{"id":13823075,"url":"https://github.com/aquasecurity/harbor-scanner-aqua","last_synced_at":"2025-10-13T07:22:31.635Z","repository":{"id":38032847,"uuid":"219491244","full_name":"aquasecurity/harbor-scanner-aqua","owner":"aquasecurity","description":"Aqua Enterprise scanner as a plug-in vulnerability scanner in the Harbor registry","archived":false,"fork":false,"pushed_at":"2024-10-04T16:50:19.000Z","size":34721,"stargazers_count":37,"open_issues_count":7,"forks_count":16,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-07-08T16:47:16.178Z","etag":null,"topics":["aqua-csp-scanner","aqua-scanner","harbor","harbor-registry","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://goharbor.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-04T12:00:20.000Z","updated_at":"2025-04-04T03:49:39.000Z","dependencies_parsed_at":"2022-09-11T19:32:03.052Z","dependency_job_id":"ad266ea2-2c7e-4a2a-a9fd-40af423a2009","html_url":"https://github.com/aquasecurity/harbor-scanner-aqua","commit_stats":null,"previous_names":[],"tags_count":33,"template":false,"template_full_name":null,"purl":"pkg:github/aquasecurity/harbor-scanner-aqua","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-aqua","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-aqua/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/repositories/aquasecurity%2Fharbor-scanner-aqua/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-aqua/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/harbor-scanner-aqua/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-aqua/sbom","scorecard":{"id":204670,"data":{"date":"2025-08-11","repo":{"name":"github.com/aquasecurity/harbor-scanner-aqua","commit":"085b02593caf650e701576c74da5d417d33f5695"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Code-Review","score":2,"reason":"Found 7/30 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid 
dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1","Warn: no topLevel permission defined: .github/workflows/publish-helm-chart.yaml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:14: 
update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-helm-chart.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/publish-helm-chart.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-helm-chart.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/publish-helm-chart.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-helm-chart.yaml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/publish-helm-chart.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/aquasecurity/harbor-scanner-aqua/release.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.14 to alpine:3.14@sha256:0f2d5c38dd7a4f4f733e688e3a6733cb5ab1ac6e3cb4603a5dd564e5bfb80eed","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.18.0 not signed: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/178449216","Warn: release artifact v0.17.0 not signed: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/168264200","Warn: release artifact v0.16.1 not signed: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/123990058","Warn: release artifact v0.16.0 not signed: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/123975537","Warn: release artifact v0.15.0 not signed: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/101659112","Warn: release artifact v0.18.0 does not have provenance: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/178449216","Warn: release artifact v0.17.0 does not have provenance: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/168264200","Warn: release artifact v0.16.1 does not have provenance: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/123990058","Warn: release artifact v0.16.0 does not have provenance: https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/123975537","Warn: release artifact v0.15.0 does not have provenance: 
https://api.github.com/repos/aquasecurity/harbor-scanner-aqua/releases/101659112"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"43 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0344 / GHSA-crp2-qrr5-8pq7","Warn: Project is vulnerable to: GO-2024-2846 / GHSA-c9cp-9c75-9v8c","Warn: Project is vulnerable to: GO-2022-0482 / GHSA-5ffw-gxpp-mxpf","Warn: Project is vulnerable to: GO-2022-1147 / GHSA-2qjp-425j-52j9","Warn: Project is vulnerable to: GO-2023-1573 / GHSA-259w-8hf6-59c2","Warn: Project is vulnerable to: GO-2023-1574 / GHSA-hmfx-3pcx-653p","Warn: Project is vulnerable to: GO-2023-2412 / GHSA-7ww5-4wqc-m92c","Warn: Project is vulnerable to: GO-2025-3528 / GHSA-265r-hfxg-fhmg","Warn: Project is vulnerable to: GO-2022-0379 / GHSA-qq97-vm5h-rrhg","Warn: Project is vulnerable to: GHSA-hqxw-f8mx-cpmw","Warn: Project is vulnerable to: GO-2022-0390 / GHSA-2mm7-x5h6-5pvq","Warn: Project is vulnerable to: GO-2022-0985 / GHSA-rc4r-wh2q-q6c4","Warn: Project is vulnerable to: GO-2022-1107 / GHSA-vp35-85q5-9f25","Warn: Project is vulnerable to: GO-2023-1699 / GHSA-232p-vwff-86mp","Warn: Project is vulnerable to: GO-2023-1700 / GHSA-33pg-m6jh-5237","Warn: Project is vulnerable to: GO-2023-1701 / GHSA-6wrf-mxfj-pf5p","Warn: Project is vulnerable to: GHSA-jq35-85cj-fj4p","Warn: Project is vulnerable to: GHSA-mq39-4gv4-mvpx","Warn: Project is vulnerable to: GO-2024-3005 / 
