Harbor Container Registry
Harbor is an open-source, cloud-native registry that helps manage and secure container images. It integrates seamlessly with Anchore for vulnerability scanning and management.
For information on deploying Harbor, see the Harbor Project.
Integrating Harbor
The Harbor Scanner Adapter for Anchore can be used to integrate Harbor with Anchore Enterprise. The adapter acts as a gateway between Harbor and your Anchore Enterprise deployment, so that scan jobs can be scheduled through Harbor.
The adapter's configuration can be customized using environment variables defined in harbor-adapter-anchore.yaml.
You can edit this file to adjust the environment variables as needed to fit your deployment. You must configure how the adapter connects to Anchore. The following variables are required:
ANCHORE_ENDPOINT
ANCHORE_USERNAME
ANCHORE_PASSWORD
For full configuration options, see here
Once you have edited the value file, use the updated file to deploy the Harbor Scanner Adapter by executing:
kubectl apply -f harbor-adapter-anchore.yaml
Once the adapter has been configured as shown above, you will need to add Anchore as the scanner for Harbor. Details can be found here.
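A pre-flight check that can be run before kubectl apply, confirming that the three compulsory variables are present and non-empty in the manifest. This is an added example, not part of the adapter project. It assumes the env entries use the standard Kubernetes form ("- name:" followed by "value:" or "valueFrom:"); the function names and the sample manifest values are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes env entries in the standard Kubernetes form:
# "- name: X" followed by "value:" or "valueFrom:".

# Prints "<VARIABLE> <status>" per compulsory variable; status is one of
# missing | empty | inline | ref (ref = valueFrom, e.g. a Secret).
adapter_env_status() {
    awk '
        BEGIN { split("ANCHORE_ENDPOINT ANCHORE_USERNAME ANCHORE_PASSWORD", req, " ") }
        /^[ \t]*-[ \t]*name:/ {
            cur = $0
            sub(/^[ \t]*-[ \t]*name:[ \t]*/, "", cur)
            gsub(/[" \t\r]/, "", cur)
            st[cur] = "empty"
        }
        /^[ \t]*value:/ && cur != "" {
            v = $0
            sub(/^[ \t]*value:[ \t]*/, "", v)
            gsub(/[" \t\r]/, "", v)
            st[cur] = (v == "" ? "empty" : "inline"); cur = ""
        }
        /^[ \t]*valueFrom:/ && cur != "" { st[cur] = "ref"; cur = "" }
        END { for (i = 1; i <= 3; i++) print req[i], ((req[i] in st) ? st[req[i]] : "missing") }
    ' "$1"
}

# Returns 0 only when all three variables are set; notes an inline password.
check_adapter_env() {
    report=$(adapter_env_status "$1") || return 2
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^ANCHORE_PASSWORD inline$'; then
        echo "note: ANCHORE_PASSWORD is inline; a Secret via valueFrom keeps it out of the manifest" >&2
    fi
    ! printf '%s\n' "$report" | grep -Eq ' (missing|empty)$'
}

# Constructed sample manifest fragment (values are placeholders).
write_sample_manifest() {
    cat > "$1" <<'EOF'
containers:
  - name: adapter
    env:
      - name: ANCHORE_ENDPOINT
        value: "https://anchore.example.internal"
      - name: ANCHORE_USERNAME
        value: "harbor-scanner"
      - name: ANCHORE_PASSWORD
        valueFrom:
          secretKeyRef: {name: anchore-creds, key: password}
EOF
}
m=$(mktemp) && write_sample_manifest "$m" && check_adapter_env "$m"; rm -f "$m"
```

Against a real deployment, call check_adapter_env harbor-adapter-anchore.yaml and run kubectl apply only when it returns 0.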
Image Tagging and Pushing to Harbor
Once Harbor and Anchore Enterprise are connected, you’re ready to add your first image to the Harbor registry and perform a vulnerability analysis. Follow these steps:
Log in to Harbor using the Docker CLI
On your host machine, log in to Harbor using the Docker CLI:
docker login -u <user_name> core.harbor.domain
Replace <user_name> with your Harbor username. Enter the password when prompted.
If your credentials and certificates are correct, you’ll see a “Login Succeeded” message.
Tag Your Image
Tag the image you want to push to Harbor with the appropriate format:
docker tag <IMAGE:TAG> core.harbor.domain/library/<IMAGE:TAG>
Replace <IMAGE:TAG> with the name and tag of your image (e.g. redis:4).
The library part refers to the project in Harbor. Adjust it if your image belongs to a different project.
Push Your Image to Harbor
Push the tagged image to your Harbor registry:
docker push core.harbor.domain/library/<IMAGE:TAG>
You can now see the pushed image in the Harbor UI by navigating to the project under the project menu.
Initiate a Vulnerability Scan
To scan your image for vulnerabilities, select the image from the repository list and click SCAN VULNERABILITY under the Actions menu.
During integration you will have configured Anchore Enterprise as your default scanner. This means vulnerability scan requests will be sent to your Anchore Enterprise deployment. Once the scan is complete, the results will appear in both Harbor and the Anchore Enterprise UI. You can view details about the vulnerabilities, including severity and remediation options.
Note
By default, generating an SBOM is disabled in Harbor. You can enable it for individual projects by navigating to project->project_name->Configuration.
Scheduling a Vulnerability Scan
Harbor allows you to schedule automated vulnerability scans on your container images. These scans can be performed using the configured scanner (Anchore Enterprise) and will help identify vulnerabilities within the images.
Navigate to Interrogation Services. Under the Vulnerability tab you will see options for scheduling scans (hourly, daily, weekly or custom). You can also initiate a scan of all your images immediately by clicking the SCAN NOW button.
Information about scan progress is shown on this page.
Last modified December 17, 2024