The popular open source Harbor registry has released a new version 1.2. In this version, it introduces a new feature called Vulnerability Scanning. It can scan through the images stored in Harbor and report any vulnerability found in images. The vulnerability has a few level of severity: normal, low, medium and high. The administrator of Harbor can set a threshold, e.g. High, so that any images with vulnerabilities equal to or above that level will be rejected from pulling. This ensure the images with vulnerability cannot be used in a production or other environment.
The scanning actually goes through all files of a container image and shows how many packages are found with problems and the level of security risk. This is quite straightforward for an administrator to understand the risk inside an image.
The scanning happens when an image has been pushed to a Harbor private registry. The scanning can also be scheduled at a specified time, e.g. at the mid night everyday, to reduce the resource consumption during the peak hours of a day.
Harbor leverages Clair project for this vulnerability scanning feature. It automatically checks for update from a few CVE sources. When an update in CVE database is found, it downloads the data and use it in the next scan.
Here is a demo of the vulnerability scanning feature.
If you are interested in this scanning feature, you can download the latest version of Harbor Registry and try it out.