GHSA-v23v-6jw2-98fq","Warn: Project is vulnerable to: GO-2024-2512 / GHSA-xw73-rw38-6vjc","Warn: Project is vulnerable to: GO-2025-3829 / GHSA-4vq8-7jfc-9cvp","Warn: Project is vulnerable to: GO-2022-0274 / GHSA-v95c-p5hm-xq8f","Warn: Project is vulnerable to: GO-2022-0452 / GHSA-f3fp-gc8g-vw66","Warn: Project is vulnerable to: GO-2023-1683 / GHSA-g2j6-57v7-gm8c","Warn: Project is vulnerable to: GO-2023-1682 / GHSA-m8cg-xc2p-r3fc","Warn: Project is vulnerable to: GO-2023-1627 / GHSA-vpvm-3wq2-2wvm","Warn: Project is vulnerable to: GO-2024-2491 / GHSA-xr7r-f8xq-vfvv","Warn: Project is vulnerable to: GO-2024-3110 / GHSA-jfvp-7x6p-h2pv","Warn: Project is vulnerable to: GO-2022-0322 / GHSA-cg3q-j54f-5p7p","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2023-2153 / GHSA-m425-mq94-257g / GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37","Warn: Project is vulnerable to: GO-2022-0603 / GHSA-hp87-p4gw-j4gq"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T23:27:42.202Z","repository_id":38032847,"created_at":"2025-08-16T23:27:42.202Z","updated_at":"2025-08-16T23:27:42.202Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279014111,"owners_count":26085463,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aqua-csp-scanner","aqua-scanner","harbor","harbor-registry","vulnerability-scanner"],"created_at":"2024-08-04T09:00:20.289Z","updated_at":"2025-10-13T07:22:31.617Z","avatar_url":"https://github.com/aquasecurity.png","language":"Go","funding_links":[],"categories":["Projects"],"sub_categories":[],"readme":"[![GitHub release][release-img]][release]\n[![GitHub Build Action][build-action-img]][actions]\n[![Go Report Card][report-card-img]][report-card]\n![Docker Pulls][docker-pulls]\n[![License][license-img]][license]\n\n# Harbor Scanner Adapter for Aqua Enterprise\n\n\u003e **NOTE**: This adapter is only required if you want Harbor to use Aqua Enterprise for its image scanning feature.\n\u003e If your objective is to use Aqua Enterprise to provide its own analysis reports against images stored in Harbor,\n\u003e that can be achieved without deploying this 
adapter.\n\nThe Harbor Scanner Adapter for Aqua Enterprise is a service that translates the Harbor scanning API into `scannercli`\ncommands and allows Harbor to use Aqua Enterprise ad hoc scanning for providing vulnerability reports on images stored\nin Harbor registry as part of its vulnerability scan feature.\n\nThe adapter service implements the [Pluggable Scanners API v1.0][harbor-pluggable-scanner-api] and communicates with\nthe Aqua API server to fulfil the contract required by Harbor scanning API. This contract is based on OS and application\nvulnerabilities, which implies that Harbor scanning API and Harbor Portal are **only capable of handling and displaying\nOS and application vulnerabilities**.\n\n![HLD](docs/images/hld.png)\n\n\u003e **NOTE**: To see the whole report generated by the Aqua scanner, including detected malware and sensitive data,\n\u003e you have to navigate from Harbor Portal to Aqua Management Console. Similarly, Harbor does not have support for\n\u003e displaying or enforcing Aqua's image assurance policies. 
You will need to use the Aqua Management Console to view\n\u003e and configure these policies.\n\n## TOC\n\n- [Requirements](#requirements)\n- [How does it work?](#how-does-it-work)\n- [Deployment](#deployment)\n  - [Docker](#docker)\n  - [Kubernetes](#kubernetes)\n  - [OpenShift Container Platform](#openshift-container-platform)\n  - [Configuring Harbor Scanner](#configuring-harbor-scanner)\n- [Configuration](#configuration)\n- [Troubleshooting](#troubleshooting)\n  - [Error: Failed getting image manifest: 412 Precondition Failed](#error-failed-getting-image-manifest-412-precondition-failed)\n  - [Error: Failed scanning image: image was not found in registry](#error-failed-scanning-image-image-was-not-found-in-registry)\n  - [Error: Failed scanning image: no such registry](#error-failed-scanning-image-no-such-registry)\n  - [Scans are not displayed in the CI/CD Scans page](#scans-are-not-displayed-in-the-cicd-scans-page)\n- [Contributing](#contributing)\n\n## Requirements\n\n1. Harbor \u003e= 1.10\n2. This adapter service requires Aqua Enterprise \u003e= 4.5 deployment to operate. The adapter can be deployed before the\n   Aqua Enterprise installation, but the Aqua Management Console URL and credentials must be known to configure the\n   adapter with the [environment variables](#configuration).\n3. The adapter service also requires the `scannercli` executable binary, in version matching the Aqua Enterprise, to be\n   mounted at `/usr/local/bin/scannercli`. The provided Helm chart mounts the `scannercli` executable automatically by\n   pulling the `registry.aquasec.com/scanner:$AQUA_VERSION` image from Aqua Registry and running it as an\n   [init container][k8s-init-containers]. The init container's command is configured to copy the executable from the\n   container's filesystem to an [emptyDir][k8s-volume-emptyDir] volume, which is shared with the main container. 
