{"id":13416505,"url":"https://github.com/goharbor/harbor","last_synced_at":"2026-06-17T09:01:40.747Z","repository":{"id":37318799,"uuid":"50613991","full_name":"goharbor/harbor","owner":"goharbor","description":"An open source trusted cloud native registry project that stores, signs, and scans content.","archived":false,"fork":false,"pushed_at":"2026-06-12T07:53:59.000Z","size":264180,"stargazers_count":28685,"open_issues_count":831,"forks_count":5255,"subscribers_count":518,"default_branch":"main","last_synced_at":"2026-06-12T09:24:32.459Z","etag":null,"topics":["cloud-native","cncf","cncf-project","container","container-management","container-registry","containers","docker","hacktoberfest","helm","kubernetes","registry"],"latest_commit_sha":null,"homepage":"https://goharbor.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/goharbor.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-01-28T21:10:28.000Z","updated_at":"2026-06-12T09:08:15.000Z","dependencies_parsed_at":"2026-03-08T08:08:27.152Z","dependency_job_id":"04a9cebd-acfd-403b-8971-a9ffccb82bf3","html_url":"https://github.com/goharbor/harbor","commit_stats":{"total_commits":7756,"total_committers":384,"mean_commits":"20.197916666666668","dds":0.8750644662197009,"last_synced_commit":"8bf710a4059415096a2fe882af1ab019eb0079b6"},"previous_names":["vmware/harbor"],"tags_count":367,"template":false,"template_full_name":null,"purl":"pkg:github/goharbor/harbor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goharbor%2Fharbor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goharbor%2Fharbor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goharbor%2Fharbor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goharbor%2Fharbor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/goharbor","download_url":"https://codeload.github.com/goharbor/harbor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goharbor%2Fharbor/sbom","scorecard":{"id":433997,"data":{"date":"2025-08-11","repo":{"name":"github.com/goharbor/harbor","commit":"e80b940942314b38be586d73bcfe108acc06a9df"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.8,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/CI.yml:1","Warn: no topLevel permission defined: .github/workflows/auto_assign_prs.yml:1","Warn: no topLevel permission defined: .github/workflows/build-package.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/conformance_test.yml:1","Warn: no topLevel permission defined: .github/workflows/housekeeping-stale-issues-prs.yaml:1","Warn: no topLevel permission defined: .github/workflows/label_check.yaml:1","Warn: no topLevel permission defined: .github/workflows/nightly-trivy-scan.yml:1","Warn: no topLevel permission defined: .github/workflows/pass-CI.yml:1","Warn: no topLevel permission defined: .github/workflows/publish_release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":7,"reason":"badge detected: Silver","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.13.2 not signed: https://api.github.com/repos/goharbor/harbor/releases/236521335","Warn: release artifact v2.13.2-rc1 not signed: https://api.github.com/repos/goharbor/harbor/releases/236453680","Warn: release artifact v2.13.1 not signed: https://api.github.com/repos/goharbor/harbor/releases/220908046","Warn: release artifact v2.13.1-rc3 not signed: https://api.github.com/repos/goharbor/harbor/releases/220276669","Warn: release artifact v2.12.4 not signed: https://api.github.com/repos/goharbor/harbor/releases/220555570","Warn: release artifact v2.13.2 does not have provenance: https://api.github.com/repos/goharbor/harbor/releases/236521335","Warn: release artifact v2.13.2-rc1 does not have provenance: https://api.github.com/repos/goharbor/harbor/releases/236453680","Warn: release artifact v2.13.1 does not have provenance: https://api.github.com/repos/goharbor/harbor/releases/220908046","Warn: release artifact v2.13.1-rc3 does not have provenance: https://api.github.com/repos/goharbor/harbor/releases/220276669","Warn: release artifact v2.12.4 does not have provenance: https://api.github.com/repos/goharbor/harbor/releases/220555570"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: a command can only contain words and redirects; encountered (: tools/notary-migration-fix.sh:51","Info: Possibly incomplete results: error parsing shell code: a command can only contain words and redirects; encountered (: tools/notary-migration-fix.sh:55","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:226: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:230: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:270: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:288: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:335: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:338: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/CI.yml:349: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/CI.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:106: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:152: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/CI.yml:212: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/CI.