Secure Your Container Images: Integrate Trivy Scanning into Harbor
This guide explains how to secure container images by integrating the Trivy vulnerability scanner into the Harbor registry, covering Helm configuration, offline database setup, automated updates via cron, verification steps, and useful references for a robust cloud‑native security workflow.
Integrating Trivy into Harbor
As software supply‑chain security gains attention, developers and operations increasingly focus on container image safety. Harbor is an open‑source, cloud‑native registry for storing, signing, and scanning images, while Trivy is a lightweight scanner that quickly detects known vulnerabilities. Combining Trivy with Harbor creates a more secure and reliable application delivery pipeline.
Configure Helm Parameters
Add the following settings to the Harbor Helm values file to enable Trivy:
<code>cat <<'EOF' | sudo tee -a /etc/kubernetes/addons/harbor-value.yml
trivy:
  enabled: true
  replicas: 2
  offlineScan: true
  skipJavaDBUpdate: true
  skipUpdate: true
  image:
    repository: 172.139.20.170:5000/library/trivy-adapter-photon
    tag: v2.11.0
EOF</code>
Update Harbor
Upgrade the Harbor release with the modified values:
<code>$ helm -n harbor upgrade harbor -f /etc/kubernetes/addons/harbor-value.yml /etc/kubernetes/addons/harbor
Release "harbor" has been upgraded. Happy Helming!
NAME: harbor
LAST DEPLOYED: Mon Aug 26 22:21:08 2024
NAMESPACE: harbor
STATUS: deployed
REVISION: 2</code>
Verification
Check the pods to ensure the Trivy components are running:
<code>$ kubectl -n harbor get pod
NAME                           READY   STATUS    RESTARTS   AGE
harbor-core-7bfdc95674-czlnz   1/1     Running   0          35s
harbor-trivy-0                 1/1     Running   0          56s
... (other pods omitted for brevity)</code>
Offline Vulnerability Database
Download the offline DB and Java DB using oras:
<code>$ oras pull ghcr.io/aquasecurity/trivy-db:2
$ oras pull ghcr.io/aquasecurity/trivy-java-db:1</code>
Copy the downloaded archives (db.tar.gz and javadb.tar.gz) into each Trivy data directory found under Harbor:
<code>$ for dir_path in $(sudo find / -name "*harbor-trivy*" -type d); do
    sudo mkdir -p ${dir_path}/trivy/{db,java-db}
    sudo tar xvf db.tar.gz -C ${dir_path}/trivy/db
    sudo tar xvf javadb.tar.gz -C ${dir_path}/trivy/java-db
    sudo chown -R nfsnobody.nfsnobody ${dir_path}/trivy
  done</code>
Regular Database Updates
Create a script /opt/download_and_extract.sh that downloads the latest DBs and updates all Trivy instances. The script runs oras pull, extracts the archives, and replaces the existing contents of each Trivy data directory. It also updates the Java DB on Thursdays.
<code>cat <<'EOF' | sudo tee /opt/download_and_extract.sh
#!/bin/bash
TRIVY_PATHS=$(sudo find / -name "*harbor-trivy*" -type d)
# Function bodies are elided in the original post; each one runs oras pull,
# extracts the archive and replaces the contents under every path in TRIVY_PATHS.
function update_db() { ... }
function update_java_db() { ... }
update_db
# date +%w prints the weekday as a number; 4 is Thursday
if [[ $(date +%w) == 4 ]]; then
  update_java_db
fi
EOF
sudo chmod +x /opt/download_and_extract.sh</code>
Add a daily cron job at 03:00 to execute the script:
<code>cat <<'EOF' | sudo tee -a /etc/crontab
00 03 * * * root /opt/download_and_extract.sh > /opt/download_and_extract.log
EOF</code>
Verify Harbor Image Scanning
After the integration, scan a sample image through Harbor’s UI or API. The results show detected vulnerabilities, which can be filtered as needed. Screenshots illustrate the scanning process and the final vulnerability report.
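The update script that the Regular Database Updates section outlines, written out as an added example (it is not the post's own /opt/download_and_extract.sh). It assumes oras is installed and writes db.tar.gz / javadb.tar.gz into the working directory, and introduces a TRIVY_DB_OWNER variable (a name chosen here) to override the nfsnobody owner used above. It goes a step beyond the post by staging each extract and swapping it in only after a metadata.json check, so a truncated download cannot leave Harbor with an empty DB.

```shell
#!/bin/sh
# Added example, not the post's /opt/download_and_extract.sh: refresh the offline
# Trivy DBs in every Harbor Trivy data directory. Assumes `oras` is installed and
# writes db.tar.gz / javadb.tar.gz into the working directory, as on this page.
set -eu
DB_IMAGE="ghcr.io/aquasecurity/trivy-db:2"
JAVA_DB_IMAGE="ghcr.io/aquasecurity/trivy-java-db:1"

# True (exit 0) when the Java DB is due. The argument is `date +%w`; 4 is Thursday.
should_update_java_db() {
  [ "$1" -eq 4 ]
}

# Unpack one archive into <dir>/trivy/<subdir> for every Trivy data dir below $3.
# The archive is staged beside the live DB and swapped in only after a clean
# extract, so a truncated download never leaves Harbor with an empty DB.
install_db() {
  archive="$1"; subdir="$2"; search_root="$3"
  owner="${TRIVY_DB_OWNER:-nfsnobody:nfsnobody}"   # hypothetical override, e.g. off NFS
  [ -s "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
  find "$search_root" -name "*harbor-trivy*" -type d | while IFS= read -r dir_path; do
    target="$dir_path/trivy/$subdir"
    rm -rf "$target.new" && mkdir -p "$target.new"
    tar xzf "$archive" -C "$target.new"
    # Every Trivy DB archive ships a metadata.json; without it the archive is bad.
    [ -f "$target.new/metadata.json" ] || { echo "bad archive: $archive" >&2; exit 1; }
    rm -rf "$target" && mv "$target.new" "$target"
    chown -R "$owner" "$dir_path/trivy"
  done
}

# $1 = scratch dir for the download, $2 = root to search for Trivy data dirs.
update_db() {
  (cd "$1" && oras pull "$DB_IMAGE")
  install_db "$1/db.tar.gz" db "$2"
}
update_java_db() {
  (cd "$1" && oras pull "$JAVA_DB_IMAGE")
  install_db "$1/javadb.tar.gz" java-db "$2"
}

main() {
  work="$(mktemp -d)"
  update_db "$work" /
  if should_update_java_db "$(date +%w)"; then update_java_db "$work" /; fi
  rm -rf "$work"
}
# The cron entry runs the script with --run; without it only the functions are defined.
if [ "${1:-}" = "--run" ]; then main; fi
```

With this script the crontab line from above becomes `00 03 * * * root /opt/download_and_extract.sh --run > /opt/download_and_extract.log`.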
Linux Ops Smart Journey