This\n   makes the `scannercli` executable available to the main container at `/usr/local/bin/scannercli`.\n\n   \u003e **NOTE**: Make sure that you provide valid Aqua Registry credentials received from Aqua Security as Helm values\n   \u003e in order to create the corresponding image pull secret.\n\n   If you're not using Kubernetes to run the adapter service, you have to download the `scannercli` executable from the\n   Aqua downloads page manually and mount it at `/usr/local/bin/scannercli`.\n   See [Aqua Scanner Executable Binary][aqua-docs-scanner-binary] for more details on manual download.\n4. It is highly recommended to create a new user in the Aqua Management Console with credentials dedicated to the\n   Harbor adapter, e.g. `harbor_scanner`. The adapter does not need full access to Aqua: the `Scanner` role is the only\n   permission required for the `scannercli` executable binary which is run by the adapter service on each scan request.\n   Therefore, create your `harbor_scanner` user and assign it only the `Scanner` role.\n\n   ![](docs/images/aqua_user_for_harbor.png)\n5. It is also highly recommended to create a new user in Harbor for the Aqua Enterprise scanner, with permission only to\n   pull images from Harbor, e.g. `aqua_scanner`. Please remember to add this user as a member of the project in Harbor\n   that you intend to scan the images from.\n\n   ![](docs/images/harbor_user_for_aqua.png)\n6. Finally, add a new Harbor registry integration in Aqua Management Console and use the credentials of the user\n   created in the previous step. 
Please note that the value of the **Registry Name** field corresponds to the\n   `SCANNER_AQUA_REGISTRY` [configuration](#configuration) variable.\n\n   ![](docs/images/adding_harbor_registry_in_aqua.png)\n\n## How does it work?\n\nIn essence, a scan request payload sent by Harbor to the adapter:\n\n```json\n{\n  \"registry\": {\n    \"url\": \"https://core.harbor.domain\",\n    \"authorization\": \"Basic BASE64_ENCODED_CREDENTIALS\"\n  },\n  \"artifact\": {\n    \"repository\": \"library/mongo\",\n    \"tag\": \"3.4-xenial\",\n    \"digest\": \"sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b\",\n    \"mime_type\": \"application/vnd.docker.distribution.manifest.v2+json\"\n  }\n}\n```\n\nis translated to the following `scannercli` command:\n\n```\n$ scannercli scan \\\n    --checkonly \\\n    --dockerless \\\n    --user=$SCANNER_AQUA_USERNAME \\\n    --password=$SCANNER_AQUA_PASSWORD \\\n    --host=$SCANNER_AQUA_HOST \\\n    --registry=$SCANNER_AQUA_REGISTRY \\\n    --robot-username=$HARBOR_ROBOT_ACCOUNT_NAME \\\n    --robot-password=$HARBOR_ROBOT_ACCOUNT_PASSWORD \\\n    --no-verify=$SCANNER_CLI_NO_VERIFY \\\n    --show-negligible=$SCANNER_CLI_SHOW_NEGLIGIBLE \\\n    --jsonfile /var/lib/scanner/reports/aqua_scan_report_0123456789.json \\\n    library/mongo@sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b\n```\n\nFinally, the output report is transformed to Harbor's model and displayed in the Harbor interface.\n\n\u003e **NOTE:** The `SCANNER_AQUA_USE_IMAGE_TAG` env determines whether the image tag (`library/mongo:3.4-xenial`)\n\u003e or digest (`library/mongo@sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b`) is used as\n\u003e the image identifier passed to the `scannercli` command.\n\n\u003e **NOTE:** Harbor version \u003e= 2.0 \u0026\u0026 version \u003c 2.3 no longer set the `tag` property in the scan request.\n\u003e Thus, the `SCANNER_AQUA_USE_IMAGE_TAG` env must be set to `false`.\n\n## 