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto_assign_prs.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/auto_assign_prs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-package.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-package.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-package.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-package.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-package.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-package.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/build-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/codeql-analysis.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/conformance_test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/conformance_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/conformance_test.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/conformance_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/conformance_test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/conformance_test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/housekeeping-stale-issues-prs.yaml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/housekeeping-stale-issues-prs.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/label_check.yaml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/label_check.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-trivy-scan.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/nightly-trivy-scan.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/nightly-trivy-scan.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/nightly-trivy-scan.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/nightly-trivy-scan.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/nightly-trivy-scan.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish_release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/publish_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish_release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/publish_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish_release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/publish_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish_release.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/publish_release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish_release.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/goharbor/harbor/publish_release.yml/main?enable=pin","Warn: containerImage not pinned by hash: make/photon/core/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/core/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/db/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/db/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/exporter/Dockerfile:5","Warn: containerImage not pinned by hash: make/photon/exporter/Dockerfile:15","Warn: containerImage not pinned by hash: make/photon/exporter/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/jobservice/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/jobservice/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/log/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/log/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/nginx/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/nginx/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/portal/Dockerfile:4","Warn: containerImage not pinned by hash: make/photon/portal/Dockerfile:25","Warn: containerImage not pinned by hash: make/photon/portal/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/prepare/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/prepare/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/redis/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/redis/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/registry/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/registry/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/registry/Dockerfile.binary:2","Warn: containerImage not pinned by hash: make/photon/registryctl/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/registryctl/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/standalone-db-migrator/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/trivy-adapter/Dockerfile:3","Warn: containerImage not pinned by hash: make/photon/trivy-adapter/Dockerfile.base:1: pin your Docker image by updating photon:5.0 to photon:5.0@sha256:6c69a0137a38940451994541c7d3a03800700b5cebcd2ede301118ea14185b44","Warn: containerImage not pinned by hash: make/photon/trivy-adapter/Dockerfile.binary:2","Warn: containerImage not pinned by hash: src/portal/docker-build/Dockerfile:1","Warn: containerImage not pinned by hash: src/portal/docker-build/Dockerfile:19: pin your Docker image by updating nginx:1.17 to nginx:1.17@sha256:6fff55753e3b34e36e24e37039ee9eae1fe38a6420d8ae16ef37c92d1eb26699","Warn: containerImage not pinned by hash: tests/robot-cases/Group2-Longevity/Dockerfile.longevity:1: pin your Docker image by updating busybox:1.26 to busybox:1.26@sha256:be3c11fdba7cfe299214e46edc642e09514dbb9bbefcd0d3836c05a1e0cd0642","Warn: