By Henry Zhang, Chief Architect of R&D, VMware China
The popular open source Harbor registry recently released its latest version, 1.2, which introduces a new feature called Vulnerability Scanning. This feature allows users to scan the images stored in Harbor and report any vulnerability found in them. Vulnerabilities are classified into several severity levels: normal, low, medium and high. The administrator of Harbor can set a threshold (e.g. high) so that any image with a vulnerability at or above that level is blocked from being pulled. This ensures that images with known vulnerabilities cannot be deployed to a production or other environment.
Vulnerability scanning goes through all files of a container image and reports how many packages have known problems, along with the level of security risk each poses. This gives an administrator a straightforward summary of the risk inside an image.
Scanning is triggered when an image is pushed to a Harbor private registry. It can also be scheduled at a specified time (e.g. midnight) to reduce resource consumption during the peak hours of the day.
Harbor leverages the Clair project for this vulnerability scanning feature. Clair automatically checks a few CVE sources for updates; when an update to a CVE database is found, it downloads the data and uses it in the next scan.
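To make the threshold rule concrete, here is an added example (not Harbor's own code, and not its API) that takes a constructed per-image scan result, builds the per-severity summary the post describes, and decides whether a pull would be blocked for a given administrator threshold. The severity names follow this post; the function and sample names are assumptions of the example.

```python
from typing import Dict, List, Optional

# Severity levels in the order used in this post (least to most severe).
SEVERITY_ORDER = ["normal", "low", "medium", "high"]
RANK = {level: i for i, level in enumerate(SEVERITY_ORDER)}

# Constructed sample scan result for one image tag; package names and
# versions are made up for illustration, not real Harbor/Clair output.
SAMPLE_REPORT = [
    {"package": "openssl", "version": "1.0.1t-1", "severity": "high"},
    {"package": "bash", "version": "4.3-11", "severity": "medium"},
    {"package": "libc6", "version": "2.19-18", "severity": "low"},
    {"package": "zlib1g", "version": "1.2.8-5", "severity": "normal"},
    {"package": "curl", "version": "7.38.0-4", "severity": "medium"},
]


def summarize(report: List[Dict[str, str]]) -> Dict[str, int]:
    """Count affected packages per severity level, like the summary an admin sees."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for finding in report:
        severity = finding["severity"]
        if severity not in RANK:
            raise ValueError(f"unknown severity level: {severity!r}")
        counts[severity] += 1
    return counts


def highest_severity(report: List[Dict[str, str]]) -> Optional[str]:
    """Return the most severe level present, or None for a clean image."""
    if not report:
        return None
    return max((f["severity"] for f in report), key=RANK.__getitem__)


def is_pull_blocked(report: List[Dict[str, str]], threshold: str) -> bool:
    """Apply the admin threshold: block the pull if any finding is at or above it."""
    if threshold not in RANK:
        raise ValueError(f"unknown threshold: {threshold!r}")
    worst = highest_severity(report)
    return worst is not None and RANK[worst] >= RANK[threshold]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for level in SEVERITY_ORDER:
        print(f"threshold={level:<6} blocked={is_pull_blocked(SAMPLE_REPORT, level)}")
```

Because the rule is "at or above", a stricter threshold such as medium blocks this sample image just as high does, while a clean image is never blocked.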
Here is a demo of the vulnerability scanning feature.
If you are interested in this scanning feature, download the latest version of Harbor Registry and try it out. For more information about Project Harbor and what a container registry is, check out our blog post on the subject.