Deployment\n\nHarbor can be [installed as a Docker service][harbor-docs-installer] or deployed with [high availability via Helm][harbor-docs-helm].\nThis section describes how to perform a new installation of the adapter service in both cases.\n\nIt's also possible to deploy Harbor on Docker (outside the Kubernetes environment) to work with Aqua Enterprise on\nKubernetes, and you should be able to figure it out based on the following instructions.\n\n### Docker\n\nThis section shows how to install the adapter service by [extending the Docker Compose file](https://docs.docker.com/compose/extends/)\ncreated by the Harbor \u003e= 1.10 installer in the `$HARBOR_HOME` directory. We assume that the internal\n[TLS communication between Harbor components][harbor-docs-internal-tls] is enabled and internal certificate files are\nstored in the `$HARBOR_PKI_DIR` directory. The default Harbor data volume path is referred to as `$HARBOR_DATA`. We also\nassume that you installed Aqua Enterprise \u003e= 4.5, and the Aqua Management Console is accessible at\nhttps://aqua-console:8443, and you have valid credentials with permission to scan container images.\n\n1. Export environment variables that are used throughout the installation scripts.\n\n   Review and adapt the values to reflect your installation paths and credentials.\n   ```\n   export HARBOR_HOME=\"/opt/harbor\"\n   export HARBOR_DATA=\"/data\"\n   export HARBOR_PKI_DIR=\"/etc/harbor/pki/internal\"\n\n   export AQUA_VERSION=\"6.5\"\n   export AQUA_CONSOLE_HOST=\"https://aqua-console:8443\"\n   export AQUA_CONSOLE_USERNAME=\u003cyour username\u003e\n   export AQUA_CONSOLE_PASSWORD=\u003cyour password\u003e\n\n   export HARBOR_SCANNER_AQUA_VERSION=\"0.14.0\"\n   ```\n   ```\n   export AQUA_REGISTRY_USERNAME=\u003cyour username\u003e\n   export AQUA_REGISTRY_PASSWORD=\u003cyour password\u003e\n   ```\n2. 
Create the config and data directories for the adapter service.\n   ```\n   mkdir -p $HARBOR_HOME/common/config/aqua-adapter\n   mkdir -p $HARBOR_DATA/aqua-adapter/reports\n   mkdir -p $HARBOR_DATA/aqua-adapter/opt\n   ```\n3. Download the `scannercli` executable binary.\n   1. You can download the binary from the [docs][download-scannercli] page and save it to\n      `$HARBOR_HOME/common/config/aqua-adapter/scannercli`.\n   2. Alternatively you can use the `registry.aquasec.com/scanner:$AQUA_VERSION` image to copy the `scannercli` binary\n      from the container's file system.\n      ```\n      echo $AQUA_REGISTRY_PASSWORD | docker login registry.aquasec.com \\\n        --username $AQUA_REGISTRY_USERNAME --password-stdin\n      ```\n      ```\n      docker run --rm --entrypoint \"\" \\\n        --volume $HARBOR_HOME/common/config/aqua-adapter:/out registry.aquasec.com/scanner:$AQUA_VERSION \\\n        cp /opt/aquasec/scannercli /out\n      ```\n4. Generate certificate files.\n   \u003e **NOTE**: Self signed certificates without SAN were deprecated in Go, therefore you must add the SAN\n   \u003e extension to your certificate files. The DNS name in SAN extension should be the same as CN field.\n   1. Generate a private key.\n      ```\n      openssl genrsa -out $HARBOR_PKI_DIR/aqua_adapter.key 4096\n      ```\n   2. Generate a certificate signing request (CSR).\n\n      Adapt the values in the `-subj` option to reflect your organization.\n      ```\n      openssl req -sha512 -new \\\n        -subj \"/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=aqua-adapter\" \\\n        -key $HARBOR_PKI_DIR/aqua_adapter.key \\\n        -out $HARBOR_PKI_DIR/aqua_adapter.csr\n      ```\n   3. 
