{"id":13823074,"url":"https://github.com/aquasecurity/harbor-scanner-trivy","last_synced_at":"2025-07-08T16:30:55.300Z","repository":{"id":39380507,"uuid":"196574686","full_name":"aquasecurity/harbor-scanner-trivy","owner":"aquasecurity","description":"Use Trivy as a plug-in vulnerability scanner in the Harbor registry","archived":false,"fork":false,"pushed_at":"2024-04-11T06:54:15.000Z","size":29895,"stargazers_count":196,"open_issues_count":39,"forks_count":68,"subscribers_count":14,"default_branch":"main","last_synced_at":"2024-04-14T01:01:51.363Z","etag":null,"topics":["harbor","harbor-pluggable-scanners","harbor-registry","scanner-adapter","trivy","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://goharbor.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aquasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2019-07-12T12:21:40.000Z","updated_at":"2024-06-26T09:01:48.257Z","dependencies_parsed_at":"2024-01-09T07:45:01.032Z","dependency_job_id":"3676f77a-afd3-4ff0-aa00-38a770a24c1a","html_url":"https://github.com/aquasecurity/harbor-scanner-trivy","commit_stats":null,"previous_names":[],"tags_count":67,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-trivy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-trivy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-trivy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aquasecurity%2Fharbor-scanner-trivy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aquasecurity","download_url":"https://codeload.github.com/aquasecurity/harbor-scanner-trivy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225449288,"owners_count":17476069,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["harbor","harbor-pluggable-scanners","harbor-registry","scanner-adapter","trivy","vulnerability-scanner"],"created_at":"2024-08-04T09:00:20.259Z","updated_at":"2024-11-20T00:30:51.791Z","avatar_url":"https://github.com/aquasecurity.png","language":"Go","funding_links":[],"categories":["Projects","Go"],"sub_categories":[],"readme":"[![GitHub Release][release-img]][release]\n[![GitHub Build Actions][build-action-img]][actions]\n[![Go Report Card][report-card-img]][report-card]\n[![License][license-img]][license]\n![Docker Pulls / Aqua][docker-pulls-aqua]\n![Docker Pulls / Harbor][docker-pulls-harbor]\n\n# IMPORTANT: This repository is no longer maintained. Future development in this project will happen in the repository: https://github.com/goharbor/harbor-scanner-trivy\n\n# Harbor Scanner Adapter for Trivy\n\nThe Harbor [Scanner Adapter][harbor-pluggable-scanners] for [Trivy] is a service that translates the [Harbor] scanning\nAPI into Trivy commands and allows Harbor to use Trivy for providing vulnerability reports on images stored in Harbor\nregistry as part of its vulnerability scan feature.\n\nHarbor Scanner Adapter for Trivy is the default static vulnerability scanner in Harbor \u003e= 2.2.\n\n![Vulnerabilities](docs/images/vulnerabilities.png)\n\nFor compliance with core components Harbor builds the adapter service binaries into Docker images based on Photos OS\n(`goharbor/trivy-adapter-photon`), whereas in this repository we build Docker images based on Alpine\n(`aquasec/harbor-scanner-trivy`). There is no difference in functionality though.\n\n## TOC\n\n- [Version Matrix](#version-matrix)\n- [Deployment](#deployment)\n - [Harbor \u003e= 2.0 on Kubernetes](#harbor--20-on-kubernetes)\n - [Harbor 1.10 on Kubernetes](#harbor-110-on-kubernetes)\n- [Configuration](#configuration)\n- [Documentation](#documentation)\n- [Troubleshooting](#troubleshooting)\n- [Contributing](#contributing)\n\n## Version Matrix\n\nThe following matrix indicates the version of Trivy and Trivy adapter installed in each Harbor\n[release](https://github.com/goharbor/harbor/releases).