{"id":14637814,"url":"https://github.com/anchore/harbor-scanner-adapter","last_synced_at":"2025-04-23T15:30:45.049Z","repository":{"id":57511238,"uuid":"214296862","full_name":"anchore/harbor-scanner-adapter","owner":"anchore","description":"Harbor Scanner Adapter for Anchore Engine and Enterprise","archived":false,"fork":false,"pushed_at":"2025-03-20T16:52:50.000Z","size":918,"stargazers_count":37,"open_issues_count":22,"forks_count":17,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-04-02T16:50:37.587Z","etag":null,"topics":["docker","harbor","vulnerabilities","vulnerability-scanner"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anchore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-10T22:29:42.000Z","updated_at":"2025-02-19T18:32:15.000Z","dependencies_parsed_at":"2023-10-21T10:09:23.924Z","dependency_job_id":"fc68f45e-d50f-49ba-abdf-98b6f5420577","html_url":"https://github.com/anchore/harbor-scanner-adapter","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fharbor-scanner-adapter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fharbor-scanner-adapter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anchore%2Fharbor-scanner-adapter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/anchore%2Fharbor-scanner-adapter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anchore","download_url":"https://codeload.github.com/anchore/harbor-scanner-adapter/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250460242,"owners_count":21434229,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","harbor","vulnerabilities","vulnerability-scanner"],"created_at":"2024-09-10T02:01:16.751Z","updated_at":"2025-04-23T15:30:45.038Z","avatar_url":"https://github.com/anchore.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"[![CI][ci-img]][ci]\n[![Go Reportcard][report-card-img]][report-card]\n\n# Harbor Scanner Adapter for Anchore Engine/Enterprise\n\n## Overview\n\nThe Harbor Scanner Adapter for Anchore is a service that translates the Harbor scanning API into the Anchore API\nand allows Harbor to utilize Anchore Enterprise for providing vulnerability reports on images stored in Harbor as\npart of its vulnerability scan feature.\n\nThis Adapter is only required if you want Harbor to use Anchore for its 'Scan' feature. If your objective is to use Anchore in a CI/CD\nworkflow or to provide its own analysis reports against images stored in Harbor, that can be achieved without this Adapter.\n\n\n\n\u003e**:construction: Note:** \n\u003e \n\u003e This sequence diagram is no longer quite accurate. 
The calls are correct, but in recent updates they are done asynchronously and are stored by a result store that is not yet added to this diagram\n\n![Interaction Overview](assets/AnchoreHarborAdapter.png)\n\n### Authentication\n\n#### Harbor-to-Adapter\n\nAPI requests between Harbor and the adapter should be protected by TLS/HTTPS at the channel level, but can also use a shared secret for authentication.\nSee the configuration section below on setting an API key for the Adapter. Then, when adding the adapter to Harbor via the UI, use the 'Bearer' auth type\nand set the value to the value set in the adapter configuration. This will cause Harbor to send the token as a Bearer token to the adapter, which will verify\nthe HTTP Authorization header against the expected value.\n\n#### Adapter-To-Anchore\n\nAPI calls between the Adapter and Anchore should also be protected by TLS/HTTPS and also require a username/password for HTTP Basic authentication to Anchore. For this, it \nis highly recommended to create a specific harbor user in Anchore and use those credentials in the auth secret presented to the Adapter as described below in the configuration section.\n\nNote that these are not credentials used to pull images from Harbor, only to authenticate API calls between the adapter service and the Anchore API service.\n\n#### Anchore-To-Harbor\n\nAPI requests from Anchore services to Harbor to fetch the image data for analysis are protected by short-lived credentials generated by Harbor and passed to the Adapter service on each\nnew scan request. 
The Adapter service automatically configures Anchore to use the supplied credentials for the data fetch operations as part of requesting an image analysis from Anchore.\n\nThe adapter never makes requests to Harbor and never reads any image content; only Anchore services access any Harbor image data.\n\n## Building the Adapter service\n\nRun `make` to run the tests and get the binary in dist/\u003cplatform\u003e/anchore-adapter\n```\nmake\n```\n\nTo build into a container: \n```\nmake snapshot\n```\n\n\n## Configuration\n\nConfiguration of the adapter is done via environment variables at startup or via a configuration file. If both are used,\nenvironment variable values take precedence over values from the file.\n\n### Environment Variables\n\nAdapter configuration values. These cannot be set in the client config file, only via environment variables.\n\n| Environment Variable | Description | Default Value |\n|----------|-------------|---------------|\n| SCANNER_ADAPTER_LISTEN_ADDR | The address for the adapter to listen on for HTTP traffic | \":8080\" |\n| SCANNER_ADAPTER_LOG_LEVEL | Log verbosity | \"info\" |\n| SCANNER_ADAPTER_LOG_FORMAT | Format of the log, either text or json | \"text\" |\n| SCANNER_ADAPTER_APIKEY | Secret that must be presented by client (harbor) to authenticate calls to the adapter itself | null |\n| SCANNER_ADAPTER_FULL_VULN_DESCRIPTIONS | Add full vulnerability descriptions, but will make scans slower | true |\n| SCANNER_ADAPTER_TLS_KEY_FILE | Path to the private key for the API to listen with HTTPS | null |\n| SCANNER_ADAPTER_TLS_CERT_FILE | Path to the public cert file for the API to listen with HTTPS | null |\n| SCANNER_ADAPTER_FILTER_VENDOR_IGNORED | If set, any vulnerabilities marked as ignored or will-not-fix by vendor (e.g. Debian's No-DSA flag) will not be returned in the scan result. This can help reduce noise in scans if you accept the distro vendor's fix assessment. 