Generate an x509 v3 extension file.\n\n      You must create this file so that you can generate a certificate for adapter service host that complies with the\n      Subject Alternative Name (SAN) and x509 v3 extension requirements.\n      ```\n      cat \u003c\u003c EOF \u003e $HARBOR_PKI_DIR/aqua_adapter_v3.ext\n      authorityKeyIdentifier=keyid,issuer\n      basicConstraints=CA:FALSE\n      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n      extendedKeyUsage = serverAuth\n      subjectAltName = @alt_names\n\n      [alt_names]\n      DNS.1=aqua-adapter\n      EOF\n      ```\n   4. Use the `aqua_adapter_v3.ext` file to generate a certificate for adapter service host.\n      \u003e **NOTE**: The certificate must be signed by the internal Harbor CA.\n      ```\n      openssl x509 -req -sha512 -days 365 \\\n        -extfile $HARBOR_PKI_DIR/aqua_adapter_v3.ext \\\n        -CA $HARBOR_PKI_DIR/harbor_internal_ca.crt \\\n        -CAkey $HARBOR_PKI_DIR/harbor_internal_ca.key \\\n        -CAcreateserial \\\n        -in $HARBOR_PKI_DIR/aqua_adapter.csr \\\n        -out $HARBOR_PKI_DIR/aqua_adapter.crt\n      ```\n5. Create the `env` file to configure the adapter service:\n   ```\n   cat \u003c\u003c EOF \u003e $HARBOR_HOME/common/config/aqua-adapter/env\n   SCANNER_LOG_LEVEL=info\n   SCANNER_API_ADDR=:8443\n   SCANNER_API_TLS_KEY=/etc/pki/aqua_adapter.key\n   SCANNER_API_TLS_CERTIFICATE=/etc/pki/aqua_adapter.crt\n   SCANNER_AQUA_HOST=$AQUA_CONSOLE_HOST\n   SCANNER_AQUA_USERNAME=$AQUA_CONSOLE_USERNAME\n   SCANNER_AQUA_PASSWORD=$AQUA_CONSOLE_PASSWORD\n   SCANNER_AQUA_REGISTRY=Harbor\n   SCANNER_AQUA_USE_IMAGE_TAG=false\n   SCANNER_AQUA_REPORTS_DIR=/var/lib/scanner/reports\n   SCANNER_REDIS_URL=redis://redis:6379\n   EOF\n   ```\n6. 
Create `docker-compose.override.yml` file in the `$HARBOR_HOME` directory to install the adapter service:\n   ```\n   cat \u003c\u003c EOF \u003e $HARBOR_HOME/docker-compose.override.yml\n   version: '2.3'\n   services:\n     aqua-adapter:\n       networks:\n         - harbor\n       container_name: aqua-adapter\n       image: docker.io/aquasec/harbor-scanner-aqua:$HARBOR_SCANNER_AQUA_VERSION\n       restart: always\n       cap_drop:\n         - ALL\n       depends_on:\n         - redis\n       env_file:\n         $HARBOR_HOME/common/config/aqua-adapter/env\n       volumes:\n         - type: bind\n           source: $HARBOR_HOME/common/config/aqua-adapter/scannercli\n           target: /usr/local/bin/scannercli\n         - type: bind\n           source: $HARBOR_PKI_DIR/aqua_adapter.key\n           target: /etc/pki/aqua_adapter.key\n         - type: bind\n           source: $HARBOR_PKI_DIR/aqua_adapter.crt\n           target: /etc/pki/aqua_adapter.crt\n         - type: bind\n           source: $HARBOR_DATA/aqua-adapter/reports\n           target: /var/lib/scanner/reports\n         - type: bind\n           source: $HARBOR_DATA/aqua-adapter/opt\n           target: /opt/aquascans\n       logging:\n         driver: \"syslog\"\n         options:\n           syslog-address: \"tcp://127.0.0.1:1514\"\n           tag: \"aqua-scanner\"\n   EOF\n   ```\n7. For some Docker drivers you must explicitly set ownership of config files and data directories to user and\n   group which runs the adapter process, i.e. `1000:1000`:\n   ```\n   chown 1000:1000 $HARBOR_HOME/common/config/aqua-adapter/scannercli\n   chown 1000:1000 $HARBOR_PKI_DIR/aqua_adapter.key\n   chown 1000:1000 $HARBOR_PKI_DIR/aqua_adapter.crt\n   chown 1000:1000 $HARBOR_DATA/aqua-adapter/reports\n   chown 1000:1000 $HARBOR_DATA/aqua-adapter/opt\n   ```\n8. 
Start the adapter service:\n   ```\n   cd $HARBOR_HOME\n   docker-compose up --detach\n   ```\n   The adapter service will be accessible at https://aqua-adapter:8443 from within the `harbor` Docker network.\n9. [Connect Harbor to Aqua scanner.](#configuring-harbor-scanner)\n\n### Kubernetes\n\n\u003e I assume that you installed Aqua Enterprise \u003e= 4.5 with [Aqua Security Helm charts][aqua-helm-chart] in the `aqua`\n\u003e namespace, and the Aqua Management Console is accessible at http://aqua-console-svc.aqua:8080 from within the cluster.\n\n1. Export environment variables that are used throughout the installation scripts.\n\n   Review and adapt the values to reflect your installation paths and credentials.\n   ```\n   export AQUA_VERSION=\"6.5\"\n   export AQUA_CONSOLE_HOST=\"http://aqua-console-svc.aqua:8080\"\n   export AQUA_CONSOLE_USERNAME=\u003cyour username\u003e\n   export AQUA_CONSOLE_PASSWORD=\u003cyour password\u003e\n\n   export AQUA_REGISTRY_USERNAME=\u003cyour username\u003e\n   export AQUA_REGISTRY_PASSWORD=\u003cyour password\u003e\n   ```\n2. Install the `harbor-scanner-aqua` chart:\n   ```\n   helm repo add aqua https://aquasecurity.github.io/helm-charts/\n   helm repo update\n   ```\n   ```\n   helm install harbor-scanner-aqua aqua/harbor-scanner-aqua \\\n     --namespace harbor \\\n     --set aqua.version=$AQUA_VERSION \\\n     --set aqua.registry.server=registry.aquasec.com \\\n     --set aqua.registry.username=$AQUA_REGISTRY_USERNAME \\\n     --set aqua.registry.password=$AQUA_REGISTRY_PASSWORD \\\n     --set scanner.aqua.host=$AQUA_CONSOLE_HOST \\\n     --set scanner.aqua.username=$AQUA_CONSOLE_USERNAME \\\n     --set scanner.aqua.password=$AQUA_CONSOLE_PASSWORD\n   ```\n   The scanner service should be accessible at http://harbor-scanner-aqua.harbor:8080 from within the cluster.\n3. 