\n\n| Harbor | Trivy Adapter | Trivy |\n|------------------|---------------|-----------------|\n| - | v0.31.4 | [trivy v0.54.1] |\n| - | v0.31.3 | [trivy v0.52.2] |\n| - | v0.31.2 | [trivy v0.51.2] |\n| - | v0.31.1 | [trivy v0.50.4] |\n| - | v0.31.0 | [trivy v0.50.1] |\n| - | v0.30.23 | [trivy v0.50.1] |\n| - | v0.30.22 | [trivy v0.49.1] |\n| - | v0.30.21 | [trivy v0.48.3] |\n| - | v0.30.20 | [trivy v0.48.1] |\n| - | v0.30.19 | [trivy v0.47.0] |\n| - | v0.30.18 | [trivy v0.46.1] |\n| - | v0.30.17 | [trivy v0.46.0] |\n| - | v0.30.16 | [trivy v0.45.0] |\n| - | v0.30.15 | [trivy v0.44.0] |\n| - | v0.30.14 | [trivy v0.43.0] |\n| - | v0.30.13 | [trivy v0.43.0] |\n| - | v0.30.12 | [trivy v0.42.0] |\n| - | v0.30.11 | [trivy v0.40.0] |\n| - | v0.30.10 | [trivy v0.39.0] |\n| - | v0.30.9 | [trivy v0.38.2] |\n| - | v0.30.8 | [trivy v0.38.2] |\n| - | v0.30.7 | [trivy v0.37.2] |\n| - | v0.30.6 | [trivy v0.35.0] |\n| - | v0.30.5 | [trivy v0.35.0] |\n| - | v0.30.4 | [trivy v0.35.0] |\n| - | v0.30.3 | [trivy v0.35.0] |\n| - | v0.30.2 | [trivy v0.32.1] |\n| - | v0.30.0 | [trivy v0.29.2] |\n| - | v0.29.0 | [trivy v0.28.1] |\n| [harbor v2.5.1] | v0.28.0 | [trivy v0.26.0] |\n| - | v0.27.0 | [trivy v0.25.0] |\n| [harbor v2.5.0] | v0.26.0 | [trivy v0.24.2] |\n| - | v0.25.0 | [trivy v0.22.0] |\n| [harbor v2.4.1] | v0.24.0 | [trivy v0.20.1] |\n| [harbor v2.4.0] | v0.24.0 | [trivy v0.20.1] |\n| - | v0.23.0 | [trivy v0.20.0] |\n| - | v0.22.0 | [trivy v0.19.2] |\n| - | v0.21.0 | [trivy v0.19.2] |\n| - | v0.20.0 | [trivy v0.18.3] |\n| [harbor v2.3.3] | v0.19.0 | [trivy v0.17.2] |\n| [harbor v2.3.0] | v0.19.0 | [trivy v0.17.2] |\n| [harbor v2.2.3] | v0.18.0 | [trivy v0.16.0] |\n| [harbor v2.2.0] | v0.18.0 | [trivy v0.16.0] |\n| [harbor v2.1.6] | v0.14.1 | [trivy v0.9.2] |\n| [harbor v2.1.0] | v0.14.1 | [trivy v0.9.2] |\n\n[harbor v2.5.1]: https://github.com/goharbor/harbor/releases/tag/v2.5.1\n[harbor v2.5.0]: https://github.com/goharbor/harbor/releases/tag/v2.5.0\n[harbor v2.4.1]: https://github.com/goharbor/harbor/releases/tag/v2.4.1\n[harbor v2.4.0]: https://github.com/goharbor/harbor/releases/tag/v2.4.0\n[harbor v2.3.3]: https://github.com/goharbor/harbor/releases/tag/v2.3.3\n[harbor v2.3.0]: https://github.com/goharbor/harbor/releases/tag/v2.3.0\n[harbor v2.2.3]: https://github.com/goharbor/harbor/releases/tag/v2.2.3\n[harbor v2.2.0]: https://github.com/goharbor/harbor/releases/tag/v2.2.0\n[harbor v2.1.6]: https://github.com/goharbor/harbor/releases/tag/v2.1.6\n[harbor v2.1.0]: https://github.com/goharbor/harbor/releases/tag/v2.1.0\n\n[trivy v0.48.1]: https://github.com/aquasecurity/trivy/releases/tag/v0.48.1\n[trivy v0.47.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.47.0\n[trivy v0.46.1]: https://github.com/aquasecurity/trivy/releases/tag/v0.46.1\n[trivy v0.46.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.46.0\n[trivy v0.45.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.45.0\n[trivy v0.44.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.44.0\n[trivy v0.43.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.43.0\n[trivy v0.42.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.42.0\n[trivy v0.40.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.40.0\n[trivy v0.39.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.39.0\n[trivy v0.38.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.38.2\n[trivy v0.37.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.37.2\n[trivy v0.35.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.35.0\n[trivy v0.32.1]: https://github.com/aquasecurity/trivy/releases/tag/v0.32.1\n[trivy v0.29.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.29.2\n[trivy v0.28.1]: https://github.com/aquasecurity/trivy/releases/tag/v0.28.1\n[trivy v0.26.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.26.0\n[trivy v0.25.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.25.0\n[trivy v0.24.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.24.2\n[trivy v0.22.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.22.0\n[trivy v0.20.1]: https://github.com/aquasecurity/trivy/releases/tag/v0.20.1\n[trivy v0.20.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.20.0\n[trivy v0.19.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.19.2\n[trivy v0.18.3]: https://github.com/aquasecurity/trivy/releases/tag/v0.18.3\n[trivy v0.17.