| False |\n| SCANNER_ADAPTER_REGISTRY_VALIDATE_CREDS | If set, the adapter will ask Anchore to validate the credentials passed to it by Harbor for the image fetch. If false, then the validation is skipped and credentials are used without being checked first. | True |\n| SCANNER_ADAPTER_REGISTRY_TLS_VERIFY | If set to False, the adapter will set a flag in Anchore to ensure Anchore skips validation of the TLS certificate when it contacts Harbor to pull the image. This is primarily for use when your Harbor install uses self-signed certificates | True |\n| SCANNER_ADAPTER_DESCRIPTION_CACHE_ENABLED | Boolean to enable a vulnerability cache to improve performance of the scan by caching vulnerability descriptions | True |\n| SCANNER_ADAPTER_DESCRIPTION_CACHE_COUNT | Number of cache entries to keep in memory in the adapter. This is the number of description strings to cache | 10000 | \n| SCANNER_ADAPTER_DESCRIPTION_CACHE_TTL | The timeout value for entries in the description cache. Descriptions can be updated, so larger values give better performance but may have stale descriptions. | 86400 (24 hours) |\n| SCANNER_ADAPTER_REPORT_CACHE_ENABLED | Boolean to enable caching of the raw vulnerability reports from Anchore within the Adapter. This reduces the call volume to Anchore for different report types requested by Harbor or scans that are close-together and result in the same report from Anchore between Anchore's vuln db updates | True |\n| SCANNER_ADAPTER_REPORT_CACHE_COUNT |  The number of raw Anchore image vulnerability reports to cache in memory to avoid repeated calls to Anchore for the same result. | 100 |\n| SCANNER_ADAPTER_REPORT_CACHE_TTL | The ttl, in seconds, for raw Anchore vulnerability reports in the adapter, which are re-used for the Harbor format and raw format responses. A good value here is at least 10 seconds. 
| 180 |\n| SCANNER_ADAPTER_DB_UPDATE_CACHE_ENABLED | Boolean to enable caching of the Anchore vulnerability db updated timestamp to reduce call volume between the adapter and Anchore. Harbor tends to check the update timestamp often so this reduces calls to Anchore. | True |\n| SCANNER_ADAPTER_DB_UPDATE_CACHE_TTL | The number of seconds to keep the last db update timestamp before checking the Anchore service again. The service check to Anchore is a bit resource intensive so this value helps reduce load on Anchore from the Adapter | 60 | \n| SCANNER_ADAPTER_ENABLE_RAW_MIME_TYPE | Enable/Disable the RAW MIME type from the adapter | True | \n| ANCHORE_ENDPOINT | The url to reach the Anchore API (e.g https://anchore.mydomain.com) | null |\n| ANCHORE_USERNAME | The username the Adapter will use to authenticate API calls against Anchore itself. This must be a username within Anchore, not a Harbor user. | null | \n| ANCHORE_PASSWORD | The password the Adapter will use to authenticate API calls against Anchore itself. This is not a Harbor credential. | null |\n| ANCHORE_CLIENT_TIMEOUT_SECONDS | Timeout (in seconds) for API calls to Anchore from the Adapter | 60 |\n| ANCHORE_AUTHFILE_PATH | A path to a json file with any of the properties \"username\", \"password\", \"endpoint\", \"timeoutseconds\", and \"tlsverify\" to enable passing Anchore credentials to the Adapter without environment variables (e.g. for secrets in k8s mounted as a file) | null |\n  \n\n### Configuration file format\n\nThe configuration file must be json formatted and may contain all or some of the below fields. 