[Connect Harbor to Aqua scanner.](#configuring-harbor-scanner)\n\n### OpenShift Container Platform\n\nSimilar to the way that RBAC resources control user access, administrators can use Security Context Constraints (SCCs)\nto control permissions for pods. These permissions include actions that a pod can perform and what resources it can\naccess. You can use SCCs to define a set of conditions that a pod must run with in order to be accepted into the system.\n\nIn particular, SCCs allow an administrator to control:\n* The container user ID\n* The allocation of an fsGroup that owns the pod's volumes\n\nThe harbor-scanner-aqua’s Helm chart deployment template:\n* Runs the underlying pod with a dedicated service account (named after a Helm release)\n* Requires that the pod's containers run as user with ID `1000`\n* Requires that fsGroup that owns the pod's volumes has ID `1000`\n\nTherefore, the harbor-scanner-aqua deployment will be accepted by OpenShift Container Platform only when a service\naccount is granted access to a SCC that:\n* Allows container user with ID `1000`\n* Allows fsGroup with ID `1000`\n\nFor example, if the scanner adapter is installed as the Helm release called `harbor-scanner-aqua` in the `harbor` namespace,\nthe following command has to be run by the administrator to accept the pods:\n\n```\n$ oc adm policy add-scc-to-user \u003cscc name\u003e system:serviceaccount:harbor:harbor-scanner-aqua\n```\n\nwhere `\u003cscc name\u003e` is one of the predefined SCCs or a custom SCC created by the administrator.\nPick the most restrictive SCC that satisfies the two requirements above; a broader one grants the service account\npermissions this deployment does not ask for.\n\n### Configuring Harbor Scanner\n\n1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.\n2. Expand **Administration**, and select **Interrogation Services**.\n   ![Scanners config](docs/images/harbor_ui_scanners_config.png)\n3. Click the **NEW SCANNER** button.\n4. Enter the information to identify the scanner.\n   1. A unique name for this scanner instance to display in the Harbor interface, e.g. 
**Aqua Enterprise 6.5**.\n   2. The API endpoint URL of the adapter service.\n\n      \u003e **NOTE**: For the adapter deployed on Kubernetes the default URL is http://harbor-scanner-aqua.harbor:8080,\n      \u003e whereas for Docker, it's https://aqua-adapter:8443.\n      \u003e The Kubernetes default is plain HTTP, so scan requests, including the registry credentials Harbor passes with\n      \u003e them, cross the cluster network unencrypted. The `SCANNER_API_TLS_CERTIFICATE` and `SCANNER_API_TLS_KEY`\n      \u003e settings (see [Configuration](#configuration)) are the ones that give the adapter a certificate and key.\n\n   ![Add scanner](docs/images/harbor_ui_add_scanner.png)\n5. Click **TEST CONNECTION** to make sure that Harbor can connect successfully to the adapter service.\n\n   \u003e **NOTE**: When you click the **TEST CONNECTION** button Harbor only pings the adapter service. It does not validate\n   \u003e connection to the Aqua Management Console, which is configured with `SCANNER_AQUA_USERNAME`, `SCANNER_AQUA_PASSWORD`,\n   \u003e and `SCANNER_AQUA_HOST` environment variables. If the connection to the Aqua Management Console is misconfigured\n   \u003e you will see an error message in the scan logs accessible from the Harbor interface.\n6. If everything is fine, click **ADD** to save the configuration and connect Harbor to the adapter service.\n7. 