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.17.2\n[trivy v0.16.0]: https://github.com/aquasecurity/trivy/releases/tag/v0.16.0\n[trivy v0.9.2]: https://github.com/aquasecurity/trivy/releases/tag/v0.9.2\n\n## Deployment\n\n### Harbor \u003e= 2.0 on Kubernetes\n\nIn Harbor \u003e= 2.0 Trivy can be configured as the default vulnerability scanner, therefore you can install it with the\nofficial [Harbor Helm chart], where `HARBOR_CHART_VERSION` \u003e= 1.4:\n\n```\nhelm repo add harbor https://helm.goharbor.io\n```\n\n```\nhelm install harbor harbor/harbor \\\n --create-namespace \\\n --namespace harbor\n```\n\nThe adapter service is automatically registered under the **Interrogation Service** in the Harbor interface and\ndesignated as the default scanner.\n\n### Harbor 1.10 on Kubernetes\n\n1. Install the `harbor-scanner-trivy` chart:\n\n ```\n helm repo add aqua https://aquasecurity.github.io/helm-charts\n ```\n\n ```\n helm install harbor-scanner-trivy aqua/harbor-scanner-trivy \\\n --namespace harbor --create-namespace\n ```\n\n2. Configure the scanner adapter in the Harbor interface.\n 1. Navigate to **Interrogation Services** and click **+ NEW SCANNER**.\n ![Interrogation Services](docs/images/interrogation_services.png)\n 2. Enter \u003chttp://harbor-scanner-trivy.harbor:8080\u003e as the **Endpoint** URL and click **TEST CONNECTION**.\n ![Add scanner](docs/images/add_scanner.png)\n 3. If everything is fine click **ADD** to save the configuration.\n3. Select the **Trivy** scanner and set it as default by clicking **SET AS DEFAULT**.\n ![Set Trivy as default scanner](docs/images/default_scanner.png)\n Make sure the **Default** label is displayed next to the **Trivy** scanner's name.\n\n## Configuration\n\nConfiguration of the adapter is done via environment variables at startup.\n\n| Name | Default | Description |\n|-----------------------------------------|------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. |\n| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server |\n| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file |\n| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file |\n| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate |\n| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body |\n| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response |\n| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled |\n| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics |\n| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory |\n| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory |\n| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode |\n| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. |\n| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. |\n| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed |\n| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities |\n| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file |\n| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. |\n| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. |\n| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. |\n| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) |\n| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate |\n| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion |\n| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store |\n| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports |\n| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis |\n| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue |\n| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. |\n| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool |\n| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool |\n| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. |\n| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server |\n| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply |\n| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. |\n| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server |\n| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server |\n| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to |\n\n## Documentation\n\n- [Architecture](./docs/ARCHITECTURE.md) - architectural decisions behind designing harbor-scanner-trivy.