mirror of
https://github.com/goharbor/harbor.git
synced 2024-12-28 11:37:42 +01:00
0c96111f82
Signed-off-by: Steven Zou <szou@vmware.com>
33 lines
2.4 KiB
Markdown
33 lines
2.4 KiB
Markdown
---
|
|
title: Vulnerability Scanning
|
|
weight: 35
|
|
---
|
|
|
|
Harbor provides static analysis of vulnerabilities in images through the open source projects [Trivy](https://github.com/aquasecurity/trivy) and [Clair](https://github.com/coreos/clair). To be able to use Trivy, Clair or both you must have enabled Trivy, Clair or both when you installed your Harbor instance (by appending installation options `--with-trivy`, `--with-clair` or both).
|
|
|
|
{{< important >}}
|
|
Currently, Harbor supports only one system default scanner. The following principles will be applied to determine the system default scanner among the default installed scanners.
|
|
|
|
For a brand new installation:
|
|
|
|
If no scanner is installed, no system default scanner will be set then;
|
|
|
|
If only one scanner (either Trivy or Clair) is installed, the installed one will become the system default scanner automatically;
|
|
|
|
If both Trivy and Clair are installed, Trivy will be the system default scanner then.
|
|
|
|
For upgrades:
|
|
|
|
If the upgrading path is from the version that is >=V1.10 to current version (V2.0) and there was an existing system default scanner “ABC” is set in the previous version, that scanner "ABC" will be kept as system default scanner;
|
|
|
|
Otherwise, Harbor will do the similar operation to the above brand new installation case.
|
|
{{< /important >}}
|
|
|
|
You can also connect Harbor to your own instance of Trivy/Clair or to other additional vulnerability scanners through Harbor's embedded interrogation service. These scanners can be configured in the Harbor UI at any time after installation. For the list of additional scanners that are currently supported, see the [Harbor Compatibility List](../../install-config/harbor-compatibility-list.md#scanner-adapters).
|
|
|
|
It might be necessary to connect Harbor to other scanners for corporate compliance reasons, or because your organization already uses a particular scanner. Different scanners also use different vulnerability databases, capture different CVE sets, and apply different severity thresholds. By connecting Harbor to more than one vulnerability scanner, you broaden the scope of your protection against vulnerabilities.
|
|
|
|
For information about installing Harbor with Clair, see the [Run the Installer Script](../../install-config/run-installer-script.md).
|
|
|
|
You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals.
|