If you configured multiple scanners, you can designate the Aqua Enterprise scanner as the default one by selecting it\n   and clicking **SET AS DEFAULT**.\n   ![Set default scanner](docs/images/harbor_ui_default_scanner.png)\n   Make sure the **Default** label is displayed next to the Aqua scanner's name.\n\n## Configuration\n\nConfiguration of the adapter is done via environment variables at startup.\n\n| Name                                        | Default                            | Description                                                                                                                                                                                                                                                                        |\n|---------------------------------------------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `SCANNER_LOG_LEVEL`                         | `info`                             | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it.                                                                                                                  
|\n| `SCANNER_API_ADDR`                          | `:8080`                            | Binding address for the API HTTP server                                                                                                                                                                                                                                            |\n| `SCANNER_API_TLS_CERTIFICATE`               |                                    | The absolute path to the x509 certificate file                                                                                                                                                                                                                                     |\n| `SCANNER_API_TLS_KEY`                       |                                    | The absolute path to the x509 private key file                                                                                                                                                                                                                                     |\n| `SCANNER_API_READ_TIMEOUT`                  | `15s`                              | The maximum duration for reading the entire request, including the body                                                                                                                                                                                                            |\n| `SCANNER_API_WRITE_TIMEOUT`                 | `15s`                              | The maximum duration before timing out writes of the response                                                                                                                                                                                                                      |\n| `SCANNER_API_IDLE_TIMEOUT`                  | `60s`                              | The maximum amount of time to wait for the next request when keep-alives are enabled             
                                                                                                                                                                                  |\n| `SCANNER_AQUA_USERNAME`                     | N/A                                | Aqua management console username (required)                                                                                                                                                                                                                                        |\n| `SCANNER_AQUA_PASSWORD`                     | N/A                                | Aqua management console password (required)                                                                                                                                                                                                                                        |\n| `SCANNER_AQUA_HOST`                         | `http://csp-console-svc.aqua:8080` | Aqua management console address                                                                                                                                                                                                                                                    |\n| `SCANNER_AQUA_REGISTRY`                     | `Harbor`                           | The name of the Harbor registry configured in Aqua management console                                                                                                                                                                                                              |\n| `SCANNER_AQUA_REPORTS_DIR`                  | `/var/lib/scanner/reports`         | Directory to save temporary scan reports                                                                                                                                                                                                                                           |\n| 
`SCANNER_AQUA_USE_IMAGE_TAG`                | `false`                            | The flag to determine whether the image tag or digest is used in the image reference passed to `scannercli`                                                                                                                                                                        |\n| `SCANNER_CLI_NO_VERIFY`                     | `false`                            | The flag passed to `scannercli` to skip verifying TLS certificates                                                                                                                                                                                                                 |\n| `SCANNER_CLI_SHOW_NEGLIGIBLE`               | `true`                             | The flag passed to `scannercli` to show negligible/unknown severity vulnerabilities                                                                                                                                                                                                |\n| `SCANNER_CLI_OVERRIDE_REGISTRY_CREDENTIALS` | `false`                            | The flag to enable passing `--robot-username` and `--robot-password` flags to the `scannercli` executable binary                                                                                                                                                                   |\n| `SCANNER_CLI_DIRECT_CC`                     | `false`                            | The flag passed to `scannercli` to contact CyberCenter directly (rather than through the Aqua server)                                                                                                                                                                              |\n| `SCANNER_CLI_REGISTER_IMAGES`               | `Never`                            | The flag to determine whether images are registered in Aqua management console: `Never` - skips 
registration; `Compliant` - registers only compliant images; `Always` - registers compliant and non-compliant images.                                                              |\n| `SCANNER_STORE_REDIS_NAMESPACE`             | `harbor.scanner.aqua:store`        | The namespace for keys in the Redis store                                                                                                                                                                                                                                          |\n| `SCANNER_STORE_REDIS_SCAN_JOB_TTL`          | `1h`                               | The time to live for persisting scan jobs and associated scan reports                                                                                                                                                                                                              |\n| `SCANNER_REDIS_URL`                         | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. 