containerImage not pinned by hash: tests/test-engine-image/Dockerfile.api_test:2: pin your Docker image by updating photon:4.0 to photon:4.0@sha256:b2432183336c534c85d2ef93affa004665b126dec1ac6735543088ded3b5df11","Warn: containerImage not pinned by hash: tests/test-engine-image/Dockerfile.common:1","Warn: containerImage not pinned by hash: tests/test-engine-image/Dockerfile.ui_test:2: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214","Warn: containerImage not pinned by hash: tools/migrate_chart/Dockerfile:1: pin your Docker image by updating python:3.8.5-slim to python:3.8.5-slim@sha256:502cd057453744145010eceb5a4af1e4f04ebed54f6e1e8d23d29ebe2afdbe6d","Warn: containerImage not pinned by hash: tools/mockery/Dockerfile:2","Warn: containerImage not pinned by hash: tools/spectral/Dockerfile:2","Warn: containerImage not pinned by hash: tools/swagger/Dockerfile:2","Warn: npmCommand not pinned by hash: make/photon/portal/Dockerfile:14","Warn: npmCommand not pinned by hash: make/photon/portal/Dockerfile:17-18","Warn: npmCommand not pinned by hash: make/photon/portal/Dockerfile:22","Warn: pipCommand not pinned by hash: make/photon/prepare/Dockerfile.base:4","Warn: npmCommand not pinned by hash: src/portal/docker-build/Dockerfile:11","Warn: npmCommand not pinned by hash: src/portal/docker-build/Dockerfile:16","Warn: pipCommand not pinned by hash: tests/test-engine-image/Dockerfile.api_test:12-31","Warn: pipCommand not pinned by hash: tests/test-engine-image/Dockerfile.ui_test:35-37","Warn: pipCommand not pinned by hash: tests/test-engine-image/Dockerfile.ui_test:39-43","Warn: pipCommand not pinned by hash: tools/migrate_chart/Dockerfile:9-13","Warn: pipCommand not pinned by hash: tools/migrate_chart/Dockerfile:9-13","Warn: pipCommand not pinned by hash: tools/migrate_chart/Dockerfile:9-13","Warn: npmCommand not pinned by hash: tests/ci/ui_ut_run.sh:6","Warn: npmCommand not pinned by hash: tests/ci/ui_ut_run.sh:7","Warn: npmCommand not pinned by hash: tests/ci/ui_ut_run.sh:8","Warn: goCommand not pinned by hash: tests/ci/ut_install.sh:14","Warn: goCommand not pinned by hash: tests/ci/ut_install.sh:15","Warn: goCommand not pinned by hash: tests/ci/ut_install.sh:16","Warn: downloadThenRun not pinned by hash: tests/ci/ut_install.sh:21","Info:   0 out of  27 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  13 third-party GitHubAction dependencies pinned","Info:   0 out of  39 containerImage dependencies pinned","Info:   0 out of   8 npmCommand dependencies pinned","Info:   0 out of   7 pipCommand dependencies pinned","Info:   0 out of   3 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":0,"reason":"33 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3460","Warn: Project is vulnerable to: GO-2025-3607 / GHSA-rq77-p4h8-4crw","Warn: Project is vulnerable to: GHSA-9h84-qmv7-982p","Warn: Project is vulnerable to: GHSA-f9f8-9pmf-xv68","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh","Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w","Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf","Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674","Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-cg87-wmx4-v546","Warn: Project is vulnerable to: GHSA-m4gq-x24j-jpmf","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6","Warn: Project is vulnerable to: GHSA-x574-m823-4x7w","Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8","Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x","Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4","Warn: Project is vulnerable to: GHSA-859w-5945-r5v3"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T04:08:42.960Z","repository_id":37318799,"created_at":"2025-08-19T04:08:42.961Z","updated_at":"2025-08-19T04:08:42.961Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34441285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-17T02:00:05.408Z","response_time":127,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","cncf","cncf-project","container","container-management","container-registry","containers","docker","hacktoberfest","helm","kubernetes","registry"],"created_at":"2024-07-30T21:00:59.889Z","updated_at":"2026-06-17T09:01:38.660Z","avatar_url":"https://github.com/goharbor.png","language":"Go","funding_links":[],"categories":["Infrastructure","Docker Images","HarmonyOS","Go","Misc","Containers","Container Tools","Image registry:","网络服务","工具","Tools","Platform Engineering","kubernetes","Application Recommendation","Docker-Tools","Storage \u0026 Data Management","docker","\u003ca id=\"1d9dec1320a5d774dc8e0e7604edfcd3\"\u003e\u003c/a\u003e工具-新添加的","Identity, signing and provenance","Image Lifecycle","Repos"],"sub_categories":["Registry","Windows Manager","MultiCloud Governance","网络服务_其他","容器扫描","Container Scanning","Artifact Management","🛠️ DevOps","\u003ca id=\"8f1b9c5c2737493524809684b934d49a\"\u003e\u003c/a\u003e文章\u0026\u0026视频","Supply chain beyond libraries"],"readme":"# Harbor\n[![CI](https://github.com/goharbor/harbor/actions/workflows/CI.yml/badge.svg)](https://github.com/goharbor/harbor/actions/workflows/CI.yml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/goharbor/harbor)](https://goreportcard.com/report/github.com/goharbor/harbor)\n[![Coverage