Harbor Pluggable Scanner Module

Scanning Harbor Registries Using the Pluggable Scanner

SUSE® Security supports invoking the SUSE® Security scanner from Harbor registries through the pluggable scanner interface. This requires configuring the connection to the controller (exposed API). The Harbor adapter calls the controller endpoint to trigger a scan, and scans can run automatically on push. Interrogation Services can be used for periodic scans. Scan results from Federation Primary controllers ARE propagated to remote clusters.

There is a known issue with the HTTPS-based adapter endpoint: Test Connection shows an error, but the connection does work. Please ignore the Test Connection error (skip certificate validation).

Deploying the SUSE® Security Registry Adapter

The 5.2 Helm chart contains options to deploy the registry adapter for Harbor. The adapter can also be pulled manually from the neuvector/registry-adapter repo on Docker Hub. The options also include setting the Harbor registry request protocol and the basic authentication secret name.

After the adapter is deployed, it must be configured in Harbor.

The adapter endpoint must be entered in Harbor. The adapter connects to the controller, which is typically exposed externally as a service so that the adapter can reach it. In addition, authentication credentials for a valid SUSE® Security user must be entered.

Scanning Images from a Harbor Registry

After successful deployment and connection to a controller, an image scan can be manually or automatically triggered from Harbor.

Periodic (scheduled) scans can be configured through Interrogation Services in Harbor to make sure the latest CVE database is used to rescan images in registries.

Scan results can be viewed directly in Harbor.

Sample Deployment YAML

Samples for Kubernetes and OpenShift