|\n| `SCANNER_REDIS_POOL_MAX_ACTIVE`             | `5`                                | The max number of connections allocated by the pool for the Redis store                                                                                                                                                                                                            |\n| `SCANNER_REDIS_POOL_MAX_IDLE`               | `5`                                | The max number of idle connections in the pool for the Redis store                                                                                                                                                                                                                 |\n| `SCANNER_REDIS_POOL_IDLE_TIMEOUT`           | `5m`                               | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed.                                                                                                                                              |\n| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT`     | `1s`                               | The timeout for connecting to the Redis server                                                                                                                                                                                                                                     |\n| `SCANNER_REDIS_POOL_READ_TIMEOUT`           | `1s`                               | The timeout for reading a single Redis command reply                                                                                                                                                                                                                               |\n| `SCANNER_REDIS_POOL_WRITE_TIMEOUT`          | `1s`                               | The timeout for writing a single Redis command                                                   
                                                                                                                                                                                  |\n\n## Troubleshooting\n\n### Error: Failed getting image manifest: 412 Precondition Failed\n\nCurrently, there's a limitation of `scannercli` in Aqua Enterprise versions \u003c **4.6.20181 (4.6 update 16)** which do not\naccept Harbor robot account credentials passed by a Harbor scan job to the adapter service. This effectively means that\nthe Aqua Enterprise scanner is using the credentials provided in Aqua Management Console under the\n**Integrations** / **Image Registries** section. However, these credentials do not have enough permissions to bypass the\ndeployment security checker when it's enabled in the Harbor project configuration. In other words, the deployment\nsecurity checker prevents the Aqua Enterprise scanner from pulling an image, which it needs to be able to do in order\nto scan it.\n\n![](docs/images/harbor_deployment_security.png)\n\nThe available solution depends on the version of your Aqua Enterprise deployment. In `scannercli` version \u003e= **4.6.20181 (4.6 update 16)**\nwe've introduced new `--robot-username` and `--robot-password` flags to respect credentials provided by Harbor.\n\n- For Aqua Enterprise version \u003c **4.6.20181 (4.6 update 16)** you can only disable deployment security checks in the Harbor\n  interface under the project configuration.\n- For Aqua Enterprise version \u003e= **4.6.20181 (4.6 update 16)** set the value of the `SCANNER_CLI_OVERRIDE_REGISTRY_CREDENTIALS`\n  env to `true`.\n\n### Error: Failed scanning image: image was not found in registry\n\nFor Harbor version \u003e= 2.0 \u0026\u0026 version \u003c 2.3, which do not set the `tag` property in a scan request anymore, the value of the\n`SCANNER_AQUA_USE_IMAGE_TAG` env must be set to `false`. 
This informs the adapter service to use digest rather than tag\nas the image identifier.\n\n### Error: Failed scanning image: no such registry\n\nMake sure the value of the `SCANNER_AQUA_REGISTRY` env is the same as the **Registry Name** entered in Aqua Management\nConsole.\n\n### Scans are not displayed in the CI/CD Scans page\n\nNormally, scans performed via the `scannercli` scan command (not through the daemon mode) are only saved if the images\nare also registered in Aqua Enterprise. To store and display all `scannercli` scans in the **CI/CD Scans** page,\naccessible from within the **Images** page, enable the **Save CI/CD scans** option in the Aqua Management Console.\n\n![](docs/images/aqua_settings_save_cicd_scans.png)\n\nNow, even if the images stored in Harbor were not registered in Aqua Enterprise, you'd see them in the **CI/CD Scans** page.\n\n![](docs/images/aqua_cicd_scans_page.png)\n\n## Contributing\n\nPlease read [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your development environment, and the\ncontribution workflow that we expect.\n\n[release-img]: https://img.shields.io/github/release/aquasecurity/harbor-scanner-aqua.svg?logo=github\n[release]: https://github.com/aquasecurity/harbor-scanner-aqua/releases\n[build-action-img]: https://github.com/aquasecurity/harbor-scanner-aqua/workflows/build/badge.svg\n[actions]: https://github.com/aquasecurity/harbor-scanner-aqua/actions\n[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/harbor-scanner-aqua\n[report-card]: https://goreportcard.com/report/github.com/aquasecurity/harbor-scanner-aqua\n[docker-pulls]: https://img.shields.io/docker/pulls/aquasec/harbor-scanner-aqua\n[license-img]: https://img.shields.io/github/license/aquasecurity/harbor-scanner-aqua.svg\n[license]: https://github.com/aquasecurity/harbor-scanner-aqua/blob/main/LICENSE\n[harbor-url]: https://github.com/goharbor/harbor\n[harbor-helm-chart]: 
https://github.com/goharbor/harbor-helm\n[harbor-docs-installer]: https://goharbor.io/docs/2.3.0/install-config/download-installer/\n[harbor-docs-internal-tls]: https://goharbor.io/docs/2.3.0/install-config/configure-internal-tls/\n[harbor-docs-helm]: https://goharbor.io/docs/2.3.0/install-config/harbor-ha-helm/\n[harbor-pluggable-scanner-api]: https://github.com/goharbor/pluggable-scanner-spec\n[k8s-init-containers]: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/\n[k8s-volume-emptyDir]: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir\n[aqua-docs-scanner-binary]: https://read.aquasec.com/docs/aqua-scanner-executable-binary\n[aqua-helm-chart]: https://github.com/aquasecurity/aqua-helm\n[download-scannercli]: https://read.aquasec.com/docs/aqua-scanner-command-line#section-obtain-the-scanner-executable-binary\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fharbor-scanner-aqua","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fharbor-scanner-aqua","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fharbor-scanner-aqua/lists"}