis process.

The analysis process may have the following status that are indicated in the 'Vulnerability' column:

  • Not Scanned: The tag has never been scanned.
  • Queued: The scanning task is scheduled but not executed yet.
  • Scanning: The scanning process is in progress.
  • Error: The scanning process failed to complete.
  • Complete: The scanning process was successfully completed.

For the 'Not Scanned' and 'Queued' statuses, a text label with status information is shown. For the 'Scanning', a progress bar will be displayed. If an error occurred, you can click on the 'View Log' link to view the related logs. browse project

If the process was successfully completed, a result bar is created. The width of the different colored sections indicates the percentage of features with vulnerabilities for a particular severity level.

  • Red: High level of vulnerabilities
  • Orange: Medium level of vulnerabilities
  • Yellow: Low level of vulnerabilities
  • Grey: Unknown level of vulnerabilities
  • Green: No vulnerabilities browse project

Move the cursor over the bar, a tooltip with summary report will be displayed. Besides showing the total number of features with vulnerabilities and the total number of features in the scanned image tag, the report also lists the counts of features with vulnerabilities of different severity levels. The completion time of the last analysis process is shown at the bottom of the tooltip. browse project

Click on the tag name link, the detail page will be opened. Besides the information about the tag, all the vulnerabilities found in the last analysis process will be listed with the related information. You can order or filter the list by columns. browse project

NOTES: You can initiate the vulnerability analysis for a tag at anytime you want as long as the status is not 'Queued' or 'Scanning'.

Scanning all images

In the 'Vulnerability' tab of 'Configuration' section under 'Administration', click on the 'SCAN NOW' button to start the analysis process for all the existing images.

NOTES: The scanning process is executed via multiple concurrent asynchronous tasks. There is no guarantee on the order of scanning or the returned results. browse project

To avoid frequently triggering the resource intensive scanning process, the availability of the button is restricted. It can be only triggered once in a predefined period. The next available time will be displayed besides the button. browse project

Scheduled Scan by Policy

You can set policies to control the vulnerability analysis process. Currently, two options are available:

  • None: No policy is selected.
  • Daily: Policy is activated daily. It means an analysis job is scheduled to be executed at the specified time everyday. The scheduled job will scan all the images in Harbor. browse project

NOTES: Once the scheduled job is executed, the completion time of scanning all images will be updated accordingly. Please be aware that the completion time of the images may be different because the execution of analysis for each image may be carried out at different time.