sysdiglabs / harbor-scanner-sysdig-secure

Use Sysdig Secure as a plug-in vulnerability scanner in the Harbor registry

Home Page: https://sysdig.com/secure

License: Apache License 2.0

Go 99.28% Makefile 0.26% Dockerfile 0.47%
sysdig-secure harbor harbor-registry scanner-adapter harbor-pluggable-scanners

harbor-scanner-sysdig-secure's Introduction

Harbor Scanner Adapter for Sysdig Secure


The Sysdig Secure Harbor Scanner Adapter enables Harbor to use the Sysdig Secure scanning engine to analyze the container images managed by the platform.

See Pluggable Scanner API Spec for more details.

This adapter also provides a service that translates the Harbor scanning API requests into Sysdig Secure API calls, allowing Harbor to retrieve vulnerability reports and additional information from the scanning adapter. This information will be presented in the Harbor UI, transparently for the user.

Getting Started

You can follow a detailed guide to deploy the Scanner Adapter.

CLI Scanning

With CLI scanning, the scan itself is triggered and performed on your own infrastructure. The adapter spawns a Kubernetes job when a new image is pushed; this job sends only the container metadata to the Sysdig Secure Backend, which performs the evaluation based on the configured image scanning policies.

Configuration

Configuration of the adapter is done via environment variables at startup.

| Name | Default | Description |
|------|---------|-------------|
| SECURE_URL | https://secure.sysdig.com | Sysdig Secure URL |
| SECURE_API_TOKEN | | Sysdig Secure API Token |
| CLI_SCANNING | | Enable CLI Scanning instead of Backend |
| NAMESPACE_NAME | | Namespace where CLI Scanning will spawn jobs |
| CONFIGMAP_NAME | | ConfigMap name where Harbor Certificate is available |
| SECRET_NAME | | Secret name where Sysdig Secure API Token and Robot Account are available |
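
A pre-flight check for the variables in the table above, as an added example that is not the adapter's own code. `ValidateEnv` is a hypothetical name, and the https-only rule, the boolean parsing of CLI_SCANNING, and treating NAMESPACE_NAME, CONFIGMAP_NAME and SECRET_NAME as mandatory once CLI scanning is on are assumptions.

```go
package main

import (
	"log"
	"net/url"
	"os"
	"strconv"
	"strings"
)

// ValidateEnv checks the adapter settings from the table above, read through
// getenv (os.Getenv in production), and returns every problem found. Messages
// name variables only, so the token and URL never end up in logs.
func ValidateEnv(getenv func(string) string) []string {
	var problems []string
	secureURL := getenv("SECURE_URL")
	if secureURL == "" {
		secureURL = "https://secure.sysdig.com" // default from the table
	}
	// Assumption: plain http is refused so the API token never travels in clear text.
	if u, err := url.Parse(secureURL); err != nil || u.Scheme != "https" || u.Host == "" {
		problems = append(problems, "SECURE_URL must be an https URL")
	}
	if strings.TrimSpace(getenv("SECURE_API_TOKEN")) == "" {
		problems = append(problems, "SECURE_API_TOKEN is required")
	}
	// Assumption: CLI_SCANNING is a Go-style boolean; unset means disabled.
	cli := false
	if v := getenv("CLI_SCANNING"); v != "" {
		var err error
		if cli, err = strconv.ParseBool(v); err != nil {
			problems = append(problems, "CLI_SCANNING must be a boolean")
		}
	}
	// Assumption: the three Kubernetes names are mandatory once CLI scanning is on.
	for _, name := range []string{"NAMESPACE_NAME", "CONFIGMAP_NAME", "SECRET_NAME"} {
		if cli && getenv(name) == "" {
			problems = append(problems, name+" is required when CLI_SCANNING is enabled")
		}
	}
	return problems
}

func main() {
	if problems := ValidateEnv(os.Getenv); len(problems) > 0 {
		log.Fatal("invalid adapter configuration: ", strings.Join(problems, "; "))
	}
}
```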

harbor-scanner-sysdig-secure's People

Contributors

airadier, jujuyeh, marcuzzuu, mateobur, nestorsalceda


harbor-scanner-sysdig-secure's Issues

Limit the number of Jobs

Hi sysdiglabs team,

Currently we are trying to use this Harbor adapter of Sysdig in our stack. There are a couple of questions when implementing this.

  1. We are currently using inline scanning for scanning our images. We are planning to set up our Harbor in such a way that whenever an image gets pulled through the proxy cache, a scan needs to happen on the image. As a result of this, at a certain time even 20-25 images can be pulled through the Harbor proxy. This will create 25 jobs (25 pods) for inline scanning. Is it possible for us to increase the queue length and restrict the number of job scans that can happen at a time? Say, like putting a hard restriction on the number of jobs it can spin up at one time (say, like 10), and anything after that would be put in a queue till the jobs which are being scanned get completed.
  2. Also, would it be possible to introduce a third mode (offline-scan), where we would be able to do an offline scan with the DB being updated something like once a day (or whatever time period the user wants for updating the DB of vulnerabilities)?

Harbor robo account key vs password

Just wondering if the inline processing needs to change the robo account password to a token, as Harbor is not creating passwords for the robo accounts but tokens.

inlineScanning:
  enabled: false
  harbor:
    CA: ""
    robotAccount:
      name: ""
      password: ""