Status](https://codecov.io/gh/goharbor/harbor/branch/main/graph/badge.svg)](https://codecov.io/gh/goharbor/harbor)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2095/badge)](https://bestpractices.coreinfrastructure.org/projects/2095)\n[![Codacy Badge](https://app.codacy.com/project/badge/Grade/792fe1755edc4d6e91f4c3469f553389)](https://www.codacy.com/gh/goharbor/harbor/dashboard?utm_source=github.com\u0026amp;utm_medium=referral\u0026amp;utm_content=goharbor/harbor\u0026amp;utm_campaign=Badge_Grade)\n![Code scanning - action](https://github.com/goharbor/harbor/workflows/Code%20scanning%20-%20action/badge.svg)\n![OCI Distribution Conformance Tests](https://github.com/goharbor/harbor/workflows/CONFORMANCE_TEST/badge.svg)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor?ref=badge_shield)\n[![Helm Chart on Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/harbor)](https://artifacthub.io/packages/helm/harbor/harbor)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/goharbor/harbor/badge)](https://scorecard.dev/viewer/?uri=github.com/goharbor/harbor)\n\u003c/br\u003e\n\n|![notification](https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/bell-outline-badged.svg)Community Meeting|\n|------------------|\n|The Harbor Project holds bi-weekly community calls in two different timezones. To join the community calls or to watch previous meeting notes and recordings, please visit the [meeting schedule](https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md).|\n\n\u003c/br\u003e \u003c/br\u003e\n\n**Note**: The `main` branch may be in an *unstable or even broken state* during development.\nPlease use [releases](https://github.com/goharbor/harbor/releases) instead of the `main` branch in order to get a stable set of binaries.\n\n\u003cimg alt=\"Harbor\" src=\"https://raw.githubusercontent.com/goharbor/website/master/docs/img/readme/harbor_logo.png\"\u003e\n\nHarbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Having a registry closer to the build and run environment can improve the image transfer efficiency. Harbor supports replication of images between registries, and also offers advanced security features such as user management, access control and activity auditing.\n\nHarbor is hosted by the [Cloud Native Computing Foundation](https://cncf.io) (CNCF). If you are an organization that wants to help shape the evolution of cloud native technologies, consider joining the CNCF. For details about who is involved and how Harbor plays a role, read the CNCF\n[announcement](https://www.cncf.io/blog/2018/07/31/cncf-to-host-harbor-in-the-sandbox/).\n\n## Features\n\n* **Cloud native registry**: With support for both container images and [Helm](https://helm.sh) charts, Harbor serves as registry for cloud native environments like container runtimes and orchestration platforms.\n* **Role based access control**: Users access different repositories through 'projects' and a user can have different permission for images or Helm charts under a project.\n* **Policy based replication**: Images and charts can be replicated (synchronized) between multiple registry instances based on policies with using filters (repository, tag and label). Harbor automatically retries a replication if it encounters any errors. This can be used to assist loadbalancing, achieve high availability, and facilitate multi-datacenter deployments in hybrid and multi-cloud scenarios.\n* **Vulnerability Scanning**: Harbor scans images regularly for vulnerabilities and has policy checks to prevent vulnerable images from being deployed.\n* **LDAP/AD support**: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor that can then be given permissions to specific projects.\n* **OIDC support**: Harbor leverages OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled to log into the Harbor portal.\n* **Image deletion \u0026 garbage collection**: System administrators can run garbage collection jobs so that images (dangling manifests and unreferenced blobs) can be deleted and their space can be freed up periodically.\n* **Notary**: Support signing container images using Docker Content Trust (leveraging Notary) for guaranteeing authenticity and provenance.  In addition, policies that prevent unsigned images from being deployed can also be activated.\n* **Graphical user portal**: User can easily browse, search repositories and manage projects.\n* **Auditing**: All the operations to the repositories are tracked through logs.\n* **RESTful API**: RESTful APIs are provided to facilitate administrative operations, and are easy to use for integration with external systems. An embedded Swagger UI is available for exploring and testing the API.\n* **Easy deployment**: Harbor can be deployed via Docker compose as well Helm Chart, and a Harbor Operator was added recently as well.\n\n## Architecture\n\nFor learning the architecture design of Harbor, check the document [Architecture Overview of Harbor](https://github.com/goharbor/harbor/wiki/Architecture-Overview-of-Harbor).