
What is Harbor?

Harbor is an open source container registry that secures artifacts with policies and role-based access control. It ensures that images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.

Key Features

  • Security and Vulnerability Analysis: Integrates with multiple vulnerability scanners (including Trivy, Clair, and more) to scan images for known vulnerabilities.
  • Content Trust and Validation: Ensures that images are signed and verified, preventing the use of tampered or unauthorized images.
  • Role-Based Access Control: Provides fine-grained access control to repositories based on user roles and permissions.
  • Replication and Distribution: Supports image replication between Harbor instances and other registries for high availability and geographic distribution.
  • Image Retention Policy: Automatically cleans up old and unused images based on configurable policies.
  • Helm Chart Repository: Serves as a Helm chart repository, providing the same security features for Helm charts as for container images.
  • Audit Logging: Tracks all operations performed in the registry for compliance and troubleshooting.

Integration with DevOps Pipeline

Harbor can be integrated into your DevOps pipeline to provide a secure registry for your container images. Here's how you can integrate Harbor into your pipeline:

1. Setting Up Harbor

You can deploy Harbor using Helm or Docker Compose. Here's an example of deploying Harbor using Helm:

# Add the Harbor Helm repository
helm repo add harbor https://helm.goharbor.io

# Install Harbor
# harbor.example.com and Harbor12345 are placeholders. Harbor12345 is the
# chart's well-known default admin password, so set your own value here
# (or change it immediately after the first login).
helm install harbor harbor/harbor \
  --namespace harbor \
  --create-namespace \
  --set expose.type=ingress \
  --set expose.tls.enabled=true \
  --set externalURL=https://harbor.example.com \
  --set harborAdminPassword=Harbor12345

2. Pushing Images to Harbor

Once Harbor is set up, you can push images to it as part of your CI/CD pipeline:

# Example GitHub Actions workflow
name: Build and Push

on:
  push:
    branches: [ main ]

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        
      - name: Build and tag image
        run: |
          docker build -t harbor.example.com/project/image:${{ github.sha }} .
          
      - name: Login to Harbor
        uses: docker/login-action@v2
        with:
          registry: harbor.example.com
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}
          
      - name: Push image to Harbor
        run: |
          docker push harbor.example.com/project/image:${{ github.sha }}

3. Implementing Image Scanning

Configure Harbor to automatically scan images for vulnerabilities when they are pushed (a per-project setting in Harbor's project configuration), then gate deployment on the result. The following workflow queries the Harbor API for the scan outcome of the image that was just built and aborts if the scanner reports High or Critical findings:

# Example of checking scan results before deployment
name: Deploy

on:
  workflow_run:
    workflows: ["Build and Push"]
    types:
      - completed

jobs:
  check-vulnerabilities:
    runs-on: ubuntu-latest
    # Only gate images from builds that actually succeeded
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    env:
      # In a workflow_run job, github.sha is the default branch HEAD, not the
      # commit that was built and pushed; use the triggering run's head SHA.
      IMAGE_TAG: ${{ github.event.workflow_run.head_sha }}
      ARTIFACT_URL: https://harbor.example.com/api/v2.0/projects/project/repositories/image/artifacts
    steps:
      - name: Check vulnerability scan results
        run: |
          # Poll the Harbor API until the scan has finished (up to 5 minutes).
          # with_scan_overview=true adds the scanner summary to the artifact.
          for i in $(seq 1 30); do
            ARTIFACT=$(curl -sSf -u "${{ secrets.HARBOR_USERNAME }}:${{ secrets.HARBOR_PASSWORD }}" \
              "${ARTIFACT_URL}/${IMAGE_TAG}?with_scan_overview=true")
            STATUS=$(echo "$ARTIFACT" | jq -r '(.scan_overview // {}) | to_entries | .[0].value.scan_status // "Pending"')
            [ "$STATUS" = "Success" ] && break
            echo "Scan status: $STATUS, waiting..."
            sleep 10
          done
          [ "$STATUS" = "Success" ] || { echo "Scan did not complete: $STATUS. Deployment aborted."; exit 1; }

          # Harbor reports the worst severity found as Critical, High, Medium,
          # Low, Negligible, Unknown or None (capitalised, so a substring match
          # on "HIGH" would never fire).
          SEVERITY=$(echo "$ARTIFACT" | jq -r '.scan_overview | to_entries | .[0].value.severity')
          echo "Highest severity reported: $SEVERITY"
          if [ "$SEVERITY" = "Critical" ] || [ "$SEVERITY" = "High" ]; then
            echo "High or critical vulnerabilities found. Deployment aborted."
            exit 1
          fi

  deploy:
    needs: check-vulnerabilities
    runs-on: ubuntu-latest
    steps:
      - name: Deploy application
        run: |
          echo "Deploying application..."
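The same deployment gate written in Python, as an added example that is neither Harbor's code nor the page's own pipeline. The sample responses are constructed to follow the shape of Harbor's v2.0 API (the artifact's scan_overview keyed by report MIME type, and the additions/vulnerabilities report); the MIME key, severity labels and field names are Harbor's, while the CVE ids, package names and digest are placeholders. It goes a little beyond the workflow above: it checks individual findings against a project CVE allowlist and fails closed when the scan has not completed.

```python
"""Deployment gate over Harbor scan results (added example, not Harbor's code).
Sample data mirrors GET .../artifacts/<ref>?with_scan_overview=true and
GET .../artifacts/<ref>/additions/vulnerabilities; values are constructed."""

# Harbor severity labels, worst first (note the capitalisation: not "HIGH").
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2,
                 "Negligible": 1, "Unknown": 0, "None": 0}
MIME = "application/vnd.security.vulnerability.report; version=1.1"

# Constructed sample artifact: scan_overview is keyed by report MIME type.
SAMPLE_ARTIFACT = {"digest": "sha256:PLACEHOLDER", "scan_overview": {MIME: {
    "scan_status": "Success", "severity": "Critical",
    "summary": {"total": 3, "summary": {"Critical": 1, "High": 1, "Low": 1}}}}}

# Constructed sample vulnerability report (CVE ids and packages are placeholders).
SAMPLE_REPORT = {MIME: {"vulnerabilities": [
    {"id": "CVE-0000-0001", "severity": "Critical", "package": "libexample", "fix_version": "1.2.4"},
    {"id": "CVE-0000-0002", "severity": "High", "package": "libother", "fix_version": ""},
    {"id": "CVE-0000-0003", "severity": "Low", "package": "tool", "fix_version": ""}]}}


def scan_state(artifact):
    """Return (scan_status, severity) from the first scanner entry; 'Pending' if none."""
    for report in (artifact.get("scan_overview") or {}).values():
        return report.get("scan_status", "Pending"), report.get("severity")
    return "Pending", None


def blocking_findings(report, threshold="High", allowlist=()):
    """Findings at or above threshold that are not on the project's CVE allowlist."""
    floor = SEVERITY_RANK[threshold]
    return [v for entry in report.values() for v in entry.get("vulnerabilities", [])
            if v["id"] not in allowlist and SEVERITY_RANK.get(v["severity"], 0) >= floor]


def gate(artifact, report, threshold="High", allowlist=()):
    """Return (allowed, reason). An unfinished or failed scan fails closed."""
    status, worst = scan_state(artifact)
    if status != "Success":
        return False, f"scan not complete: {status}"
    bad = blocking_findings(report, threshold, allowlist)
    if bad:
        ids = ", ".join(f"{v['id']} ({v['severity']} in {v['package']})" for v in bad)
        return False, f"blocked by {len(bad)} finding(s): {ids}"
    return True, f"no findings at or above {threshold} (scanner's worst: {worst})"


if __name__ == "__main__":
    print(gate(SAMPLE_ARTIFACT, SAMPLE_REPORT))
    print(gate(SAMPLE_ARTIFACT, SAMPLE_REPORT, allowlist=("CVE-0000-0001", "CVE-0000-0002")))
```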

Best Practices

  • Enable vulnerability scanning for all repositories and configure automatic scanning for newly pushed images.
  • Implement content trust to ensure that only signed images can be pulled and deployed.
  • Set up appropriate RBAC to control access to repositories based on user roles and responsibilities.
  • Configure image retention policies to automatically clean up old and unused images.
  • Set up replication between Harbor instances for high availability and disaster recovery.
  • Regularly update Harbor to ensure you have the latest security features and bug fixes.
  • Monitor Harbor's audit logs for suspicious activities and compliance reporting.

Conclusion

Harbor is a powerful container registry that provides security, compliance, and governance for your container images. By integrating Harbor into your DevOps pipeline, you can ensure that only secure and trusted images are deployed to your production environment.