The config file is loaded first, and any values also present in the environment will override the file values.\n\n```\n{\n  \"username\": \"harbor\",\n  \"password\": \"harboruserpass123\",\n  \"endpoint\": \"http://somehost\",\n  \"timeoutseconds\": 60,\n  \"tlsverify\": false\n} \n```\n\n## Deployment\n\n### Requirements\n\nThis adapter requires both a Harbor deployment and an Anchore Enterprise deployment to operate. The adapter can be deployed before the Anchore installation,\nbut the endpoint url and credentials must be known to pass to the adapter.\n\nInstall Harbor:\n```\nhelm install --name harbor harbor/harbor\n```\n\nInstall Anchore Enterprise:\n[Installation docs](https://docs.anchore.com/current/docs/deployment/)\n\n### Create Credentials\n\nIt is highly recommended to create a new account in the Anchore deployment and a new user with credentials dedicated to the Harbor adapter. \nWhen using Enterprise 5+, you can also utilize api keys. Learn how to generate them here - https://docs.anchore.com/current/docs/configuration/user_authentication/api_keys/#generating-api-keys\n\nCreate a harbor account and user in Anchore for the adapter to use for authenticating calls to Anchore. \n\n_This is not required, but recommended as it will limit the scope of the adapter's credentials within Anchore to a \nnon-admin account and keep all Harbor image data in one account for easy management. 
This step can be skipped for demo environments where the Anchore deployment is not shared, but is strongly encouraged for all production use and all cases where\nHarbor will be integrated with an existing Anchore deployment._\n\nFor example with anchorectl, you could create a new account in Anchore, _harbor_ with a single user _harbor_ and password for this example (use a much stronger password in your install)\n```\nanchorectl account add harbor\nanchorectl account user add --account harbor harbor harboruserpass123\n```\n\nNow you need to store the credentials in a secret for use by the adapter.\nIf you created a custom user:\n```\nkubectl create secret generic anchore-creds --from-literal=username=harbor --from-literal=password=harboruserpass123\n```\nYou can use the default admin user/pass for a fresh test/dev install of Anchore (DO NOT DO THIS FOR PRODUCTION!):\n```\nkubectl create secret generic anchore-creds --from-literal=username=admin --from-literal=password=foobar\n```\nPlease ensure the secret is stored in the same namespace as the deployed Harbor adapter.\n\n###  Install Adapter\n\nTake a copy of the yaml manifest and edit to your specific deployment requirements. If you created a secret for the username and password then these will be used.\nInstall the adapter:\n```\nkubectl apply -f ./k8s/harbor-adapter-anchore.yaml\n```\n\nPlease note: You can install multiple adapters and configure each of these to work differently. This would allow you to map each adapter/scanner instance to the desired project in Harbor.\n\n###  Configure Adapter\n\nConfigure the scanner in Harbor:\n\nIn the Harbor UI login as an admin and navigate to Administration-\u003eInterrogation Services-\u003eScanners and click \"+ New Scanner\".\nIn older versions of Harbor, this can be found under Configuration-\u003eScanners.\n\n![Add Scanner UI](assets/scanner-config-new.png)\n\nIn 'Endpoint', use the adapter hostname of your instance. 
The default is the following:\n```\nhttp://harbor-scanner-anchore:8080\n```\nLeave authorization empty since in this example we did not set an API key in the adapter deployment environment.\n\nClick \"Test Connection\" and it should work. \nYou can now click \"Add\" to add the scanner.\n\nNow for each project in Harbor, we must add and set the Anchore Scanner.\nIn the Harbor UI, navigate to the project-\u003escanner and click \"Select Scanner\". You might want to make Anchore the default scanner for a project.\n![Add Scanner to Project UI](assets/scanner-project-select.png)\n\n###  Test Scanning\n\nNavigate to a project and repository, then select an image and push the scan vulnerability button at the top of the page.\n\nAlso under the Administration-\u003eInterrogation Services page you can perform bulk scans.\n\nFinally, under a Project go to the 'Configuration' page where you can 'scan images on push' and 'prevent vulnerable images from running'. \nThe last option will require you to enable 'Use internal registry address' so that Anchore can access the image in Harbor to scan it.\n\n## Development\n\nIf you have skaffold installed it can be used against a local k8s install for\ndev. Running `skaffold dev` will build the adapter with ko and deploy using the\nmanifest file at k8s/harbor-adapter-anchore-skaffold.yaml. 
Any changes will\nthen be live deployed to local k8s for testing.\n\n\n## Special Thanks\n\nSpecial thanks to the following for their help with the prototype adapter implementation that inspired this work:\n\n* [cafeliker](https://github.com/cafeliker)\n* [MaGaoJU](http://github.com/MaGaoJu)\n\n[ci]: https://circleci.com/gh/anchore/harbor-scanner-adapter/tree/master\n[ci-img]: https://circleci.com/gh/anchore/harbor-scanner-adapter/tree/master.svg\n[report-card]: https://goreportcard.com/report/github.com/anchore/harbor-scanner-adapter\n[report-card-img]: https://goreportcard.com/badge/github.com/anchore/harbor-scanner-adapter\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fharbor-scanner-adapter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanchore%2Fharbor-scanner-adapter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanchore%2Fharbor-scanner-adapter/lists"}