Scanning Harbor registry images for vulnerabilities with Snyk
It’s official! Snyk Container now supports scanning container images stored in Harbor, the popular open source container registry. Snyk Container helps you find and fix vulnerabilities in your container images, and the Harbor integration lets you import projects straight from the registry and monitor those containers for vulnerabilities. Snyk tests each imported project for known security vulnerabilities at a frequency you control.
Snyk Container also provides base image upgrade recommendations, which accelerate your efforts to harden your application images by surfacing better options to build from. It also includes image layer identification, so you can focus your efforts on the problematic lines in your Dockerfile.
Optimize base images
Snyk helps you identify and select alternate base images to help reduce the overall number of vulnerabilities in your container images. Often there are a number of base image alternatives available, especially for popular official Docker images. Snyk Container can determine the base image you’re currently using and provide recommendations for upgrades with fewer vulnerabilities.
The following shows base image recommendations for an image that is based on the tomcat:7.0.100 base image:
Snyk Container offers various recommendations based on your project and the curated information supplied by the Snyk Vulnerability Database, enabling you to control how you fix vulnerabilities:
- Minor upgrades – smaller upgrades are faster, easier to adopt and less likely to break your build; these recommendations keep the same major version of the framework and the same operating system distribution.
- Major upgrades – require a move to a newer major version of the framework or operating system distribution.
- Alternative upgrades – offer alternative suggestions for different images that can be used instead, but which may change both the framework and the distribution. While these alternative options may greatly reduce the number of vulnerabilities, as in the example above, they might also require more testing and consideration to ensure they don’t break your code.
Identify problematic Dockerfile statements
Snyk Container also helps you discover where you might be introducing vulnerabilities in your containers by analyzing your Dockerfile instructions and pinpointing the specific instructions through which vulnerable packages are introduced. Use this information to decide whether to install newer packages or, when possible, to slim the image further by removing instructions altogether.
In the example below, you can see a vulnerability in a library introduced in the Dockerfile by the instruction apt-get install -y git. Armed with this information, you can determine whether git is really something you need in this container or whether an alternative version of that library is available.
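The two checks described above, base image upgrade classification (minor, major or alternative) and tracing a package back to the Dockerfile instruction that installed it, can be modelled with a small script. The following is an added example written for this page; it is not Snyk's code and does not query the Snyk Vulnerability Database. The Dockerfile, the candidate image tags and the tag-parsing rules (leading dotted numbers are the version, the rest of the tag is treated as the distribution or variant) are all constructed assumptions for illustration, and only apt-get install instructions are recognised.

```python
"""Toy model of base image upgrade classification and Dockerfile layer attribution.

Added example for this page: not Snyk's implementation. The sample Dockerfile and
candidate tags below are constructed, and the tag-parsing rules are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Dockerfile mirroring the post's scenario (tomcat:7.0.100 + git).
SAMPLE_DOCKERFILE = """\
FROM tomcat:7.0.100
RUN apt-get update && \\
    apt-get install -y git curl
COPY app.war /usr/local/tomcat/webapps/
"""

# Constructed candidate base images; a real tool would take these from a vulnerability DB.
CANDIDATES = [
    "tomcat:7.0.109",          # same major version and variant -> minor upgrade
    "tomcat:9.0.41",           # newer major version -> major upgrade
    "eclipse-temurin:11-jre",  # different image altogether -> alternative
    "tomcat:7.0.96",           # older than current -> not an upgrade
]


def logical_lines(dockerfile: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; yield (first line number, full instruction)."""
    out, buf, start = [], [], 0
    for idx, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank lines and comments are not instructions
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf = []
    if buf:  # dangling continuation at end of file
        out.append((start, " ".join(buf)))
    return out


def parse_image_ref(ref: str) -> Tuple[str, str]:
    """Split 'registry:5000/ns/name:tag@digest' into (name, tag); tag defaults to latest."""
    prefix, _, last = ref.strip().rpartition("/")  # registry part may contain ':port'
    last, _, _digest = last.partition("@")
    repo, _, tag = last.partition(":")
    name = f"{prefix}/{repo}" if prefix else repo
    return name, tag or "latest"


def split_tag(tag: str) -> Tuple[Tuple[int, ...], str]:
    """Assumed convention: '9.0.41-jdk11-slim' -> ((9, 0, 41), 'jdk11-slim')."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(.*))?$", tag)
    if not m:
        return (), tag  # non-numeric tag such as 'latest': no comparable version
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) or ""


def classify_upgrade(current: str, candidate: str) -> Optional[str]:
    """Return 'minor', 'major', 'alternative', or None when the candidate is not newer."""
    cur_name, cur_tag = parse_image_ref(current)
    cand_name, cand_tag = parse_image_ref(candidate)
    if cur_name != cand_name:
        return "alternative"  # different image: framework and distribution may both change
    cur_ver, cur_variant = split_tag(cur_tag)
    cand_ver, cand_variant = split_tag(cand_tag)
    if cand_ver < cur_ver or (cand_ver == cur_ver and cand_variant == cur_variant):
        return None  # identical image or a downgrade
    if cand_ver[:1] == cur_ver[:1] and cand_variant == cur_variant:
        return "minor"  # same major version, same distribution/variant
    return "major"  # newer major version or a change of distribution/variant


def recommend(current: str, candidates: List[str]) -> Dict[str, List[str]]:
    """Group candidate images by upgrade category, dropping non-upgrades."""
    groups: Dict[str, List[str]] = {"minor": [], "major": [], "alternative": []}
    for cand in candidates:
        kind = classify_upgrade(current, cand)
        if kind:
            groups[kind].append(cand)
    return groups


def base_image(dockerfile: str) -> str:
    """Image reference of the last FROM (stage aliases are not resolved in this toy)."""
    ref = None
    for _, instr in logical_lines(dockerfile):
        if instr.upper().startswith("FROM "):
            ref = next(p for p in instr.split()[1:] if not p.startswith("--"))
    if ref is None:
        raise ValueError("no FROM instruction found")
    return ref


_INSTALL_RE = re.compile(r"\b(?:apt-get|apt)\s+install\b(.*?)(?:&&|;|\|\||$)")


def packages_by_instruction(dockerfile: str) -> Dict[str, Tuple[int, str]]:
    """Map each apt-installed package to the (line number, RUN instruction) that added it."""
    origin: Dict[str, Tuple[int, str]] = {}
    for line_no, instr in logical_lines(dockerfile):
        if not instr.upper().startswith("RUN"):
            continue
        for m in _INSTALL_RE.finditer(instr):
            for token in m.group(1).split():
                if token.startswith("-"):
                    continue  # flags such as -y or --no-install-recommends
                origin.setdefault(token.split("=", 1)[0], (line_no, instr))
    return origin


if __name__ == "__main__":
    base = base_image(SAMPLE_DOCKERFILE)
    print("base image:", base)
    for kind, images in recommend(base, CANDIDATES).items():
        print(f"  {kind}: {images}")
    line_no, instr = packages_by_instruction(SAMPLE_DOCKERFILE)["git"]
    print(f"git is installed by Dockerfile line {line_no}: {instr}")
```

Run as a script it prints the current base image, the candidates sorted into the three categories the post describes, and the Dockerfile line responsible for git; the same functions can be pointed at any Dockerfile text. The layer attribution only walks the Dockerfile, so packages that arrive inside the base image itself are correctly left unattributed to any RUN line, which is exactly the case where a base image upgrade rather than a Dockerfile edit is the fix.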
Snyk Container & Harbor: Centralized code and container vulnerability scanning
Snyk’s integration with Harbor enables you to find and fix vulnerabilities in both your open source dependencies and your container images for the images stored in your Harbor repositories. Going beyond simply reporting the number of vulnerabilities, Snyk Container speeds up your efforts to fix container vulnerabilities by providing recommended fix options and prioritized vulnerability details. In this example, Snyk has detected an NPM application during a Harbor image vulnerability scan and has automatically scanned its open source library dependencies as well.
Harbor integration is available now for Snyk Pro and Enterprise plans and works with both on-prem and cloud-hosted Harbor registries. It’s easy to get started: you can start securing your containers for free with Snyk, and if you want to see the Harbor integration, contact us with the link below or use the Integrations page after you’ve set up your account.
Book a demo
Book a demo today to see Harbor registry scanning for yourself.