Trivy Security Scanner
Harbor provides static analysis of vulnerabilities in images through the open source project Trivy (Aqua Security).
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified.
Severity levels
| Severity | Meaning |
| --- | --- |
| CRITICAL | At least one critical vulnerability found |
| HIGH | At least one high level vulnerability found |
| MEDIUM | At least one medium level vulnerability found |
| LOW | At least one low level vulnerability found |
| NEGLIGIBLE | No vulnerabilities found |
| UNKNOWN | Unknown vulnerabilities |
Scan individual artifacts
- Log in to Harbor with an account that has at least project admin privileges.
- Go to Projects, select a project, and then click the Scanner tab.
- The Scanner tab shows Trivy details:
- To see the vulnerabilities detected in repository artifacts, click the Repositories tab and then click on a repository. For each artifact in the repository, the Vulnerabilities column displays the vulnerability scanning status and related information.
- To run a vulnerability scan, select the artifacts to scan and then click the Scan button. You can optionally select the checkbox at the top to select all artifacts in the repository.
- To see a summary of the vulnerability report, hover over the number of fixable vulnerabilities.
- To see a detailed vulnerability report, click on the artifact digest. In addition to information about the artifact, all of the vulnerabilities found in the last scan are listed. You can sort or filter the list by the different columns. You can also click Scan in the report page to run a scan on this artifact.
Scan on push
Harbor can scan images automatically as soon as they have been pushed. Since DevOps Portal 1.7.0 this is enabled automatically at project level.
- Log in to Harbor with an account that has at least project admin privileges.
- Go to your project repository and select the tab ... > Configuration.
- The "Automatically scan images on push" checkbox has already been set by the DevOps Portal, as shown in the screenshot below.
CVE allowlist
You can create allowlists of CVEs to ignore them during vulnerability scanning.
- Log in to Harbor with an account that has at least project admin privileges.
- Go to your project repository and select the tab ... > Configuration.
- The "CVE allowlist" and its expiration date are configured by adding specific CVE IDs:
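To make the severity table above and the allowlist behaviour concrete, here is an added Python model (not Harbor or Trivy code) of how an artifact's overall severity follows from its findings, how the fixable count is derived, and how an allowlisted CVE stops being ignored once the allowlist's expiration date has passed. The findings, CVE IDs and dates are constructed for illustration; the ranking of UNKNOWN below LOW is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity ranking, highest first, following the page's severity table.
# NEGLIGIBLE is the table's label for "no vulnerabilities found" and is
# reported when nothing remains after the allowlist is applied.
# Placing UNKNOWN below LOW is an assumption of this model.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


@dataclass(frozen=True)
class Finding:
    cve_id: str
    package: str
    severity: str
    fixed_version: Optional[str] = None  # None: no fixed version published yet


@dataclass(frozen=True)
class CveAllowlist:
    cve_ids: frozenset
    expires_at: Optional[date] = None  # None: the allowlist never expires

    def is_active(self, today: date) -> bool:
        return self.expires_at is None or today <= self.expires_at

    def ignores(self, finding: Finding, today: date) -> bool:
        # An expired allowlist suppresses nothing, so the CVEs reappear.
        return self.is_active(today) and finding.cve_id in self.cve_ids


def summarize(findings, allowlist: CveAllowlist, today: date):
    """Return (overall_severity, fixable_count, reported_findings)."""
    reported = [f for f in findings if not allowlist.ignores(f, today)]
    if not reported:
        return "NEGLIGIBLE", 0, reported
    worst = min(reported, key=lambda f: SEVERITY_ORDER.index(f.severity))
    fixable = sum(1 for f in reported if f.fixed_version is not None)
    return worst.severity, fixable, reported


# Constructed sample findings and allowlist (placeholder CVE IDs, not real ones).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "openssl", "CRITICAL", "3.0.8"),
    Finding("CVE-0000-0002", "curl", "HIGH", None),
    Finding("CVE-0000-0003", "zlib", "LOW", "1.2.13"),
]
SAMPLE_ALLOWLIST = CveAllowlist(frozenset({"CVE-0000-0001"}), date(2024, 6, 30))

if __name__ == "__main__":
    for day in (date(2024, 6, 1), date(2024, 7, 1)):
        sev, fixable, _ = summarize(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST, day)
        print(f"{day}: overall {sev}, {fixable} fixable")
```

Before the expiry date the critical finding is hidden and the artifact reports HIGH; after it, the same artifact reports CRITICAL again, which is why an allowlist needs an expiration date rather than a permanent exception.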
Additional information
Further documentation about vulnerability scanning can be found at https://goharbor.io/docs/2.7.0/administration/vulnerability-scanning