\n- [Releases](./docs/RELEASES.md) - how to release a new version of harbor-scanner-trivy.\n\n## Troubleshooting\n\n### Error: database error: --skip-db-update cannot be specified on the first run\n\nIf you set the value of the `SCANNER_TRIVY_SKIP_UPDATE` to `true`, make sure that you download the [Trivy DB]\nand mount it in the `/home/scanner/.cache/trivy/db/trivy.db` path.\n\n### Error: failed to list releases: Get \u003chttps://api.github.com/repos/aquasecurity/trivy-db/releases\u003e: dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:39070-\u003e127.0.0.11:53: i/o timeout\n\nMost likely it's a Docker DNS server or network firewall configuration issue. Trivy requires internet connection to\nperiodically download vulnerability database from GitHub to show up-to-date risks.\n\nTry adding a DNS server to `docker-compose.yml` created by Harbor installer.\n\n```yaml\nversion: 2\nservices:\n trivy-adapter:\n # NOTE Adjust IPs to your environment.\n dns:\n - 8.8.8.8\n - 192.168.1.1\n```\n\nAlternatively, configure Docker daemon to use the same DNS server as host operating system. See [DNS services][docker-dns]\nsection in the Docker container networking documentation for more details.\n\n### Error: failed to list releases: GET \u003chttps://api.github.com/repos/aquasecurity/trivy-db/releases\u003e: 403 API rate limit exceeded\n\nTrivy DB downloads from GitHub are subject to [rate limiting][gh-rate-limit]. Make sure that the Trivy DB is mounted\nand cached in the `/home/scanner/.cache/trivy/db/trivy.db` path. If, for any reason, it's not enough you can set the\nvalue of the `SCANNER_TRIVY_GITHUB_TOKEN` environment variable (authenticated requests get a higher rate limit).\n\n## Contributing\n\nPlease read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, and the process for submitting pull\nrequests.\n\n---\nHarbor Scanner Adapter for Trivy is an [Aqua Security](https://aquasec.com) open source project. \nLearn about our open source work and portfolio [here](https://www.aquasec.com/products/open-source-projects/).\n\n[release-img]: https://img.shields.io/github/release/aquasecurity/harbor-scanner-trivy.svg?logo=github\n[release]: https://github.com/aquasecurity/harbor-scanner-trivy/releases\n[build-action-img]: https://github.com/aquasecurity/harbor-scanner-trivy/workflows/build/badge.svg\n[actions]: https://github.com/aquasecurity/harbor-scanner-trivy/actions\n[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/harbor-scanner-trivy\n[report-card]: https://goreportcard.com/report/github.com/aquasecurity/harbor-scanner-trivy\n[docker-pulls-aqua]: https://img.shields.io/docker/pulls/aquasec/harbor-scanner-trivy?logo=docker\u0026label=docker%20pulls%20%2F%20aquasec\n[docker-pulls-harbor]: https://img.shields.io/docker/pulls/goharbor/trivy-adapter-photon?logo=docker\u0026label=docker%20pulls%20%2F%20goharbor\n[license-img]: https://img.shields.io/github/license/aquasecurity/harbor-scanner-trivy.svg\n[license]: https://github.com/aquasecurity/harbor-scanner-trivy/blob/main/LICENSE\n\n[Harbor]: https://github.com/goharbor/harbor\n[Harbor Helm chart]: https://github.com/goharbor/harbor-helm\n[Trivy]: https://github.com/aquasecurity/trivy\n[Trivy DB]: https://github.com/aquasecurity/trivy-db\n[harbor-pluggable-scanners]: https://github.com/goharbor/community/blob/master/proposals/pluggable-image-vulnerability-scanning_proposal.md\n[gh-rate-limit]: https://github.com/aquasecurity/trivy#github-rate-limiting\n[docker-dns]: https://docs.docker.com/config/containers/container-networking/#dns-services\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fharbor-scanner-trivy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faquasecurity%2Fharbor-scanner-trivy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faquasecurity%2Fharbor-scanner-trivy/lists"}