search

goharbor / harbor-scanner-clair

Use Clair as a plug-in vulnerability scanner in the Harbor registry
https://goharbor.io/
Apache License 2.0
35 stars 26 forks source link

readme

GitHub release Build Status Coverage Status Go Report Card License

Harbor Scanner Adapter for Clair

The Harbor Scanner Adapter for Clair is a service that translates the Harbor scanning API into Clair API calls and allows Harbor to use Clair for providing vulnerability reports on images stored in Harbor registry as part of its vulnerability scan feature.

See Proposal: Pluggable Image Vulnerability Scanning for more details.

TOC

Configuration

Configuration of the adapter is done via environment variables at startup.

Name Default Value Description
SCANNER_LOG_LEVEL info The log level of trace, debug, info, warn, warning, error, fatal or panic. The standard logger logs entries with that level or anything above it.
SCANNER_API_SERVER_ADDR :8080 Binding address for the API HTTP server.
SCANNER_API_SERVER_TLS_CERTIFICATE The absolute path to the x509 certificate file.
SCANNER_API_SERVER_TLS_KEY The absolute path to the x509 private key file.
SCANNER_TLS_INSECURE_SKIP_VERIFY false Controls whether an HTTP client verifies the server's certificate chain and host name.
SCANNER_TLS_CLIENTCAS An array of absolute paths to x509 CA files that will be added to host's root CA set.
SCANNER_API_SERVER_READ_TIMEOUT 15s The maximum duration for reading the entire request, including the body.
SCANNER_API_SERVER_WRITE_TIMEOUT 15s The maximum duration before timing out writes of the response.
SCANNER_API_SERVER_IDLE_TIMEOUT 60s The maximum amount of time to wait for the next request when keep-alives are enabled.
SCANNER_CLAIR_URL http://harbor-harbor-clair:6060 Clair URL
SCANNER_CLAIR_DATABASE_URL The Clair database URL, it is used to fetch vulnerability database updated time of the Clair. Its format is postgresql://user:password@host/db?sslmode=disable
SCANNER_STORE_REDIS_URL redis://harbor-harbor-redis:6379 Redis server URI for a Redis store. The URI supports schemas to connect to a standalone Redis server, i.e. redis://user:password@standalone_host:port/db-number and Redis Sentinel deployment, i.e. redis+sentinel://user:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number.
SCANNER_STORE_REDIS_POOL_MAX_ACTIVE 5 The max number of connections allocated by the pool for a Redis store.
SCANNER_STORE_REDIS_POOL_MAX_IDLE 5 The max number of idle connections in the pool for a Redis store.
SCANNER_STORE_REDIS_POOL_IDLE_TIMEOUT 5m Close connections after remaining idle for this duration.
SCANNER_STORE_REDIS_POOL_CONNECTION_TIMEOUT 1s The timeout for connecting to the Redis server.
SCANNER_STORE_REDIS_POOL_READ_TIMEOUT 1s The timeout for reading a single Redis command reply.
SCANNER_STORE_REDIS_POOL_WRITE_TIMEOUT 1s The timeout for writing a single Redis command.
SCANNER_STORE_REDIS_NAMESPACE harbor.scanner.clair:store A namespace for keys in a redis store.
SCANNER_STORE_REDIS_SCAN_JOB_TTL 1h The time to live for persisting scan jobs and associated scan reports.

Deploy to minikube

  1. Configure Docker client with Docker Engine in minikube: 
    eval $(minikube docker-env -p harbor)
  2. Build Docker container: 
    make container
  3. Configure adapter to handle TLS traffic:
    1. Generate certificate and private key files: 
      $ openssl genrsa -out tls.key 2048
$ openssl req -new -x509 \
-key tls.key \
-out tls.crt \
-days 365 \
-subj /CN=harbor-scanner-clair
    2. Create a tls secret from the two generated files: 
      $ kubectl create secret tls harbor-scanner-clair-tls \
--cert=tls.crt \
--key=tls.key
  4. Create harbor-scanner-clair deployment and service: 
    kubectl apply -f kube/harbor-scanner-clair.yaml
  5. If everything is fine you should be able to get scanner's metadata: 
    kubectl port-forward service/harbor-scanner-clair 8443:8443 &> /dev/null &
curl -vk https://localhost:8443/api/v1/metadata | jq