How to Secure Container Images: Integrating Trivy with Harbor for Seamless Vulnerability Scanning

This guide explains why container image security matters, details the Trivy toolchain, shows step‑by‑step how to install Trivy, scan images, obtain offline vulnerability and Java index databases, and verify scans, preparing you to integrate Trivy with Harbor for a safer CI/CD pipeline.

Linux Ops Smart Journey

Introduction

As software supply‑chain security gains attention, developers and operations teams increasingly focus on the safety of container images. Harbor is an open‑source, cloud‑native registry for storing, signing, and scanning images, while Trivy is a lightweight, popular vulnerability scanner that can be integrated into Harbor to create a more secure delivery workflow.

Trivy and Harbor illustration

Trivy Workflow Overview

Trivy relies on a complete toolchain that gathers CVE data, processes it, and performs vulnerability identification. The following components work together to keep the scanner up‑to‑date.

Toolchain Components

vuln-list-update – Responsibility: collect threat intelligence from OS vendors, NVD, etc., and convert it into a unified JSON format. Purpose: ensure Trivy accesses the latest vulnerability information.

vuln-list – Responsibility: same as vuln-list-update, providing the unified JSON data. Purpose: keep the vulnerability feed current for accurate scans.

trivy-db – Responsibility: download JSON data from the vuln-list project and convert it into an optimized bbolt database. Purpose: offer a faster, space-efficient database for Trivy queries.

fanal – Responsibility: build bbolt database files from the data obtained by vuln-list. Purpose: package the database and publish it via the `upload` command to GitHub Releases.

Trivy – Responsibility: the end-user CLI tool that downloads the latest bbolt database from the trivy-db release and scans container images. Purpose: provide an easy-to-use interface that reports discovered vulnerabilities.

Deploy Trivy

Download and install the Trivy binary:

<code>$ curl -LO https://github.com/aquasecurity/trivy/releases/download/v0.54.1/trivy_0.54.1_Linux-64bit.tar.gz
$ TEMP_DIR=$(mktemp -d)
$ tar xvf trivy_0.54.1_Linux-64bit.tar.gz -C ${TEMP_DIR}
$ sudo cp ${TEMP_DIR}/trivy /usr/local/bin/
$ trivy version
Version: 0.54.1</code>

Test Image Scan

Run Trivy against a sample Harbor image:

<code>$ sudo trivy image goharbor/redis-photon:v2.10.3
2024-08-26T09:41:40+08:00       INFO    [db] Need to update DB
2024-08-26T09:41:40+08:00       INFO    [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
... (output truncated) ...
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 2)
... (vulnerability table) ...</code>

Tip: By default Trivy refreshes the vulnerability database at scan time, so the scanning host must have internet access. In production environments without external connectivity, download the database once and reuse it offline.

Obtain Offline Database

Vulnerability Database (updates every 6 hours)

Download the DB to a temporary directory:

<code>$ TRIVY_TEMP_DIR=$(mktemp -d)
$ trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
$ tar -czf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
$ rm -rf $TRIVY_TEMP_DIR</code>

Optionally accelerate the download with ORAS:

<code>$ oras pull ghcr.io/aquasecurity/trivy-db:2</code>

Java Index Database (updates weekly)

Download the Java index DB:

<code>$ TRIVY_TEMP_DIR=$(mktemp -d)
$ trivy --cache-dir $TRIVY_TEMP_DIR image --download-java-db-only
$ tar -czf ./javadb.tar.gz -C $TRIVY_TEMP_DIR/java-db metadata.json trivy-java.db
$ rm -rf $TRIVY_TEMP_DIR</code>

Accelerated download with ORAS:

<code>$ oras pull ghcr.io/aquasecurity/trivy-java-db:1</code>

Tip: Use the following mirrors for faster ORAS downloads: ghcr.nju.edu.cn/aquasecurity/trivy-db:2 and ghcr.nju.edu.cn/aquasecurity/trivy-java-db:1.

Verification

Extract the offline databases and run a scan without contacting the internet. `--skip-db-update` alone stops the vulnerability DB refresh; `--skip-java-db-update` and `--offline-scan` are also needed so that an image containing JARs does not trigger a Java index download or remote lookups:

<code>$ mkdir -p trivy-db/{db,java-db}
$ tar xvf db.tar.gz -C trivy-db/db/
$ tar xvf javadb.tar.gz -C trivy-db/java-db/
$ sudo trivy --cache-dir ./trivy-db image goharbor/nginx-photon:v2.10.3 --skip-db-update --skip-java-db-update --offline-scan
... (output similar to the online scan) ...</code>
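An offline cache is only as good as its age: the vulnerability DB is republished every 6 hours and the Java index weekly, so an air-gapped host that keeps scanning against an old db.tar.gz silently misses newer CVEs. The script below is an added example, not part of the original article or of the Trivy project. It reads the metadata.json that trivy-db ships next to trivy.db (its NextUpdate and UpdatedAt fields), checks that every file the offline scan needs is present, and only then prints the fully offline trivy invocation. The function names, the cache layout (the one the tar commands above produce) and the sample metadata values are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the original article or the Trivy project.
# Pre-flight checks for an offline Trivy cache laid out as:
#   <cache>/db/metadata.json        <cache>/db/trivy.db
#   <cache>/java-db/metadata.json   <cache>/java-db/trivy-java.db
# File names, function names and sample metadata are assumptions.
set -eu

# Pull one quoted string field out of trivy-db's small metadata.json.
# Only sed is used so the check works on a minimal, jq-less host.
metadata_field() { # $1 = metadata.json path, $2 = field name
  sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" "$1"
}

# Succeed if NextUpdate is still ahead of the supplied "now" timestamp.
# Both are ISO-8601 UTC strings, so a string comparison is a valid
# chronological comparison; awk does it portably.
db_is_fresh() { # $1 = metadata.json path, $2 = now, e.g. $(date -u +%Y-%m-%dT%H:%M:%SZ)
  next_update=$(metadata_field "$1" NextUpdate)
  [ -n "$next_update" ] || { echo "no NextUpdate in $1" >&2; return 2; }
  awk -v now="$2" -v nxt="$next_update" 'BEGIN { exit !(now < nxt) }'
}

# Every file an offline scan needs must be present and non-empty.
cache_is_complete() { # $1 = cache dir
  for f in db/metadata.json db/trivy.db java-db/metadata.json java-db/trivy-java.db; do
    [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
  done
}

# The command to run once the cache checks out. --skip-java-db-update and
# --offline-scan are needed in addition to --skip-db-update so images that
# contain JARs do not trigger a Java DB download or remote lookups.
offline_scan_cmd() { # $1 = cache dir, $2 = image reference
  printf 'trivy --cache-dir %s image --skip-db-update --skip-java-db-update --offline-scan %s\n' "$1" "$2"
}

# Build a constructed sample cache (fake DB bytes, made-up timestamps) so the
# checks can be exercised without network access or a real trivy binary.
make_sample_cache() { # $1 = target dir
  mkdir -p "$1/db" "$1/java-db"
  printf '{"Version":2,"NextUpdate":"2024-08-26T18:00:00Z","UpdatedAt":"2024-08-26T12:00:00Z","DownloadedAt":"2024-08-26T12:30:00Z"}' \
    > "$1/db/metadata.json"
  printf 'constructed placeholder, not a real bbolt file' > "$1/db/trivy.db"
  printf '{"Version":1,"NextUpdate":"2024-09-02T00:00:00Z","UpdatedAt":"2024-08-26T00:00:00Z","DownloadedAt":"2024-08-26T12:30:00Z"}' \
    > "$1/java-db/metadata.json"
  printf 'constructed placeholder, not a real bbolt file' > "$1/java-db/trivy-java.db"
}

# Gate the scan: refuse to run against an incomplete or stale cache, otherwise
# print the command to execute.
preflight() { # $1 = cache dir, $2 = image reference, $3 = now timestamp
  cache_is_complete "$1" || return 1
  db_is_fresh "$1/db/metadata.json" "$3" \
    || { echo "vulnerability DB is stale, refresh db.tar.gz" >&2; return 1; }
  db_is_fresh "$1/java-db/metadata.json" "$3" \
    || { echo "Java index DB is stale, refresh javadb.tar.gz" >&2; return 1; }
  offline_scan_cmd "$1" "$2"
}

# Demonstration on the constructed cache. Real use on an air-gapped host:
#   preflight /path/to/trivy-db goharbor/nginx-photon:v2.10.3 "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
demo_dir=$(mktemp -d)
make_sample_cache "$demo_dir"
preflight "$demo_dir" goharbor/nginx-photon:v2.10.3 2024-08-26T15:00:00Z
rm -rf "$demo_dir"
```

Run it before each offline scan, or wire `preflight` into the job that ships db.tar.gz and javadb.tar.gz to the isolated network; a non-zero exit means the bundle must be regenerated with the download commands above rather than scanned with a DB whose NextUpdate has passed.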

Reference Articles

https://aquasecurity.github.io/trivy/v0.54/docs/

https://github.com/aquasecurity/trivy

Conclusion

This article introduced the Trivy tool and its complete toolchain, demonstrating the end‑to‑end process from CVE collection to vulnerability detection. By leveraging Trivy’s tightly integrated components, users obtain timely and accurate security scan results. The next article will cover how to embed Trivy into Harbor for a fully automated pipeline.

Tags: cloud native, Container Security, Harbor, vulnerability scanning, offline database, Trivy