goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Feature request: Vulnerability notifications #11622

Open SDBrett opened 4 years ago

SDBrett commented 4 years ago

It would be very helpful to receive Syslog messages when Clair detects a vulnerability within a container image.

Syslog notifications would help platform / security teams have visibility on container images which have known vulnerabilities.

E-mail / Webhook notifications would be helpful to raise awareness of detected vulnerabilities with application / project owners.

xaleeks commented 4 years ago

Vulnerability information is readily available to users in the UI whenever they perform an image scan. There is also a webhook (in the next release) to send a notification after an image scan is performed. So I'm not sure I see the need to further package CVE-related things into a syslog export. Can you check with the customer to see if the webhook is enough? @SDBrett

SDBrett commented 4 years ago

Can you please provide some more information about how the webhook will operate?

The UI option doesn't provide the capability for the client to forward information about vulnerabilities to their SIEM logging platform. That approach also assumes that people will be interacting with the UI regularly enough to detect a vulnerability within a reasonable time.

Ideally the client would like to have a notification sent to their project owner(s) and security team to ensure visibility.

xaleeks commented 4 years ago

The webhook notification from running a scan is instantaneous; he (the project owner) just needs to configure an action listener (permissioned by the security team).

https://goharbor.io/docs/1.10/working-with-projects/project-configuration/configure-webhooks/
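The "action listener" side of this, as an added example that is not part of the thread or of Harbor itself: the body of a scan-completed webhook POST is turned into RFC 5424 syslog lines that a SIEM can ingest, which bridges the webhook suggestion above to the syslog request at the top of the issue. The sample payload is constructed, and the field names and the `harbor@32473` SD-ID are assumptions to be checked against the webhook docs for the deployed Harbor version.

```python
import json
from datetime import datetime, timezone
from typing import List

# Constructed sample (not captured from a real Harbor instance). The field names mirror the
# shape of Harbor's SCANNING_COMPLETED webhook event as I understand it; verify them against
# the webhook docs for the Harbor version in use before relying on them.
SAMPLE_EVENT = json.dumps({
    "type": "SCANNING_COMPLETED", "occur_at": 1588000000, "operator": "auto",
    "event_data": {
        "repository": {"repo_full_name": "team-a/api", "namespace": "team-a", "name": "api"},
        "resources": [{
            "digest": "sha256:" + "0" * 64, "tag": "1.0.0",
            "resource_url": "harbor.example.test/team-a/api:1.0.0",
            "scan_overview": {"application/vnd.security.vulnerability.report; version=1.1": {
                "scan_status": "Success", "severity": "Critical",
                "summary": {"total": 14, "fixable": 9,
                            "summary": {"Critical": 2, "High": 5, "Medium": 7}}}}}]}})
OTHER_EVENT = json.dumps({"type": "PUSH_ARTIFACT", "event_data": {}})

# Harbor severity labels ordered for threshold comparison, and their syslog severity codes.
RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}
SYSLOG_SEV = {"Critical": 2, "High": 3, "Medium": 4}   # crit, err, warning; anything else: notice
FACILITY = 16                                            # local0

def scan_alerts(body: str, min_severity: str = "High") -> List[str]:
    """Convert one webhook POST body into RFC 5424 syslog lines, one per scanned
    artifact whose overall severity is at or above min_severity."""
    event = json.loads(body)
    if event.get("type") != "SCANNING_COMPLETED":
        return []                                   # ignore pushes, deletions, quota events, ...
    data = event["event_data"]
    repo = data["repository"]["repo_full_name"]
    ts = datetime.fromtimestamp(event["occur_at"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    for res in data.get("resources", []):
        # scan_overview is keyed by report MIME type; a newer report format just adds a key
        for report in res.get("scan_overview", {}).values():
            sev = report.get("severity", "Unknown")
            if report.get("scan_status") != "Success" or RANK.get(sev, 0) < RANK[min_severity]:
                continue
            summary = report.get("summary", {})
            counts = " ".join(f'{k.lower()}="{v}"' for k, v in sorted(summary.get("summary", {}).items()))
            pri = FACILITY * 8 + SYSLOG_SEV.get(sev, 5)
            # 32473 is the RFC 5612 example enterprise number: a placeholder, not Harbor's
            lines.append(f'<{pri}>1 {ts} harbor.example.test harbor-scan - SCAN '
                         f'[harbor@32473 repo="{repo}" tag="{res.get("tag")}" digest="{res["digest"]}" '
                         f'severity="{sev}" fixable="{summary.get("fixable", 0)}" {counts}] '
                         f'{res.get("resource_url", repo)} has {summary.get("total", 0)} known vulnerabilities')
    return lines
```

Wire `scan_alerts` behind an HTTP handler that Harbor is pointed at and forward the returned lines to the collector; the handler should verify the webhook's auth header and only accept the event once the scan status is `Success`, as the check above does.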

SDBrett commented 4 years ago

Thanks for the webhook info; it doesn't quite meet the client requirements though.

The client needs to be able to configure scan reporting at a Harbor system level, not project. This is because the service consumers will be given a project and require permissions which will give them the ability to change the webhook configuration.

It would be ideal if a System level webhook could be configured for scans as well as the per project implementation.

I have built a workflow using the API to run periodically to get scan information, but I am having issues getting the scan report with the API; I raised a new issue for this: #11775

lindhe commented 2 years ago

It seems like Harbor has prepared support for using an e-mail server to send messages to users, but it is never used. Maybe that could be used for sending vulnerability warnings to at least admins?

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

onderilkesever commented 1 year ago

I wonder if there is a way to do it by now? I mean getting notified about found vulnerabilities after a scan.