\n\n## API\n\n* Harbor RESTful API: The APIs for most administrative operations of Harbor and can be used to perform integrations with Harbor programmatically.\n  * Part 1: [New or changed APIs](https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/harbor/main/api/v2.0/swagger.yaml)\n\n## Install \u0026 Run\n**System requirements:**\n\n**On a Linux host:** docker 20.10.10-ce+ and docker-compose 1.18.0+ .\n\nDownload binaries of **[Harbor release ](https://github.com/goharbor/harbor/releases)** and follow **[Installation \u0026 Configuration Guide](https://goharbor.io/docs/latest/install-config/)** to install Harbor.\n\nIf you want to deploy Harbor on Kubernetes, please use the **[Harbor chart](https://github.com/goharbor/harbor-helm)**.\n\nRefer to the **[documentation](https://goharbor.io/docs/)** for more details on how to use Harbor.\n### Verifying Release Signatures\nStarting with v2.15.0, Harbor release artifacts are cryptographically signed using Cosign to ensure authenticity and integrity.\n\nDownload the installers and signature bundles from the Harbor releases page.\n\n#### Quick Verification\n```bash\n# Install Cosign (v2.0+)\nbrew install sigstore/tap/cosign\n\n# Verify signature\ncosign verify-blob \\\n  --bundle harbor-offline-installer-v2.15.0.tgz.sigstore.json \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  --certificate-identity-regexp '^https://github.com/goharbor/harbor/.github/workflows/publish_release.yml@refs/tags/v.*$' \\\n  harbor-offline-installer-v2.15.0.tgz\n```\n- *Expected output:* Verified OK\n\n- *Full verification guide:* [docs/signature-verification.md](docs/signature-verification.md)\n\n## OCI Distribution Conformance Tests\n\nCheck the OCI distribution conformance tests [report](https://storage.googleapis.com/harbor-conformance-test/report.html) of Harbor.\n\n## Compatibility\n\nThe [compatibility list](https://goharbor.io/docs/edge/install-config/harbor-compatibility-list/) document provides compatibility information for the Harbor components.\n\n* [Replication adapters](https://goharbor.io/docs/edge/install-config/harbor-compatibility-list/#replication-adapters)\n* [OIDC adapters](https://goharbor.io/docs/edge/install-config/harbor-compatibility-list/#oidc-adapters)\n* [Scanner adapters](https://goharbor.io/docs/edge/install-config/harbor-compatibility-list/#scanner-adapters)\n\n## Community\n\n* **Twitter:** [@project_harbor](https://twitter.com/project_harbor)\n* **User Group:** Join Harbor user email group: [harbor-users@lists.cncf.io](https://lists.cncf.io/g/harbor-users) to get update of Harbor's news, features, releases, or to provide suggestion and feedback.\n* **Developer Group:** Join Harbor developer group: [harbor-dev@lists.cncf.io](https://lists.cncf.io/g/harbor-dev) for discussion on Harbor development and contribution.\n* **Slack:** Join Harbor's community for discussion and ask questions: [Cloud Native Computing Foundation](https://slack.cncf.io/), channel: [#harbor](https://cloud-native.slack.com/messages/harbor/) and [#harbor-dev](https://cloud-native.slack.com/messages/harbor-dev/)\n\n## Demos\n\n* **[Live Demo](https://demo.goharbor.io)** - A demo environment with the latest Harbor stable build installed. For additional information please refer to [this page](https://goharbor.io/docs/latest/install-config/demo-server/).\n* **[Video Demos](https://github.com/goharbor/harbor/wiki/Video-demos-for-Harbor)** - Demos for Harbor features and continuously updated.\n\n## Partners and Users\n\nFor a list of users, please refer to [ADOPTERS.md](ADOPTERS.md).\n\n## Security\n\n### Security Audit\n\nA third party security audit was performed by Cure53 in October 2019. You can see the full report [here](https://goharbor.io/docs/2.0.0/security/Harbor_Security_Audit_Oct2019.pdf).\n\n### Reporting security vulnerabilities\n\nIf you've found a security related issue, a vulnerability, or a potential vulnerability in Harbor please let the [Harbor Security Team](mailto:cncf-harbor-security@lists.cncf.io) know with the details of the vulnerability. We'll send a confirmation\nemail to acknowledge your report, and we'll send an additional email when we've identified the issue\npositively or negatively.\n\nFor further details please see our complete [security release process](SECURITY.md).\n\n## License\n\nHarbor is available under the [Apache 2 license](LICENSE).\n\nThis project uses open source components which have additional licensing terms.  The official docker images and licensing terms for these open source components can be found at the following locations:\n\n* Photon OS 1.0: [docker image](https://hub.docker.com/_/photon/), [license](https://github.com/vmware/photon/blob/master/COPYING)\n\n\n## Fossa Status\n\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fgoharbor%2Fharbor?ref=badge_large)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoharbor%2Fharbor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoharbor%2Fharbor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoharbor%2Fharbor/lists"}